A single-file, offline-ready command reference terminal built for penetration testers preparing for OSCP+, OSEP, or working on real-world engagements. No installation required — just open the HTML file in any browser.
This tool is a personal, browser-based cheat sheet that puts 580+ penetration testing commands one click away. It replaces scattered notes, bookmarks, and text files with a fast, searchable, keyboard-friendly interface that lets you focus on the box — not on finding commands.
Organized into 4 groups:
OSCP+ Core
| Section | What's Inside |
|---|---|
| 🔍 Recon | Nmap, Rustscan, service enum, web fuzzing |
| 🌐 Web Attacks | SQLi, LFI, XSS, SSRF, XXE, File Upload, Command Injection |
| ⚡ API Attacks | REST recon, JWT attacks, GraphQL, OAuth/SSO, IDOR |
| 💀 Shells | Listeners, Linux/Windows reverse shells, Msfvenom, TTY upgrade |
| 🐧 Linux PrivEsc | LinPEAS, sudo exploits, SUID, capabilities, cron hijack, container escape |
| 🪟 Windows PrivEsc | WinPEAS, token impersonation, service misconfigs, UAC bypass, credential hunting |
| ☁ Cloud Attacks | AWS metadata/IAM/S3/Secrets, Azure Entra ID, GCP buckets |
| 🔀 Pivoting / Tunnels | Chisel, Ligolo-ng, SSH tunneling, Socat relay, MSF routes |
| 🔑 Password Attacks | Hydra, Medusa, Crunch, CeWL, default credentials |
| 🕵 OSINT / Ext Recon | Subfinder, Amass, theHarvester, Google Dorks, Nuclei, Shodan |
| 📶 Wireless Attacks | WPA2 handshake capture, PMKID, WPA2-Enterprise, Evil Twin |
| 📋 Misc / Reference | Quick wins, wordlist paths, port checks |
Active Directory
| Section | What's Inside |
|---|---|
| 🗺 AD Recon | BloodHound, CME, PowerView, LDAP enum |
| ⚔ AD Attacks | Kerberoasting, ASREPRoast, NTLM relay, DCSync, ZeroLogon, PetitPotam |
| ↔ AD Lateral | Pass-the-Hash, Overpass-the-Hash, Golden/Silver/Diamond tickets |
| 🔒 Persistence | AdminSDHolder, Skeleton Key, DSRM, custom SSP |
| 🏆 AD Certs (ADCS) | Certipy, ESC1/ESC4/ESC8, NTLM relay to ADCS, PKINITtools |
| 🎭 AD Extra Attacks | Constrained delegation, RBCD, Shadow Credentials, GPO abuse, Trust attacks |
OSEP Advanced
| Section | What's Inside |
|---|---|
| 👻 Evasion / OPSEC | AMSI bypass, LOLBins, encoded execution |
| 💉 Injection | Shellcode injection, process hollowing, Early Bird APC |
| 📡 C2 Frameworks | Metasploit, Cobalt Strike, Sliver, Havoc |
| 📄 VBA / Office | Macro payloads, sandbox evasion, HTML smuggling, XLM macros |
| 🔬 Binary / Thick Client | Static analysis, dnSpy, Frida, Procmon, traffic interception |
Post-Exploitation
| Section | What's Inside |
|---|---|
| 💰 Post-Exploit / Loot | Credential hunting, exfil, OPSEC cleanup, situational awareness |
| 🔓 Hash Cracking | Hashcat modes & strategies, John the Ripper |
| 💥 Buffer Overflow | Fuzzing, badchars, JMP ESP, exploit template |
| 🔀 Tunneling | SSH, Chisel, Ligolo, Socat, MSF |
| 📁 File Transfer | Python server, certutil, wget, PowerShell, base64 |
Fill in your engagement values once at the top — every command auto-updates:
| Variable | Default | Description |
|---|---|---|
| {LHOST} | 10.10.14.1 | Your attacker IP |
| {RHOST} | 10.10.10.10 | Target IP |
| {LPORT} | 4444 | Your listener port |
| {RPORT} | 9001 | Target port |
| {DOMAIN} | corp.local | Active Directory domain |
| {DC} | 192.168.1.10 | Domain Controller IP |
| {USER} | john | Username |
| {PASS} | Password123 | Password |
| {HASH} | NTLM_HASH_HERE | NTLM hash |
| {URL} | http://10.10.10.10 | Target URL |
| Feature | How to Use |
|---|---|
| Search | Ctrl+K or click the search bar — searches across all sections instantly |
| Copy | Click Copy on any command — auto-substitutes your variables |
| 1-Line | Click 1-line — joins multiline commands with ; for quick paste |
| Favorites ★ | Star any command → access from ★ FAVS panel |
| Notes 📝 | Add inline notes to any individual command |
| Mark Done ✔ | Track which commands you've run |
| Export | Export any section or favorites as a .txt file |
| Copy History | ⏱ HIST shows your last 20 copied commands |
| Collapse Groups | Click any group header to collapse/expand |
| Collapse Sidebar | Shrink sidebar to icons only for more screen space |
Press 🎯 INTEL to open a persistent engagement notepad:
- Engagement name — machine name or client name
- Target scope — IPs and ranges
- Current objective — what you're focusing on right now
- Found credentials — add and track creds as you find them
- Captured flags — user.txt / root.txt
- Pivot points / shells — track your active shells
- Quick notes — freeform anything
- Export — download everything as a .txt file
All data is saved in localStorage — persists across browser sessions.
Press 📓 NOTES to open a freeform notes panel:
- Create unlimited notes with individual titles
- Each note autosaves on every keystroke
- Timestamps on every note
- Notes count shown in header badge
- Persists across sessions via localStorage
Press + ADD to add your own commands:
- Title and command body
- Tag as CRITICAL / HIGH / MEDIUM / OSEP / NEW
- Appears in its own Custom section in the sidebar
- Saved in localStorage — survives refresh
Toggle between Dark (default cyberpunk) and Light (clean blue/white) mode with the button in the header. Preference is saved automatically.
| Shortcut | Action |
|---|---|
| Ctrl+K | Focus search |
| Escape | Clear search |
| Ctrl+D | Toggle dark/light mode |
| Ctrl+F | Open favorites panel |
- Download index.html
- Open it in any modern browser (Chrome, Firefox, Edge)
- Set your LHOST, RHOST, LPORT in the variables bar
- Start hacking
No server, no internet, no dependencies required. Fully offline after first load (except Google Fonts).
index.html ← Everything. Single self-contained file.
profile.jpg ← Optional: your profile picture for the header
README.md ← This file
All user data (favorites, notes, intel, history, custom commands) is stored only in your browser's localStorage. Nothing is sent anywhere. Safe to use on air-gapped machines.
To clear all data: open browser DevTools → Application → Local Storage → clear keys starting with cs_.
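The same cleanup can be scripted from the DevTools console, which helps when the INTEL panel has held found credentials and you want a record of what was removed. This is an added example, not code from the tool: only the `cs_` prefix comes from this README, the key names and the `MemoryStorage` stand-in are constructed so the block also runs outside a browser.

```javascript
// Added example: audit and purge this tool's localStorage entries.
// Only the "cs_" prefix is from the README; key names below are constructed.

// Collect matching keys first. Removing entries while walking storage.key(i)
// shifts the remaining indices and silently skips keys.
function listPrefixedKeys(storage, prefix) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix)) keys.push(k);
  }
  return keys;
}

// Removes every key with the prefix and reports what was deleted
// (key name and stored length only, never the value itself).
function purgePrefixedKeys(storage, prefix) {
  const removed = listPrefixedKeys(storage, prefix).map((k) => {
    const value = storage.getItem(k) || "";
    storage.removeItem(k);
    return { key: k, chars: value.length };
  });
  return { removed, remaining: listPrefixedKeys(storage, prefix).length };
}

// Minimal in-memory stand-in for the Web Storage API (constructed for the demo).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

function demo() {
  const s = new MemoryStorage();
  s.setItem("cs_example_intel", '{"creds":["constructed"]}'); // hypothetical key
  s.setItem("cs_example_notes", "constructed note");          // hypothetical key
  s.setItem("other_app_setting", "keep me");                  // unrelated entry
  return { result: purgePrefixedKeys(s, "cs_"), storage: s };
}

// In a browser, in the console of the tab where the tool is open:
//   purgePrefixedKeys(window.localStorage, "cs_");
```

localStorage is scoped per origin and per browser profile, so run it in the same browser and tab location you used for the engagement.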
This tool is intended for authorized penetration testing and security research only. Use only on systems you have explicit written permission to test. The author is not responsible for any misuse.
Anshuman Jha LinkedIn
Built for the grind. Stay authorized.