Commit 96e346c
2016-11-30 15:11:03
Changed files (35)
networking/protocols/ethernet.md
@@ -0,0 +1,49 @@
+# Ethernet
+
+Systems communicating over Ethernet divide a stream of data into shorter pieces called frames. Each frame contains source and destination MAC addresses, and error-checking data so that damaged frames can be detected and discarded; most often, higher-layer protocols trigger retransmission of lost frames. As per the OSI model, Ethernet provides services up to and including the data link layer.[1]
+
+## PN Headers
+
+```
+ 1
+byte 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-. D ....-+-+-+-+-+
+ |Destination| Source | E | .. A ... | CRC |
+ |MAC Address|MAC Address| T | ... T .. | cksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-.... A .-+-+-+-+-+
+```
+
+## PN Header Descriptions
+
+| Bytes | Name | Description |
+|-------|------|-------------|
+| `ether[0:4], ether[4:2]` | Dst MAC Address | |
+| `ether[6:4], ether[8:2]` | Src MAC Address | |
+| `ether[12:2]` | [EtherType](./ether_type.md) | indicates which protocol is encapsulated in the payload of the frame |
+
+- bytes are in bpf filter notation
+- name is usually the abbreviated name
+- description usulally has the full name and a short description
+
+## PN Example Packets
+
+* `pn[0] = 0` - this packet is the first, identified by an id of one
+* `pn[0] = 255` - the last possible packet, id of 255
+
+## PN State machine (optional)
+
+Short description of why this protocol has a state machine and what it attempts to accomplish
+
+
+
+## Additional resources
+
+* [Ethernet - wikipedia](https://en.wikipedia.org/wiki/Ethernet)
+* [Ethernet Frame - wikipedia](https://en.wikipedia.org/wiki/Ethernet_frame)
+* [rfc####](link)
+* [Source Enumeration via PN packets](../packet_forensics/pn_ids.md)
+* [PN address schemes](../compnents/subnetting/pn.md)
+
+## References
+
+* [1]: http://www.tcpipguide.com/free/t_DataLinkLayerLayer2.htm
\ No newline at end of file
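Review bot: the Src MAC row in the header description table has a wrong second slice: `ether[6:4], ether[8:2]` overlaps itself (bytes 6..9, then 8..9) and never covers bytes 10..11; the source MAC occupies bytes 6..11, so it should read `ether[6:4], ether[10:2]`, mirroring `ether[0:4], ether[4:2]` for the destination. The rest of the file still carries template text that does not apply to Ethernet: the "PN" headings, the `pn[0] = 0` example packets (which also describe an id of 0 as "an id of one"), the `[rfc####](link)` entry and the `../compnents/subnetting/pn.md` link (note the `compnents` typo); Ethernet-specific examples would be `ether[12:2]` EtherType checks like the ones vlan.md already uses. Also "usulally" in the notes under the table, and the EtherType link `./ether_type.md` should use the same path as vlan.md (`./lists/ether_type.md`) and the readme.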
networking/protocols/ipv4.md
@@ -0,0 +1,77 @@
+# IPv4 - Internet Protocol Version 4
+
+IPv4 is a connectionless protocol for use on packet-switched networks. It
+operates on a best effort delivery model, in that it does not guarantee
+delivery, nor does it assure proper sequencing or avoidance of duplicate
+delivery.
+
+## IPv4 Headers
+
+```
+byte 0 1 2 3 4
+bit 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 0 |Version| IHL |Type of Service| Total Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 4 | Identification |Flags| Fragment Offset |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 8 | Time to Live | Protocol | Header Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+12 | Source Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+16 | Destination Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+20 | Options | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+```
+
+IPv4 Header length = **24 bytes**
+
+# IPv4 Header Descriptions
+
+| Bytes | Field | Description |
+|--------------------|----------------------|-----------------------------------------------------------------|
+| `ip[0] & 0xF0` | Version | IPv4 = 4, IPv6 = 6 |
+| `ip[1] & 0x0F` | IHL | Internet Header Length, number of 4 byte blocks, min=5=20bytes |
+| `ip[1]` | TOS | Type of Service,set packet priority (RFC 2472 and 3168) |
+| `ip[2:2]` | Total Length | Defines the entire packet size in bytes, 0-65535 |
+| `ip[4:2]` | Identification | Used for uniqely identifying fragements accoring to their group |
+| `ip[6] & 0x80` | Flags: X | Reserved: Must be zero |
+| `ip[6] & 0x40` | Flags: DF | Don't Fragment: prevent fragementation along route (=1) |
+| `ip[6] & 0x20` | Flags: MF | More Fragments: fragment packet and not the last (=1) |
+| `ip[6:2] & 0x1FFF` | Fragment Offset | offset measured in 8-byte blocks, 13 bits, max=65,528 |
+| `ip[8]` | TTL | Time to Live: maximum hops the pacet is allowd to traverse |
+| `ip[9]` | [Protocol Number][2] | Payload IANA assigned IP protocol number (see [list][2]) |
+| `ip[10:2]` | Checksum | Header checksum, silent discard if not correct |
+| `ip[12:4]` | Source | IPv4 Address of originating host |
+| `ip[16:4]` | Destination | IPv4 Address of destination host |
+| `ip[20:n]` | Extra Options | variable length, optional, not common |
+
+
+## IPv4 Example Packets
+
+### Fragmentation
+
+* `ip[TODO]` - the whole packet (MF is off and Offset is zero, then it is)
+* `ip[TODO]` - the first fragment (MF is on and Offset is zero)
+* `ip[TODO]` - a middle fragment (MF is on and Offset is non zero)
+* `ip[TODO]` - the last fragment (MF is off and Offset is non zero)
+* `ip[8] <= 64` - likely a unix system (see [Packet Forensics - IPv4 initial TTL][1])
+
+### IPv4 BPF Shortcuts
+
+| BPF Shortcut Syntax | Description |
+|--------------------------------|--------------------------------------------------------------------------------------|
+| `ip proto protocol` | packet of protocol type `protocol` (icmp, udp, tcp) |
+| `ip broadcast` | an IPv4 broadcast packet |
+| `ip multicast` | an IPv4 multicast packet |
+| `ip host host` | either the IPv4/v6 source or destination of the packet is `host` |
+| `ip` | abbreviaition for: `ether proto ip`
+
+## Additional resources
+
+* [IPv4 - wikipedia](https://en.wikipedia.org/wiki/IPv4)
+* [IPv4 Protocol Numbers](https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
+
+[1]: ../packet_forensics/ipv4_ttl_ws.md
+[2]: ./lists/ip_protocol_numbers.md
\ No newline at end of file
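Review bot: the line "IPv4 Header length = **24 bytes**" is wrong; the table itself gives IHL "min=5=20bytes", so it should say 20 bytes minimum (up to 60 with options). Two cells in the description table are also off: IHL is the low nibble of byte 0, so `ip[1] & 0x0F` should be `ip[0] & 0x0F` (byte 1 is TOS, as the next row says), and the TOS row's "RFC 2472" should be RFC 2474 (the DS field). The `ip host host` row says "IPv4/v6", but the `ip` qualifier restricts the match to IPv4 (the table's own last row expands `ip` to `ether proto ip`); plain `host` covers both. The `ip[TODO]` fragmentation bullets can be filled from the masks in the table, e.g. `ip[6] & 0x20 != 0 and ip[6:2] & 0x1FFF = 0` for the first fragment and `ip[6:2] & 0x3FFF = 0` for an unfragmented packet. Smaller: `# IPv4 Header Descriptions` is an H1 where the sibling sections are H2; the first fragmentation bullet ends in an unfinished clause "(MF is off and Offset is zero, then it is)"; the last BPF row is missing its closing `|`; typos uniqely, fragements, accoring, fragementation, pacet, allowd, abbreviaition.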
networking/protocols/tcp.md
@@ -0,0 +1,94 @@
+# TCP - Transmission Control Protocol
+
+TCP provides reliable, ordered, and error-checked delivery of a stream of bytes
+between applications running on hosts communicating by an IP network.
+
+## TCP Headers
+
+```
+byte 0 1 2 3 4
+bits 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 0 | Source Port | Destination Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 4 | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 8 | Acknowledgment Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Data | |C|E|U|A|P|R|S|F| |
+ 12 | Offset| Rsrvd.|W|C|R|C|S|S|Y|I| Window |
+ | | |R|E|G|K|H|T|N|N| |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 16 | Checksum | Urgent Pointer |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 20 | Options | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 24 | data |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+```
+
+TCP header length is **20 bytes** *plus options* (up to 40 bytes)
+
+## TODO Header Descriptions
+
+|Bytes | Field | Description |
+|-------------|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `tcp[todo]` | Source Port | Sender's port number ([Ephemeral Ports][1]) |
+| `tcp[todo]` | Destination Port | Port number of the receiver |
+| `tcp[todo]` | Sequence Number | Has two roles: <ol> <li>If the `SYN` flag is set, then this is the initial sequence number. The sequence number of the actual first data byte will then be this sequence number plus 1. </li> <li> If the `SYN` flag is not set, then this is the sequence number of the first data byte. </li> </ol> |
+| `tcp[todo]` | Acknowledgement Number | If the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. A SYN packet should have this set to 0. |
+| `tcp[todo]` | Reserved | For future use and should be set to zero. Note: RFC 3168 (The Addition of Explicit Congestion Notification (ECN) to IP) has taken two bits from the Reserved field and added them to the flags field. |
+| `tcp[todo]` | TCP Flags | In bit order (8 to 1) : `CWR, ECE, URG, ACK, PSH, RST, SYN, FIN`. __Note__ More information available in resources |
+| `tcp[todo]` | Window | Size of the receive window. This is the number of bytes that the sender is currently willing to receive. Details: <br/> ```For more efficient use of high bandwidth networks, a larger TCP window size may be used (through the window scale option). The TCP window size field controls the flow of data and its value is limited to between 2 and 65,535 bytes. Access the TCP header reference from the Resources section for a complete description of the Window field. ``` |
+| `tcp[todo]` | Checksum | 16-bit checksum used for error checking |
+| `tcp[todo]` | Urgent Pointer | If the `URG` flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte. |
+| See Below | TCP Options | Can be between 0-320 bits in length. Must be a multiple of a 32-bit word. Data offset field adjusted appropriately. Options have up to three fields: <ul> <li> Option-Kind (1 Byte) </li> <li> Option-Length (1 byte) </li> <li> Option Data (variable) <li> </ul> See also: [p0f][2] |
+
+#### TCP Options
+
+| Name | Type | Length (b) | Value | Packet |
+|----------------------|------|-----------------|------------------------------------|--------|
+| End of list | 0 | 1 | n/a | |
+| NOP | 1 | 1 | n/a | |
+| Max Segmt Size (MSS) | 2 | 4 | Segment Size (2b) | SYN |
+| Window Scale | 3 | 3 | Scale (1b) | SYN |
+| SACK OK | 4 | 2 | n/a | SYN |
+| SACK | 5 | 10,18,26, or 34 | Selective ACK begin / end pointers | |
+| Timestamp | 8 | 10 | time,echo (4b each) | |
+
+## TCP Example Packets
+
+* `tcp[TODO]` - connection start, step 1 of TWHS (SYN)
+* `tcp[TODO]` - server responses, step 2 of TWHS (SYN+ACK)
+* `tcp[TODO]` - , step 3 of TWHS (ACK)
+
+### TCP BPF Shortcuts
+
+| BPF Shortcut Syntax | Description |
+|--------------------------------|--------------------------------------------------------------------------------------|
+| `port p` | packet is IPv4/v6, tcp or udp, and has a source or destination port of `p` |
+| `dst port p` | packet is IPv4/v6, tcp pr udp, and has a destination port of `p` |
+| `src port p` | packet is IPv4/v6, tcp or udp, and has a source port of `p` |
+| `tcp port p` | packet is IPv4/v6, tcp, and has a source or destination port of `p` |
+| `tcp dst port p` | packet is IPv4/v6, tcp, and has a destination port of `p` |
+| `tcp src port p` | packet is IPv4/v6, tcp, and has a source port of `p` |
+| `tcp` | abbreviaition for: `ip proto tcp` |
+
+## TCP State machine
+
+TODO: Three way handshake description
+
+
+
+## TCP Packet Forensics
+
+* [Ephemeral Ports][1]
+* [Passive OS Fingerprinting via TCP Options - p0f][2]
+
+## Additional resources
+
+*
+*
+
+[1]: ../packet_forensics/ephemeral_ports.md
+[2]: ../packet_forensics/tcp_options_p0f.md
\ No newline at end of file
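Review bot: the description table has no row for Data Offset, the header-length field at byte 12 in the diagram that the Options row itself refers to ("Data offset field adjusted appropriately"); add it as `tcp[12] & 0xF0` (value in 32-bit words, so `(tcp[12] & 0xF0) >> 2` is the header length in bytes). The other `tcp[todo]` cells are fixed-position fields and can be filled in now: `tcp[0:2]` source port, `tcp[2:2]` destination port, `tcp[4:4]` sequence number, `tcp[8:4]` ack number, `tcp[13]` flags, `tcp[14:2]` window, `tcp[16:2]` checksum, `tcp[18:2]` urgent pointer; the handshake bullets then become `tcp[13] = 0x02` (SYN), `tcp[13] = 0x12` (SYN+ACK) and `tcp[13] = 0x10` (ACK), and the third bullet currently has no description at all. In the Options row `<li> Option Data (variable) <li>` leaves a list item unclosed (`</li>`), and in the Options table "Length (b)" and "Segment Size (2b)" use b where the values are bytes (MSS is a 4-byte option with a 2-byte value). The Window row's quoted "limited to between 2 and 65,535 bytes" does not match a 16-bit field, whose range is 0 to 65,535. In the diagram, "24 | data |" implies options are always 4 bytes; data starts at byte 20 when there are none. Also: the heading still says `## TODO Header Descriptions`, "tcp pr udp" and "abbreviaition" in the BPF table, and two empty bullets under Additional resources.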
networking/protocols/template.md
@@ -0,0 +1,37 @@
+# PN - Protocol Name
+
+
+## PN Headers
+
+```
++-------------+
+|ASCII Diagram|
++-------------+
+```
+
+## PN Header Descriptions
+
+| Bytes | Name | Description |
+|-------|------|-------------|
+| pn[0] | PNID | The PN Id field |
+
+- bytes are in bpf filter notation
+- name is usually the abbreviated name
+- description usulally has the full name and a short description
+
+## PN Example Packets
+
+* `pn[0] = 0` - this packet is the first, identified by an id of one
+* `pn[0] = 255` - the last possible packet, id of 255
+
+## PN State machine (optional)
+
+Short description of why this protocol has a state machine and what it attempts to accomplish
+
+
+
+## Additional resources
+
+* [rfc####](link)
+* [Source Enumeration via PN packets](../packet_forensics/pn_ids.md)
+* [PN address schemes](../compnents/subnetting/pn.md)
\ No newline at end of file
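Review bot: the first example packet bullet contradicts itself: `pn[0] = 0` is described as "identified by an id of one"; since this text is copied into ethernet.md and udp.md in the same commit, fix it here first (id of zero, or `pn[0] = 1`). Also "usulally" in the notes under the table and "compnents" in the `../compnents/subnetting/pn.md` link; both typos are carried into every page generated from this template.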
networking/protocols/udp.md
@@ -0,0 +1,56 @@
+# UDP - User Datagram Protocol
+
+UDP uses a simple connectionless transmission model with a minimum of protocol
+mechanism. UDP provides checksums for data integrity, and port numbers for
+addressing different functions at the source and destination of the datagram.
+It has no handshaking dialogues, and thus exposes the user's program to any
+unreliability of the underlying network and so there is no guarantee of
+delivery, ordering, or duplicate protection.
+
+## TODO Headers
+
+```
+byte 0 1 2 3 4
+bits 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 0 | Source Port | Destination Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 4 | Length | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 8 | data |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+```
+
+## TODO Header Descriptions
+
+| Bytes | Field | Description |
+|----------|------------------|------------------------------|
+| udp[0:2] | Source Port | |
+| udp[2:2] | Destination Port | |
+| udp[4:2] | Length | Header+data length in bytes |
+| udp[6:2] | Checksum | Error checking - [RFC768][1] |
+
+## TODO Example Packets
+
+* `todo[0] = 0` - this packet is the first, identified by an id of one
+* `todo[0] = 255` - the last possible packet, id of 255
+
+### TODO BPF Shortcuts
+
+| BPF Shortcut Syntax | Description |
+|--------------------------------|--------------------------------------------------------------------------------------|
+| `port p` | packet is IPv4/v6, tcp or udp, and has a source or destination port of `p` |
+| `dst port p` | packet is IPv4/v6, tcp pr udp, and has a destination port of `p` |
+| `src port p` | packet is IPv4/v6, tcp or udp, and has a source port of `p` |
+| `udp port p` | packet is IPv4/v6, udp, and has a source or destination port of `p` |
+| `udp dst port p` | packet is IPv4/v6, udp, and has a destination port of `p` |
+| `udp src port p` | packet is IPv4/v6, udp, and has a source port of `p` |
+| `udp` | abbreviaition for: `ip proto udp` |
+
+
+
+## Additional resources
+* [1](https://tools.ietf.org/html/rfc768)
+* [TODO rfc####](link)
+* [Source Enumeration via TODO packets](../packet_forensics/todo_ids.md)
+* [TODO address schemes](../compnents/subnetting/todo.md)
\ No newline at end of file
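Review bot: the `[RFC768][1]` reference in the Checksum row will not resolve: it uses reference-link syntax, but the target is written as an inline link inside a list item (`* [1](https://tools.ietf.org/html/rfc768)`), so it needs a `[1]: https://tools.ietf.org/html/rfc768` definition like the ones at the bottom of ipv4.md and tcp.md. The Example Packets section is still the template text (`todo[0] = 0`, "id of one"); UDP has no id field, so replace it with UDP-specific checks such as `udp[4:2] = 8` (datagram with no payload) or `udp[0:2] = 53` (DNS source port). Worth adding to the Checksum row: in IPv4 the UDP checksum is optional and a value of zero means it was not computed, which matters when a forensic filter keys on it. Remaining items: the three `TODO` headings, the unbackticked `udp[0:2]` style cells (the other pages use backticks), "tcp pr udp" and "abbreviaition" in the BPF table, and the `[TODO rfc####](link)`, `todo_ids.md` and `compnents` placeholders under Additional resources.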
networking/protocols/vlan.md
@@ -0,0 +1,46 @@
+# VLAN - Virtual LAN tagging
+
+IEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an
+Ethernet network. The standard defines a system of VLAN tagging for Ethernet
+frames and the accompanying procedures to be used by bridges and switches in
+handling such frames
+
+## Ethernet+VLAN tag Headers
+
+```
+byte 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+- D ...-+--+--+--+--+
+ | Destination | Source | TPID| TCI | E | . A .. | CRC |
+ | MAC Address | MAC Address | | | T | .. T . | Checksum |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-... A -+--+--+--+--+
+```
+
+Ethernet+VLAN total byte count = 6+6+2+2+2+4 = **24 Bytes**
+
+## Ethernet+VLAN tag Headers Descriptions
+
+| Bytes | Field | Description |
+|--------------------------|------------------------------------|--------------------------------------------|
+| `ether[0:4], ether[4:2]` | Dest MAC Address | |
+| `ether[6:4], ether[8:2]` | Src MAC Address | |
+| `ether[12:2]` | TPID | Tag Protocol ID = `0x8100 |
+| `ether[14:2]` | TCI | Tag control information (PCP + DEI + VLAN) |
+| `ether[14] & 0xE0` | PCP | Priority Control Point - 3bits |
+| `ether[14] & 0x10` | DEI | Drop Eligible Indicator |
+| `ether[14:2] & 0x0FFF` | VID | VLAN Identifier - 12 bits |
+| `ether[16:2]` | [EtherType](./lists/ether_type.md) | protocol of payload |
+
+## Ethernet+VLAN Example Packets
+
+* `ether[12:2] = 0x8100` - frame is an IEEE 802.1Q
+* `ether[14:2] & 0x0FFF = 1` - frame has the default VLAN ID (1)
+* see also [Ethernet](./ethernet.md)
+
+### Ethernet+VLAN BPF Shortcuts
+| BPF Shortcut Syntax | Description |
+|--------------------------------|--------------------------------------------------------------------------------------|
+| `vlan [vlan_id]` | IEEE 802.1Q VLAN packet. If [vlan_id] is specified test if frame has the specified vlan |
+
+## Additional resources
+
+* [VLAN tags - wikipedia](https://en.wikipedia.org/wiki/IEEE_802.1Q)
\ No newline at end of file
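Review bot: the byte count "6+6+2+2+2+4 = **24 Bytes**" does not add up; those terms sum to 22, and the 4-byte CRC is a frame trailer rather than part of the header, so the tagged header (dst MAC + src MAC + TPID + TCI + EtherType) is 18 bytes, which is what the byte ruler `0 ... 18` in the diagram shows. The Src MAC row repeats the slice error from ethernet.md: `ether[6:4], ether[8:2]` should be `ether[6:4], ether[10:2]`. The TPID cell has an unclosed backtick (`` `0x8100 ``), and PCP stands for Priority Code Point, not Priority Control Point. A blank line is also needed between `### Ethernet+VLAN BPF Shortcuts` and the table for it to render on all markdown engines, and the intro sentence is missing its full stop.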
networking/readme.md
@@ -0,0 +1,41 @@
+# Networking
+
+## Protocols
+
+* [Ethernet](./protocols/ethernet.md)
+* [VLAN](./protocols/vlan.md)
+* [IP](./protocols/ipv4.md)
+* [TCP](./protocols/tcp.md)
+* [UDP](./protocols/upd.md)
+* [ARP](./protocols/arp.md)
+* [ICMP](./protocols/icmp.md)
+* [DHCP](./protocols/dhcp.md)
+* Lists
+ * [EtherTypes](./protocols/lists/ether_types.md)
+ * [IPv4 Protocol Numbers](./protocols/lists/ipv4_protocol_numbers.md)
+ * [Subnets and CIDRs](./protocols/lists/subnets_and_cidrs.md)
+ * [TCP/UDP Ports](./protocols/lists/tcp_udp_ports.md)
+
+## Packet Forensics
+
+* [MAC OUI](./packet_forensics/mac_oui.md)
+* [IPv4 initial TTL & TCP Window Size](./packet_forensics/ipv4_ttl_ws.md)
+* [Source Ephemeral ports](./packet_forensics/ephemeral_ports.md)
+* [TCP options (p0f)](./packet_forensics/tcp_options_p0f.md)
+* [DHCP options](./packet_forensics/dhcp_options.md)
+
+## Components
+
+* [Broadcast Domains](./components/broadcast_domains.md)
+* [Subnetting](./components/subnetting.md)
+* [Switching](./components/switching.md)
+* [Routing](./components/routing.md)
+
+## Pacet Capture
+
+* [bpf](./packet_capture/bpf.md)
+* [phd](./packet_capture/phd.md)
+* [tcpdump](./packet_capture/tcpdump.md)
+* [tshark](./packet_capture/tshark.md)
+* [wireshark](./packet_capture/wireshark.md)
+* [snoop](./packet_capture/snoop.md)
\ No newline at end of file
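Review bot: the UDP link points at `./protocols/upd.md`, but the file added in this commit is `networking/protocols/udp.md`, so the link is broken. The list filenames also disagree with the links used inside the protocol pages: the readme links `lists/ether_types.md` and `lists/ipv4_protocol_numbers.md`, while vlan.md links `./lists/ether_type.md`, ethernet.md links `./ether_type.md`, and ipv4.md links `./lists/ip_protocol_numbers.md`; pick one name for each. Typo in the heading "Pacet Capture".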
windows/cli/sysinternals/handle.md
@@ -0,0 +1,11 @@
+# handle
+
+https://technet.microsoft.com/en-us/sysinternals/handle
+
+## Examples
+| command | description |
+|--------------------|---------------------------------------------|
+| `handle <QUERY>` | show system wide handles that match <QUERY> |
+| `handle -p <PID>` | show for specific pid |
+| `handle -a <NAME>` | show all |
+| `handle -s <NAME>` | show statistics of handles |
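Review bot: the `-a` and `-s` rows describe the switches too loosely and attach a `<NAME>` operand to them: in handle, the optional name at the end of the command line is a substring filter on handle names regardless of which switches are given, `-a` dumps all handle types rather than only files, and `-s` prints a count per handle type. Raw `<QUERY>` and `<PID>` inside the description cells will be parsed as HTML tags by most markdown renderers; put them in backticks as the command column already does. A blank line is also needed between `## Examples` and the table.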
windows/cli/sysinternals/listdlls.md
@@ -0,0 +1,12 @@
+
+# listdlls
+
+https://technet.microsoft.com/en-us/sysinternals/bb896656
+
+## Examples
+| command | description |
+|----------------------------|--------------------------------------------|
+| `listdlls <NAME/PID>` | list loaded dlls of process by name or pid |
+| `listdlls -d <MODULE>.dll` | list process with MOUDLE dll loaded |
+| `listdlls -u` | show only unsigned dlls |
+| `listdlls -v` | show dll version numbers |
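Review bot: typo "MOUDLE" in the `-d` row (should be MODULE, matching the `<MODULE>.dll` placeholder). The file also opens with a blank `+` line before the heading, unlike the sibling pages, and needs a blank line between `## Examples` and the table.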
windows/cli/sysinternals/pskill.md
@@ -0,0 +1,10 @@
+# pskill
+
+https://technet.microsoft.com/en-us/sysinternals/pskill
+
+# Examples
+| command | description |
+|------------------------------------------------|-----------------------------------------|
+| `pkill -t` | terminate a process and its descendants |
+| `pskill /s \\<SYSTEM> /u <USER> /p <PASS> <N>` | remote pkill by pid |
+
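Review bot: both example rows name the wrong tool: `pkill -t` and "remote pkill" should be `pskill -t` and "remote pskill" (pkill is the Unix command). The remote row's option syntax also does not match pskill, which takes `\\computer -u username -p password` with dashes and has no `/s`; the usage is `pskill [-t] [\\computer [-u username [-p password]]] <process name | pid>`. Also the `# Examples` heading is an H1 where the sibling pages use `##`, and a blank line is missing before the table.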
windows/cli/sysinternals/pslist.md
@@ -0,0 +1,13 @@
+# pslist
+
+https://technet.microsoft.com/en-us/sysinternals/pslist.aspx
+
+## Examples
+| command | description |
+|-----------------------------------------|------------------------------------------------------------------|
+| `pslist -d -m` | show thread (d) and memory (m) details |
+| `pslist -x` | both `-d` and `-m` |
+| `pslist -t` | show tree view |
+| `pslist -s <S> -r <R>` | taskman mode for S seconds with periodic updates every R seconds |
+| `pslist \\<SYSTEM> /u <USER> /p <PASS>` | remote plist |
+| | show/sort on priority |
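Review bot: the last table row has an empty command cell for "show/sort on priority"; either fill in the switch or drop the row. The remote row uses `/u` and `/p`, but pslist takes `-u` and `-p` (`pslist [-d][-m][-x][-t][-s [n] [-r n]] [\\computer [-u username][-p password]] [[-e] name | pid]`), and "remote plist" should read "remote pslist". A blank line is also needed between `## Examples` and the table.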
windows/cli/sysinternals/psservice.md
@@ -0,0 +1,34 @@
+# psservice
+https://technet.microsoft.com/en-us/sysinternals/psservice
+
+## Usage
+
+`psservice [\\computer [-u username] [-p password]] <command> <options>`
+
+| <command> | description |
+|------------|------------------------------------------------------------|
+| query | Displays the status of a service. |
+| config | Displays the configuration of a service. |
+| setconfig | Sets the start type (disabled, auto, demand) of a service. |
+| start | Starts a service. |
+| stop | Stops a service. |
+| restart | Stops and then restarts a service. |
+| pause | Pauses a service |
+| cont | Resumes a paused service. |
+| depend | Lists the services dependent on the one specified. |
+| security | Dumps the service's security descriptor. |
+| find | Searches the network for the specified service. |
+| \\computer | Targets the NT/Win2K system specified. |
+
+## Eamples
+
+TODO: Table & Descriptions
+psservice query audiosrv
+psservice stop audiosrv
+psservice query audiosrv
+psservice start Umrdpservice
+psservice query Umrdpservice
+psservice setconfig spooler disabled
+psservice setconfig w32time auto
+psservice security appinfo
+
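Review bot: the `| <command> |` header cell will be swallowed as an HTML tag by markdown renderers; write it as `` `<command>` `` like the placeholders in the usage line. The Examples block (`psservice query audiosrv` through `psservice security appinfo`) is bare text and will run together into one paragraph; fence it or, as the TODO says, turn it into a command/description table (the `setconfig spooler disabled` line is a good place to say that changing the start type does not stop a running instance, which is why the stop/query pairs above it matter). Also "Eamples" in the heading, a blank line is needed after `# psservice` before the URL, and `\\computer` is listed as a command although the usage line shows it as an optional target prefix.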
windows/cli/wmic/cpu.md
@@ -0,0 +1,6 @@
+
+
+wmic cpu get name, CurrentClockSpeed, MaxClockSpeed
+wmic cpu get NumberOfCores,NumberOfLogicalProcessors
+
+
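Review bot: the two commands are bare text in a file with no heading, so they will render as a single paragraph; give the page a `## wmic CPU Examples` table like process.md, with descriptions (name and clock speeds; core and logical processor counts). The first command has a space after the comma (`name, CurrentClockSpeed`) and the second has none; wmic accepts both, but pick one style.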
windows/cli/wmic/datafile.md
@@ -0,0 +1,3 @@
+
+
+wmic datafile where name='<FILEPATH>' get creationdate
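Review bot: `where name='<FILEPATH>'` will fail on a normal Windows path because WQL treats backslashes as escape characters; the path has to be written with doubled backslashes, e.g. `name='C:\\Windows\\System32\\notepad.exe'`. The page also has no heading and the command is bare text; match the table layout of process.md. For triage, a `get creationdate, lastmodified, lastaccessed` variant would fit here, since all three are CIM_DataFile properties.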
windows/cli/wmic/process.md
@@ -0,0 +1,8 @@
+
+## wmic Process Examples
+| command | description |
+|-----------------------------------------------------------------|------------------------------|
+| `wmic process where "priority=n"` | filter processes by priority |
+| `wmic process where "name like '%<NAME>%'" get name, processid` | fuzzy match process name |
+| `wmic process where processid=<N>` | get process by id |
+
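Review bot: the `priority=n` placeholder should follow the `<N>`/`<NAME>` style used in the other rows, and a title line is missing at the top of the file (it opens with a blank `+` line, then the H2). For triage, a `get name, processid, parentprocessid, commandline` variant of the second row would be worth listing, since the command line and parent are what distinguish look-alike process names.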
windows/cli/wmic/useraccount.md
@@ -0,0 +1,13 @@
+
+```bash
+# This gives a lot of information, try piping it to a file or to your clipboard
+wmic useraccount
+# For just the domain, name, and sid
+wmic useraccount get domain, name, sid
+# Find out who is logged on
+WMIC /NODE: "workstation_name" COMPUTERSYSTEM GET USERNAME
+WMIC /NODE: "xp" COMPUTERSYSTEM GET USERNAME
+# Get both sets of information at once!
+wmic useraccount get domain, name, sid && WMIC /NODE: "xp" COMPUTERSYSTEM GET USERNAME
+```
+
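Review bot: the fence is tagged `bash`, but these are cmd.exe commands (the `&&` chaining is cmd's), so tag it `cmd` or `bat` to stop readers trying them in a POSIX shell. The "Find out who is logged on" comment overstates what `COMPUTERSYSTEM GET USERNAME` returns: it reports only the user logged on at the interactive console, not RDP or service sessions. The "a lot of information" remark is also worth making explicit: on a domain member, `wmic useraccount` with no filter enumerates domain accounts as well as local ones, which is slow and noisy. The file also has no heading, unlike process.md.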
windows/cli/arp.md
@@ -0,0 +1,11 @@
+# arp
+
+https://technet.microsoft.com/en-us/library/bb490864.aspx
+
+## Syntax
+
+`arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]`
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
windows/cli/cmd.md
@@ -0,0 +1,10 @@
+# cmd.exe
+
+## File location
+
+| | 32bit shell | 64bit shell |
+|----------------|-------------|-------------|
+| **x86 system** | system32 | N/A |
+| **x64 system** | syswow64 | system32 |
+
+Native Commands: `copy`, `move`, `dir`, `set`, `date`, `help`, `path`
\ No newline at end of file
windows/cli/driverquery.md
@@ -0,0 +1,8 @@
+# driverquery
+
+https://technet.microsoft.com/en-us/library/bb490896.aspx
+
+## Examples
+driverquery
+driverquery /si | findstr "TRUE"
+
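Review bot: the two commands are bare text under `## Examples` and will run together into one paragraph; fence them or use the command/description table the other cli pages use. The `driverquery /si | findstr "TRUE"` example also needs its description: `/si` adds the signature column, and filtering on `TRUE` keeps only signed drivers, whereas for a review the interesting rows are the `FALSE` (unsigned) ones, so list both variants.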
windows/cli/ds.md
@@ -0,0 +1,52 @@
+
+# Links
+
+### `ds` Commands
+
+The `ds` family of commands perform operations on Active Directory objects.
+There are too many commands to show all the flags but they mostly follow the same structure.
+Here are the main links you want to have around.
+
+| Command | Link | ss64 |
+|------------|----------------------------------------------------------------------|--------------------------------------------|
+| `Dsacls` | [technet](https://technet.microsoft.com/en-us/library/cc771151.aspx) | |
+| `Dsadd` | [technet](https://technet.microsoft.com/en-us/library/cc753708.aspx) | |
+| `Dsamain` | [technet](https://technet.microsoft.com/en-us/library/cc772168.aspx) | |
+| `Dsdbutil` | [technet](https://technet.microsoft.com/en-us/library/cc753151.aspx) | |
+| `Dsget` | [technet](https://technet.microsoft.com/en-us/library/cc755162.aspx) | |
+| `Dsmgmt` | [technet](https://technet.microsoft.com/en-us/library/cc732473.aspx) | |
+| `Dsmod` | [technet](https://technet.microsoft.com/en-us/library/cc732406.aspx) | [ss64](http://ss64.com/nt/dsmod-user.html) |
+| `Dsmove` | [technet](https://technet.microsoft.com/en-us/library/cc732952.aspx) | |
+| `Dsquery` | [technet](https://technet.microsoft.com/en-us/library/cc732952.aspx) | [ss64](http://ss64.com/nt/dsquery.html) |
+| `Dsrm` | [technet](https://technet.microsoft.com/en-us/library/cc731865.aspx) | [ss64](http://ss64.com/nt/dsrm.html) |
+
+# Examples
+| Command | Description |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
+| `dsquery computer` | get comptuer info |
+| `dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr *` | get all users metadata |
+| `dsquery * "<DN>" -attr *` | get all attributes |
+| `dsquery * -attr operatingSystem operatingSystemServicePack -filter "(| (operatingSystem=*))` | service pack info |
+| `dsquery user -name *FILTER* | dsget user -memberof` | user group memberships |
+| `dsquery group -name *FILTER* | dsget group -members | dsget user -upn` | all group members upns |
+| `dsget group "<GROUP DN>" -members` | list members |
+| `dsadd user "CN=userA,CN=users,DC=acme,DC=local" -samid usera -upn usera@acme.local -fn "user" -ln "a" -display "User A" -pwd abc123 -desc "user a" -disabled no` | create a user |
+| `dsadd group "cn=acme admins,cn=users,dc=acme,dc=local"` | add a group (OU) |
+| `dsmod group "<GROUP DN>" -addmbr "<MEMBER DN>"` | add member to group |
+| `dsrm "<OBJECT DN>" -noprompt` | remove raw object |
+| `dsquery computer -name <NAME>` | Determine if a computer name is on the domain |
+| `dsquery ou -name *` | Find all OU's |
+| `dsquery user "OU=Acme Admins,DC=acme,DC=local" -desc "Acme Admin"` | Get all users belonging to an OU with a particular description |
+| `dsquery user -samid <SAMID> | dsrm -noprompt` | remove user by samid |
+| `dsmove <DN> -newparent <PARENT_DN>` | move to new parent |
+
+## Is this box a member of a domain?
+
+ * nslookup -type=any %userdnsdomain%.
+ * nltest /dclist:<DOMAIN NAME>
+ * systeminfo | findstr "Domain"
+
+## use variables for long OU names
+
+ * `set _usera="cn=userA,ou=users,dc=domain,dc=local`
+ * `dsmod user %_usera% -disabled yes`
windows/cli/nbstat.md
@@ -0,0 +1,10 @@
+# nbstat
+https://technet.microsoft.com/en-us/library/cc940106.aspx
+
+## Syntax
+
+## Examples
+| command | description |
+|-------------------|-------------|
+| nbtstat -n | |
+| nbtstat -A <HOST> | |
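Review bot: the title and filename say `nbstat`, but the command is `nbtstat` (as the table rows show); rename the file to nbtstat.md to match. The Syntax section is empty and both descriptions are blank: `nbtstat -n` lists the local NetBIOS name table, and `nbtstat -A <HOST>` lists a remote machine's name table given its IP address (`-a` takes a NetBIOS name instead). The commands in the table should also be in backticks like the other pages.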
windows/cli/netsh.md
@@ -0,0 +1,197 @@
+# `netsh`
+
+Advanced networking command-line utility.
+
+Resources
+
+| Description | Link |
+|--------------------------------------------------------------|--------------------------------------------------------------------------|
+| Shows: Enabling ports, services, programs, logging, and more | <https://support.microsoft.com/en-us/kb/947709> |
+| Logging Specific information | <https://technet.microsoft.com/en-us/library/cc787462%28v=ws.10%29.aspx> |
+| | |
+
+
+## Firewall
+
+On older systems `netsh firewall` works. For newer systems use `netsh advfirewall firewall`.
+
+Get into the Firewall Configuration mode
+
+```bash
+netsh advfirewall
+```
+
+Fun fact: The Windows Firewall operates only in User Mode. The Windows Filtering
+Platform (WPF) has functionality in both User Mode and Kernel Mode.
+
+### Basic Commands
+
+Check and change the status of the firewall
+
+| Command | Description |
+|--------------------------------------------------|--------------------------------|
+| `netsh advfirewall show allprofiles` | Display status of all profiles |
+| `netsh advfirewall set allprofiles state off` | Turn off all profiles |
+| `netsh advfirewall set allprofiles state on` | Turn on all profiles |
+| `netsh advfirewall show currentprofile` | Show the current profile |
+| `netsh advfirewall set currentprofile state off` | Turn the current profile off |
+| `netsh advfirewall set currentprofile state on` | Turn the current profile on |
+| | |
+
+Example:
+
+```bash
+# Turn off public firewall
+netsh advfirewall set public state off
+# Another way to turn off/on existing firewall network profiles
+# enable
+netsh firewall set opmode profile=all mode=enable
+# disable
+netsh firewall set opmode profile=all mode=disable
+```
+
+### Review Firewall Rules
+
+| Command | Description |
+|-------------------------------------------------------------------------------|--------------------------------------------|
+| `netsh advfirewall show currentprofile` | Display status of current profile |
+| `netsh advfirewall firewall show rule profile=private name=all` | Replace "profile" for the current profile. |
+| `netsh advfirewall firewall show rule profile=private name=all > fwrules.txt` | Get output as a text file for review |
+| | |
+
+Example:
+
+```bash
+# Show all the rules on the system
+netsh advfirewall firewall show rule name=all
+# Show all the rules on the private profile
+netsh advfirewall firewall show rule profile=private name=all
+# Filter for a rule name,
+```
+
+### Enable/Disable
+
+For individual rules:
+
+```bash
+# Enable a rule
+netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=yes
+# Disable a rule
+netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=no
+```
+
+For a rule group:
+
+```bash
+# This enables file and printer sharing
+# Disable
+netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
+# Enable
+netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
+```
+
+### Add a rule
+
+```bash
+# Add SSH
+netsh advfirewall firewall add rule
+ name="Secure Shell"
+ dir=in
+ action=allow
+ protocol=TCP
+ localport=22
+ remoteport=49155
+ profile=any
+# Verify
+netsh advfirewall firewall show rule name="Secure Shell"
+```
+
+Create a rule that will allow inbound TCP traffic from a specific IP address and
+source port to a specific destination port:
+
+```bash
+netsh advfirewall firewall add rule
+ name="Rule Name"
+ dir=in
+ protocol=tcp
+ localport=31337
+ remoteport=6666
+ remoteip=192.168.11.14
+ profile=private
+ action=allow
+```
+
+#### Add a Program
+
+```bash
+netsh advfirewall firewall add rule
+ name="FOX"
+ dir=in
+ action=allow
+ program="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
+ enable=yes
+```
+
+### Delete
+
+```bash
+netsh advfirewall firewall delete rule name="<Rule Name>"
+```
+
+### Backup/Import
+
+Export current settings:
+
+```bash
+netsh advfirewall export PATH
+# Example
+netsh advfirewall export "C:\FW-Before-Changes.wfw"
+```
+
+Import settings:
+
+```bash
+netsh advfirewall import "C:\FW-Before-Changes.wfw"
+```
+
+
+### Enable/Disable Windows Firewall log
+
+To enable or disable the Windows Firewall log:
+
+```bash
+ netsh firewall set logging droppedpackets=enable connections=enable
+```
+
+### Respond to Pings
+
+```bash
+netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
+```
+
+### Turn on RDP
+
+```bash
+# newer netsh
+systems advfirewall firewall set rule group="remote desktop" new enable=Yes
+
+# older systems
+netsh firewall set service type = remotedesktop mode = enable
+```
+
+### Turn on File Sharing
+
+```bash
+# xp, enable
+netsh firewall set service type = fileandprint mode = enable
+# xp, disable
+netsh firewall set service type = fileandprint mode = disable
+
+# Newer
+netsh advfirewall firewall set rule group="Network Discovery" new enable=no
+netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
+# Enable
+netsh advfirewall firewall set rule group="Network Discovery" new enable=yes
+netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
+```
+
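Review bot: the multi-line `netsh advfirewall firewall add rule` examples (the "Secure Shell", "Rule Name" and "FOX" rules) will not run as written in cmd.exe, because each parameter sits on its own line with no `^` continuation; either join each command onto one line or end every continued line with `^`. Related fixes in the same hunk: the SSH rule pins `remoteport=49155`, which blocks any SSH client using a different ephemeral source port, so drop `remoteport` unless a fixed client port is intended; under "Turn on RDP" the first command reads `systems advfirewall firewall set rule ...` where `netsh advfirewall ...` is meant; under "Turn on File Sharing" the two lines labelled `# Newer` disable the groups (`enable=no`) and should be labelled "disable"; and `netsh firewall ...` (logging, RDP, file sharing) is the deprecated pre-Vista context, so the logging section should also show the current form, `netsh advfirewall set allprofiles logging droppedconnections enable` and `netsh advfirewall set allprofiles logging allowedconnections enable`. The fences are tagged `bash` although these are cmd commands.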
windows/cli/netstat.md
@@ -0,0 +1,9 @@
+# netstat
+
+https://technet.microsoft.com/en-us/library/bb490947.aspx
+
+## Syntax
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
windows/cli/pathping.md
@@ -0,0 +1,9 @@
+# pathping
+
+https://technet.microsoft.com/en-us/library/bb490964.aspx
+
+## Syntax
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
windows/cli/ping.md
@@ -0,0 +1,8 @@
+# ping
+https://technet.microsoft.com/en-us/library/bb490968.aspx
+
+## Syntax
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
windows/cli/sc.md
@@ -0,0 +1,93 @@
+# `sc`
+
+The Services Controller (SC) utility is native to Windows, and is included with the installation of the operating system. It includes a number of options that provide the functionality to allow you to view, manage and configure the services on the local computer as well as a remote computer.
+https://technet.microsoft.com/en-us/library/bb490995.aspx
+
+## Usage
+
+__NOTE:__ The sc utility does not accept the DISPLAY_NAME of a service as input. You must use the service's SERVICE_NAME (also referred to as its KEY_NAME) as input to the command. To find the SERVICE_NAME associated with a service, using the following command syntax: sc getkeyname "DISPLAY_NAME"
+
+## Examples
+
+`<SN> = <SERVICE NAME>`
+
+| command | description |
+|------------------------------------------------|------------------------------------------------------------------------------------------|
+| `sc /?` | show help |
+| `sc getkeyname "<DISPLAY NAME>"` | returns <SN> |
+| `sc stop <SN>` | |
+| `sc start <SN>` | |
+| `sc config <SN> start= disabled` | |
+| `sc config <SN> start= auto` | |
+| `sc qc <SN>` | start_type, binary_path_name, load_order_group, display_name, dependencies, service_name |
+| `sc enumdepend <SN>` | find services that depend on <SC> |
+| `sc \\<REMOTE.PC> query | clip && notepad` | open results of remote query in notepad |
+
+
+
+### `sc getkeyname`
+
+This command returns a SERVICE_NAME (Also known as a KEY_NAME) from a given
+DISPLAY_NAME
+
+### `sc query`
+
+Without any arguments this command returns a listing of all services installed
+on the system and the state of each service. Here's a cool trick to get the
+output of this command into notepad, without creating a file:
+
+```bash
+# This puts the output of the command into the clipboard and opens notepad
+# You are then one CTRL+V away from having the output in notepad.
+sc \\REMOTE.PC query | clip && notepad
+```
+
+```bash
+# Query for the telnet service
+sc getkeyname "Telnet"
+# Returns "TlntSvr"
+sc query TlntSvr
+```
+
+### `sc <stop | pause | continue | start>`
+
+Use the commands above to stop, pause, continue, or start a service.
+
+### `sc qc`
+
+This command shows the configurable data associated with a process. The `qc`
+could stand for "query configuration."
+
+```bash
+# Show the configuration for the "Netowork Connections" service
+sc getkeyname "Network Connections"
+# returns "Netman"
+sc qc netman
+# Returns all the configurable data
+```
+
+### `sc config`
+
+This allows a configuration parameter to be changed on a service.
+
+```bash
+# Change netlogon from auto_start to disabled
+sc config netlogon start= disabled
+```
+
+### `sc EnumDepend`
+
+The EnumDepend shows what services depend on the given service.
+
+```bash
+sc getkeyname "Workstation"
+# returns LanmanWorkstation
+sc EnumDepend LanmanWorkstation
+```
+
+To see what dependencies a certain service has, checkout it's configuration:
+
+```bash
+sc qc Browser
+# Shows LanmanWorkstation as a dependency
+```
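Review bot: the table row `sc \\<REMOTE.PC> query | clip && notepad` contains an unescaped `|`, which splits the row into an extra column when rendered; escape it as `\|`. Also in this hunk: the `sc enumdepend` description says "depend on <SC>" where `<SN>` is meant; `sc qc` is described as showing data for a "process" rather than a service; "Netowork Connections" is a typo; and the page should say that the space after `=` in `start= disabled` is mandatory, because `sc` parses `start=` as the option name and the next token as its value. Worth a caveat too that in Windows PowerShell `sc` is an alias for `Set-Content`, so the examples should be typed as `sc.exe` there. Finally, `sc config netlogon start= disabled` is a risky worked example, since disabling Netlogon breaks domain logons on a domain member; a less consequential service would illustrate `sc config` just as well.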
windows/cli/taskkill.md
@@ -0,0 +1,9 @@
+
+# taskkill
+https://technet.microsoft.com/en-us/library/bb491009.aspx
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
+| `taskkill /fi "imagename eq <NAME>"` | kill a task by name |
+| `taskkill /s \\<SYSTEM> /u <USER> /p <PASS> /pid <N>` | kill a task on a remote system by pid |
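Review bot: the remote example passes the password on the command line with `/p <PASS>`, which leaves it in the console history and visible in process listings on the admin host; omit `/p` so `taskkill` prompts for it. The table should also mention `/f`, since without it `taskkill` only requests termination and processes that ignore the close request keep running.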
windows/cli/tasklist.md
@@ -0,0 +1,14 @@
+# tasklist
+https://technet.microsoft.com/en-us/library/bb491010.aspx
+
+## Examples
+
+| command | description |
+|-----------------------------------------|----------------------------------------|
+| `tasklist | sort /R /+58` | sorted tasklist by memory usage |
+| `tasklist /svc` | show services running in a process |
+| `tasklsit /fi "services eq <NAME>"` | filter for service by name |
+| `tasklist /m <name>.dll` | filter for modules (dlls) loaded |
+| `tasklist /fi "username eq <USERNAME>"` | filter for process by owner username |
+| `tasklist /fi "session eq <N>"` | filter for processes by session number |
+| `tasklist /s \\<SYSTEM> /u <USER>` | remote tasklist |
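Review bot: `tasklsit` in the services-filter row is a typo for `tasklist`, and the first row's `tasklist | sort /R /+58` has an unescaped `|` that breaks the markdown table (escape it as `\|`). The `/+58` offset also assumes the default `tasklist` column layout; note that `/v`, `/svc` or `/fo` change the layout and shift the memory column.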
windows/cli/template.md
@@ -0,0 +1,17 @@
+# command name
+
+Link to online man page or main documentation
+
+## Usage
+
+Summary of usage to include a table of flags if appropriate
+
+## Examples
+| command | description |
+|---------|-------------|
+
+## More
+
+ * List
+ * Of
+ * Links
windows/cli/tracert.md
@@ -0,0 +1,10 @@
+# tracert
+
+https://technet.microsoft.com/en-us/library/cc940128.aspx
+
+## Syntax
+
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
+
windows/win_env.md
@@ -0,0 +1,16 @@
+# Environmental Variables
+
+## Registry storage
+
+`HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment`
+
+## Common Variables
+
+* %systemroot%
+* %homepath%
+
+
+## Manipulation:
+
+* set (TODO link to tools/set.md)
+* setx (TODO link to tools/setx.md)
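Review bot: the "Registry storage" section lists only the system-wide location; per-user variables live under `HKCU\Environment` (with session-specific ones under `HKCU\Volatile Environment`), and that is where `setx` without `/M` writes, so both paths belong here. Under "Common Variables", `%homepath%` is only the path relative to the home drive (for example `\Users\name`); `%userprofile%` is usually what is wanted, and `%systemroot%` is worth listing alongside its synonym `%windir%`.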
windows/win_kernel.md
@@ -0,0 +1,21 @@
+# Windows Kernel
+
+Need URL or page number:
+Typically, the kernel is responsible for:
+ Process and task management,
+ Memory management, and
+ Device management.
+
+### Types of Windows Drivers
+
+[MSDN: Types of Windows Drivers]
+
+
+
+
+Kernel VM Paging - http:/pages.cs.wisc.edu/~remzi/OSTEP/vm-paging.pdf
+Kernel Reference https://msdn.microsoft.com/en-us/library/ee482973.aspx
+Kernel Functions https://msdn.microsoft.com/en-us/library/ee482951.aspx
+[MSDN: Types of Windows Drivers]: https://msdn.microsoft.com/en-us/library/windows/hardware/ff564864(v=vs.85).aspx
+[Understanding User and Kernel Mode]: https://blog.codinghorror.com/understanding-user-and-kernel-mode/
+[MSDN: User and Kernel Mode]: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
\ No newline at end of file
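Review bot: the page ships with an unresolved placeholder, "Need URL or page number:", above the kernel-responsibility list, and the "Kernel VM Paging" link reads `http:/pages.cs.wisc.edu/...` with a missing slash. The three bare links at the bottom are not in the `[name]: url` reference style used by the other entries, and the `[Understanding User and Kernel Mode]` and `[MSDN: User and Kernel Mode]` definitions are never referenced from the text.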
windows/win_passive.md
@@ -0,0 +1,25 @@
+## process list
+
+| System PID | Win OS Version |
+|------------|----------------|
+| 2 | Windows NT |
+| 8 | Windows 2000 |
+| 4 | Windows XP+ |
+
+## other processes
+| process | system info |
+|---------|---------------------------------|
+| MsMpEng | Windows Defender |
+| NlsSrv | Security Essentials |
+| msseces | Security Essentials |
+| wininit | Vista+ |
+| csrss | n>=2,Vista+; n=1,XP/2K3 or less |
+| dwm | Vista+ |
+
+## uptime & logon time
+
+* smss's Elapsed Time
+* smss ET / Idle CPU Time ~= # CPU's
+* Logon time = explorer.exe ET
+
+
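Review bot: the CPU-count heuristic under "uptime & logon time" is inverted. The Idle process accumulates CPU time on every core concurrently, so it is `Idle CPU time / smss elapsed time ~= number of CPUs`, not smss elapsed time divided by Idle time. In the "other processes" table, `NlsSrv` looks like a typo for `NisSrv` (the Microsoft Network Realtime Inspection Service that ships with Security Essentials and Defender). The file also lacks the top-level `#` heading the sibling pages have.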
windows/win_registry.md
@@ -0,0 +1,80 @@
+# Windows Registry
+
+## Registry Structure
+
+### Registry Root Keys [3]
+
+| Root Key | Abbrv. | Description | Link (Alias) |
+|-----------------------|--------|------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
+| HKEY_CURRENT_USER | HKCU | Points to the user profile of the currently logged on user | Subkey under `HKEY_USERS` corresponding to currently logged on user |
+| HKEY_USERS | HKU | Contains subkeys for all loaded user profiles | Not a link |
+| HKEY_CLASSES_ROOT | HKCR | Contains file association and COM registration information | Not a direct link; rather, a merged view of `HKLM\SOFTWARE\Classes` and `HKEY_USERS\\SOFTWARE\Classes` |
+| HKEY_LOCAL_MACHINE | HKLM | Global settings for the machine. | Not a link |
+| HKEY_CURRENT_CONFIG | HKCC | Current hardware profile | `HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current` |
+| HKEY_PERFORMANCE_DATA | HKPD | Performance counters | Not a link |
+
+### Data Types [1]
+
+| Name | Data type | Purpose |
+|--------------------------------|--------------|--------------------------|
+| REG_BINARY | Binary | Binary data |
+| REG_DWORD | Numeric | Numeral |
+| REG_QWORD | Numeric | 64-bit numeric value |
+| REG_EXPAND_SZ | String | Text and variables |
+| REG_FULL_RESOURCE_DESCRIPTOR | String | Device resource ID |
+| REG_LINK | String | Path to file |
+| REG_MULTI_SZ | Multi-string | Array of strings |
+| REG_NONE | Unknown | Encoded data |
+| REG_RESOURCE_LIST | String | List of device resources |
+| REG_RESOURCE_REQUIREMENTS_LIST | String | Device resource ID |
+| REG_SZ | String | Text |
+
+### Size Limits [4],[5]
+
+| Architecture | OS Version | Maximum size of the system hive |
+|---------------|-----------------------|---------------------------------------------|
+| x86 | Vista+ | 50 percent of physical memory, up to 400 MB |
+| x86 | 2003,XP | 25 percent of physical memory, up to 200 MB |
+| x64 | Vista+ | 50 percent of physical memory, up to 1.5 GB |
+| x64 | 2003 SP2 | 25 percent of system memory, up to 200 MB |
+| x64 | 2003 SP1, XP | 32 MB |
+| Intel Itanium | 8+ | 50 percent of physical memory, up to 1 GB |
+| Intel Itanium | Vista, 2008, 2003, XP | 32 MB |
+
+## Registry usage
+
+#### Registry data is read [2]
+
+0. During the initial boot process
+0. During the kernel boot process
+0. During logon
+0. During application startup
+
+## Additional Info:
+
+* [Windows Internals Part 1](http://materias.fi.uba.ar/7508/WI6/Windows%20Internals%20Part%201%20(6th%20Edition).pdf
+* Last Known Good: WIp16e: pg 329
+
+Registry Tools:
+
+* reg (TODO link)
+* regedit (TODO link)
+* regfind (TODO link)
+
+TODO move to tools pages:
+
+* reg - http://ss64.com/nt/reg.html
+* reg - https://technet.microsoft.com/en-us/library/cc732643(v=ws.11).aspx
+* regfind - http://www.mobzystems.com/Tools/RegFind.aspx
+* regedit - http://ss64.com/nt/regedit.html
+* Reg save https://technet.microsoft.com/en-us/library/cc742108.aspx
+* Reg add https://technet.microsoft.com/en-us/library/cc742162.aspx
+* Reg query https://technet.microsoft.com/en-us/library/cc742028.aspx
+* Export WinNT Registry Entries https://support.microsoft.com/en-us/kb/168589/en-us
+
+
+[1]: http://kb.chemtable.com/en/types-of-registry-data.htm
+[2]: Windows Internals Part 1, 6th Edition: pg 278
+[3]: Windows Internals Part 1, 6th Edition: pg 280
+[4]: Windows Internals Part 1, 6th Edition: pg 295
+[5]: https:/msdn.microsoft.com/en-us/library/windows/desktop/ms724881(v=vs.85).aspx
\ No newline at end of file
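Review bot: two rows of the root-key table need correcting. The HKCR alias column says `HKEY_USERS\\SOFTWARE\Classes`, but the per-user half of the merged view is the current user's `Software\Classes` (`HKCU\Software\Classes`, backed by the `HKEY_USERS\<SID>_Classes` hive), so the SID component has been lost. In the data-type table, `REG_LINK` is a symbolic link to another registry key, not a "Path to file", and `REG_FULL_RESOURCE_DESCRIPTOR`, `REG_RESOURCE_LIST` and `REG_RESOURCE_REQUIREMENTS_LIST` are binary structures, not strings. Formatting: the "Windows Internals Part 1" link is missing its closing `)`, and reference `[5]` reads `https:/msdn...` with a missing slash.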
windows/win_sid.md
@@ -0,0 +1,74 @@
+## SID Components
+
+ 0. Prefix (S)
+ 0. A revision level,
+ 0. An identifier-authority value,
+ 0. One or more subauthority values, and
+ 0. A Relative ID (RID).
+
+### Example SID Decode
+
+| S | 1 | 5 | 21-3623811015-3361044348-30300820 | 1013 |
+|----------------------|------------------------------------------------------------|---------------------------------|-------------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| The string is a SID. | The revision level (the version of the SID specification). | The identifier authority value. | Domain or local computer identifier | A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater. |
+
+
+## Identifier Authorities
+
+| Decimal | Name |
+|---------|-----------------------------|
+| 0 | Null Authority |
+| 1 | World Authority |
+| 2 | Local Authority |
+| 3 | Creator Authority |
+| 4 | Non-unique Authority |
+| 5 | NT Authority |
+| 9 | Resource Manager Authority |
+| 11 | Microsoft Account Authority |
+
+[source](https://en.wikipedia.org/wiki/Security_Identifier)
+
+## Well Known RID's
+
+| Well-Known Entity | RID | Type | Essential |
+|---------------------------|-----|-------|-----------|
+| Domain Administrator | 500 | User | No |
+| Domain Guest | 501 | User | No |
+| Domain KRBTGT | 502 | User | No |
+| Domain Admins | 512 | Group | Yes |
+| Domain Users | 513 | Group | Yes |
+| Domain Guests | 514 | Group | Yes |
+| Domain Computers | 515 | Group | No |
+| Domain Controllers | 516 | Group | No |
+| Domain Certificate Admins | 517 | Group | No |
+| Domain Schema Admins | 518 | Group | No |
+| Domain Enterprise Admins | 519 | Group | No |
+| Domain Policy Admins | 520 | Group | No |
+| Builtin Admins | 544 | Alias | No |
+| Builtin users | 545 | Alias | No |
+| Builtin Guests | 546 | Alias | No |
+| Builtin Power Users | 547 | Alias | No |
+| Builtin Account Operators | 548 | Alias | No |
+| Builtin System Operators | 549 | Alias | No |
+| Builtin Print Operators | 550 | Alias | No |
+| Builtin Backup Operators | 551 | Alias | No |
+| Builtin Replicator | 552 | Alias | No |
+| Builtin RAS Servers | 553 | Alias | No |
+
+[source](https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html)
+
+## SID from V
+
+| Steps | Values |
+|---------------------------------------------|------------------------------------------|
+| HKLM\SAM\SAM\Domains\Account\V | 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B |
+| Divide the bytes into 3 sections: | 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B |
+| Reverse the order of bytes in each section: | 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07 |
+| Convert each section into decimal: | 1085031214 - 1563985344 - 725345543 |
+| Add the machine SID prefix: | S-1-5-21-1085031214-1563985344-725345543 |
+
+## Recovery
+
+If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:
+ * regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
+ * explorer.exe: \%windir%\system32\config\SECURITY
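Review bot: under "SID from V" the first row presents the `V` value at `HKLM\SAM\SAM\Domains\Account` as if it were 12 bytes; the value is much longer, and the machine SID is its last 12 bytes, which the row should say (as the "Recovery" section already does for `PolAcDmS`). The reversal step is little-endian decoding of three 32-bit DWORDs, and naming it that way is clearer than "reverse the order of bytes". In "Recovery", `HKLM\SECURITY\Policy\PolAcDmS` holds the local account-domain SID as LSA policy data; it is the same SID, not a backup copy of the SAM, so "a backup is retrieved" overstates it, and both hives are readable only as SYSTEM or from an offline copy. In the well-known-RID table, 517, 520 and 549 carry the Samba source's names; the Windows names are "Cert Publishers", "Group Policy Creator Owners" and "Server Operators".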