A self-contained, offline pentest command cheat sheet built for OSEP-style engagements.
Set your IP, port, domain, and credentials once in the variable bar and every
{{PLACEHOLDER}} across all 535 commands (in 26 categories) updates live. One click
copies any command, a whole multi-step chain, or an entire category to your clipboard.
Everything runs locally in a tiny Flask app — no internet, no telemetry, bound to
127.0.0.1 only.
- Live variable substitution — fill in
YOUR IP (LHOST), target, domain, user, hash, pivot host, etc. and every command rewrites instantly. Filled values are highlighted; any variable you leave blank stays visible as a red{{PLACEHOLDER}}. - 🔑 Credential vault — stash creds as you loot them and load any one into the variable bar with a single click (see below).
- One-click copy — copy a single command, a whole ordered chain, or an entire category.
- Live search — filter all commands and notes as you type (
rubeus,ntlmrelayx,ligolo,xp_cmdshell, …). - Two themes — a modern Gemini theme and a high-contrast Classic black terminal look.
- Persistent — your variables, credentials, and theme are saved in the browser
(
localStorage) and survive restarts. - Offline & private — pure Python + vanilla JS, localhost only, no external requests.
Double-click start.bat. It installs Flask if needed, starts the server, and opens your
browser at http://127.0.0.1:5000.
./start.sh(or bash start.sh)
pip install -r requirements.txt
python app.pyThen open http://127.0.0.1:5000.
To use a different port:
PORT=8080 python app.py- Variable bar (sticky, top): fill in your attacker IP, target IP/host/port, domain, DC IP, base DN, username, password, NTLM hash, pivot host, and internal subnet.
- Every command below updates instantly. Keep Target hostname distinct from Target IP — Kerberos SPNs need the short hostname, never the IP.
- copy — copies one filled-in command.
- copy chain — copies every step of a multi-step chain, in order.
- copy all — copies every command in a category.
- search — filters all commands/notes live.
- reset defaults — restores the starting values.
| Key | Label | Example |
|---|---|---|
LHOST |
Your IP (LHOST) | 192.168.45.172 |
LPORT |
Listener port | 443 |
LGPORT |
Ligolo port | 11601 |
WEB |
Your HTTP port | 8001 |
RHOST |
Target IP | 10.10.10.10 |
THOST |
Target hostname | dc01 |
RPORT |
Target port | 80 |
DOMAIN |
Domain | corp.com |
DCIP |
DC IP (-dc-ip) |
10.10.10.10 |
BASEDN |
Base DN (LDAP) | DC=corp,DC=com |
USER |
Username | Administrator |
PASS |
Password | Password123! |
NTHASH |
NTLM hash | 00000000000000000000000000000000 |
PIVOT |
Pivot host IP | 172.16.1.10 |
SUBNET |
Internal subnet | 172.16.1.0/24 |
As you loot creds during an engagement, stash them in the 🔑 Credential Vault (just under the variable bar):
- Add a cred by hand — domain / username / password / NT hash / host / note.
- Paste & import — drop in raw output and it auto-extracts credentials (duplicates are
skipped). It understands:
secretsdump/ SAM / pwdump lines —Administrator:500:aad3b4…:5bdd6a…:::- cleartext lines —
CORP.COM\jdoe:Summer2024! - a lone NT hash on its own line
- whole command lines — e.g.
evil-winrm -i 10.0.0.5 -u Administrator -H 5bdd6a…(pulls out user / hash / password / domain / host) - impacket target syntax —
corp.com/administrator@10.10.10.10— and Rubeus/user: /rc4:
- use — one click loads that cred into the variable bar (
USER,DOMAIN,NTHASH,PASS), so every command instantly rewrites to use it. The active cred is highlighted, and editing a variable by hand clears the highlight. - copy the hash or password, click a host to set it as the Target IP, delete a single
cred, or clear all. Everything persists in
localStorage.
26 categories, 535 commands:
| # | Category | Commands |
|---|---|---|
| 00 | Host Discovery & Recon | 16 |
| 01 | Service / Protocol Enumeration | 67 |
| 02 | Mail Attacks — SMTP / IMAP / POP3 | 30 |
| 03 | Kali: Servers & Listeners | 7 |
| 04 | Payload Generation & Delivery | 17 |
| 05 | Meterpreter: Session Control | 17 |
| 06 | File Transfer (download to target) | 6 |
| 07 | File Transfer (exfil from target) | 5 |
| 08 | Execution & AppLocker / CLM Bypass | 10 |
| 09 | Credential Dumping (Windows) | 19 |
| 10 | File / Secret Hunting | 16 |
| 11 | Windows Privilege Escalation | 20 |
| 12 | Linux Privilege Escalation | 13 |
| 13 | Linux Shared-Library / LD_PRELOAD Hijack | 7 |
| 14 | AMSI / Defender / Logging Evasion | 15 |
| 15 | Active Directory Enumeration | 19 |
| 16 | NetExec (nxc) Module Reference | 67 |
| 17 | Kerberos / Pass-the-Hash / Delegation | 78 |
| 18 | MSSQL Exploitation | 15 |
| 19 | NTLM Relay / Poisoning | 7 |
| 20 | Tunneling / Pivoting (Ligolo-ng + chisel) | 23 |
| 21 | Web Enum / Dir Busting | 7 |
| 22 | Brute Forcing (Hydra) | 4 |
| 23 | Reverse Shells & Payloads | 7 |
| 24 | Lateral Movement / Access | 30 |
| 25 | Misc / Utilities | 13 |
| Setting | How |
|---|---|
| Port | PORT=8080 python app.py (defaults to 5000) |
| Bind address | Hard-bound to 127.0.0.1 (localhost only) by design |
| Edit commands | Change commands.json and refresh the page — no restart needed |
The full dataset is available for scripting:
curl http://127.0.0.1:5000/api/commandsReturns { "vars": [...], "groups": [...] }.
| File | Purpose |
|---|---|
app.py |
Flask server + variable definitions |
commands.json |
The command dataset (26 categories, 535 commands) |
templates/index.html |
Page shell |
static/app.js |
Live substitution, credential vault, copy, search |
static/style.css |
Gemini + Classic themes |
start.bat / start.sh |
One-click launchers |
requirements.txt |
Just Flask |
commands.json is a list of category objects. Each has an id, an accent color, a
title, an optional HTML intro, and a list of cmds. A command is either a single entry
or a multi-step chain:
Use {{KEY}} anywhere in a c string and it becomes a live, substituted variable. Available
accents: cyan, green, pink, yellow, purple, red, orange.
This tool ships no exploits — it is a reference that fills in commands with your own
values. It is intended for authorized security testing, CTFs, and exam preparation only.
You are responsible for having explicit permission to test any system you target. The server
binds to 127.0.0.1 and makes no outbound connections.
- NetExec (nxc) reference expanded (category 16, 42 → 67 commands): SMB
null/guest/anonymous enum,
--computers/--local-groups/--disks/--filter-shares; a new files, spider & host audit chain (spider_plus,--spider,--get-file/--put-file,wcc);krbtgt-only--ntdsplus KeePass / mRemoteNG / Veeam loot modules; a new LDAP — AD hunting chain (--gmsa, delegation,--password-not-required,--admin-count,get-desc-users,laps); andnopac/spooler/webdav/timeroast. - Ligolo pivoting — collapsed three duplicate
listener_addentries into one with a full note (runs on Kali, the reverse direction, and both address sides). - Totals now 26 categories, 535 commands.
- New Mail Attacks — SMTP / IMAP / POP3 category (02): user/mailbox enumeration,
credential spraying, open-relay testing, authenticated phishing, and authenticated
looting of IMAP folders (
BODY.PEEK) and POP3 mailboxes (RETR), pluscurlone-shots. Now 26 categories, 505 commands.
- Initial release: 25 categories, 475 commands with live
{{VARIABLE}}substitution. - One-click copy for single commands, chains, and whole categories.
- Live search, Gemini/Classic themes,
localStoragepersistence. - 🔑 Credential vault — store creds and one-click load them into the variable bar; import
from
secretsdump/SAM/pwdump output, cleartext lines, lone hashes, or full command lines.
{ "id": "mycat", "accent": "cyan", "title": "MY CATEGORY", "intro": "<b>Optional</b> HTML shown under the header.", "cmds": [ { "c": "nxc smb {{RHOST}} -u {{USER}} -H {{NTHASH}}", "note": "pass-the-hash" }, { "type": "chain", "label": "example chain", "intro": "Optional HTML intro for the chain.", "cmds": [ { "c": "step one {{LHOST}}", "note": "first" }, { "c": "step two {{RHOST}}", "note": "second" } ] } ] }