Windows cheat sheet
| Variable Name | Description |
|---|---|
| %PATH% | Specifies a set of directories (locations) where executable programs are located. |
| %OS% | The current operating system on the user's workstation. |
| %SYSTEMROOT% | Expands to C:\Windows. A system-defined read-only variable containing the Windows system folder. Anything Windows considers important to its core functionality is found here, including important data, core system binaries, and configuration files. |
| %LOGONSERVER% | Provides the logon server for the currently active user, followed by the machine's hostname. We can use this information to tell whether a machine is joined to a domain or a workgroup. |
| %USERPROFILE% | Provides the location of the currently active user's home directory. Expands to C:\Users\{username}. |
| %ProgramFiles% | Equivalent of C:\Program Files. This location is where all the programs are installed on an x64-based system. |
| %ProgramFiles(x86)% | Equivalent of C:\Program Files (x86). This location is where all 32-bit programs running under WOW64 are installed. Note that this variable is only present on a 64-bit host, so it can be used to tell what kind of host we are interacting with (x86 vs. x64 architecture). |
More variables can be found at https://ss64.com/nt/syntax-variables.html
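As an added example (not part of the original cheat sheet), the PowerShell function below reads the variables listed above to answer two host-triage questions: whether the session was authenticated by a domain controller and whether the OS is 64-bit. The function name is an assumption of this example.

```powershell
# Added example: summarise host facts from the environment variables above.
function Get-HostEnvSummary {
    $logonServer = $env:LOGONSERVER            # e.g. \\DC01 or \\WS01
    $hostname    = $env:COMPUTERNAME

    # LOGONSERVER names the machine that authenticated the current user.
    # If it is this host itself, the session used a local account or a
    # workgroup logon; a different name points at a domain controller.
    # Caveat: a cached domain logon made while no DC was reachable also
    # reports the local machine name, so treat this as a heuristic.
    $domainLogon = ($logonServer -ne "\\$hostname")

    # %ProgramFiles(x86)% only exists on 64-bit Windows, so its presence
    # reveals the OS architecture without calling any other API.
    $x86Dir  = ${env:ProgramFiles(x86)}
    $is64Bit = -not [string]::IsNullOrEmpty($x86Dir)

    [pscustomobject]@{
        Hostname        = $hostname
        OS              = $env:OS
        SystemRoot      = $env:SYSTEMROOT
        UserProfile     = $env:USERPROFILE
        LogonServer     = $logonServer
        DomainLogon     = $domainLogon
        Is64BitOS       = $is64Bit
        ProgramFiles    = $env:ProgramFiles
        ProgramFilesX86 = $x86Dir
    }
}

Get-HostEnvSummary | Format-List
```

Run it in any PowerShell session; on a 32-bit host ProgramFilesX86 comes back empty and Is64BitOS is False.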
Tools To Be Aware Of
Below we will quickly list a few PowerShell modules and projects we, as penetration testers and sysadmins, should be aware of. Each of these tools brings a new capability to use within PowerShell. Of course, there are plenty more than just our list; these are just several we find ourselves returning to on every engagement.
- AdminToolbox: AdminToolbox is a collection of helpful modules that allow system administrators to perform any number of actions dealing with things like Active Directory, Exchange, Network management, file and storage issues, and more.
- ActiveDirectory: This module is a collection of local and remote administration tools for all things Active Directory. We can manage users, groups, permissions, and much more with it.
- Empire / Situational Awareness: A collection of PowerShell modules and scripts that can provide us with situational awareness on a host and the domain it is a part of. This project is maintained by BC Security as a part of their Empire Framework.
- Inveigh: Inveigh is a tool built to perform network spoofing and Man-in-the-middle attacks.
- BloodHound / SharpHound: Bloodhound/Sharphound allows us to visually map out an Active Directory Environment using graphical analysis tools and data collectors written in C# and PowerShell.
TCP Ports
| Protocol | Acronym | Port | Description |
|---|---|---|---|
| Telnet | Telnet | 23 | Remote login service |
| Secure Shell | SSH | 22 | Secure remote login service |
| Simple Network Management Protocol | SNMP | 161-162 | Manage network devices |
| Hyper Text Transfer Protocol | HTTP | 80 | Used to transfer webpages |
| Hyper Text Transfer Protocol Secure | HTTPS | 443 | Used to transfer secure webpages |
| Domain Name System | DNS | 53 | Lookup domain names |
| File Transfer Protocol | FTP | 20-21 | Used to transfer files |
| Trivial File Transfer Protocol | TFTP | 69 | Used to transfer files |
| Network Time Protocol | NTP | 123 | Synchronize computer clocks |
| Simple Mail Transfer Protocol | SMTP | 25 | Used for email transfer |
| Post Office Protocol | POP3 | 110 | Used to retrieve emails |
| Internet Message Access Protocol | IMAP | 143 | Used to access emails |
| Server Message Block | SMB | 445 | Used to transfer files |
| Network File System | NFS | 111, 2049 | Used to mount remote systems |
| Bootstrap Protocol | BOOTP | 67, 68 | Used to bootstrap computers |
| Kerberos | Kerberos | 88 | Used for authentication and authorization |
| Lightweight Directory Access Protocol | LDAP | 389 | Used for directory services |
| Remote Authentication Dial-In User Service | RADIUS | 1812, 1813 | Used for authentication and authorization |
| Dynamic Host Configuration Protocol | DHCP | 67, 68 | Used to configure IP addresses |
| Remote Desktop Protocol | RDP | 3389 | Used for remote desktop access |
| Network News Transfer Protocol | NNTP | 119 | Used to access newsgroups |
| Remote Procedure Call | RPC | 135, 137-139 | Used to call remote procedures |
| Identification Protocol | Ident | 113 | Used to identify user processes |
| Internet Control Message Protocol | ICMP | 0-255 | Used to troubleshoot network issues |
| Internet Group Management Protocol | IGMP | 0-255 | Used for multicasting |
| Oracle DB (Default/Alternative) Listener | oracle-tns | 1521/1526 | The Oracle database default/alternative listener is a service that runs on the database host and receives requests from Oracle clients. |
| Ingres Lock | ingreslock | 1524 | Ingres database is commonly used for large commercial applications and as a backdoor that can execute commands remotely via RPC. |
| Squid Web Proxy | http-proxy | 3128 | Squid web proxy is a caching and forwarding HTTP web proxy used to speed up a web server by caching repeated requests. |
| Secure Copy Protocol | SCP | 22 | Securely copy files between systems |
| Session Initiation Protocol | SIP | 5060 | Used for VoIP sessions |
| Simple Object Access Protocol | SOAP | 80, 443 | Used for web services |
| Secure Socket Layer | SSL | 443 | Securely transfer files |
| TCP Wrappers | TCPW | 113 | Used for access control |
| Internet Security Association and Key Management Protocol | ISAKMP | 500 | Used for VPN connections |
| Microsoft SQL Server | ms-sql-s | 1433 | Used for client connections to the Microsoft SQL Server. |
| Kerberized Internet Negotiation of Keys | KINK | 892 | Used for authentication and authorization |
| Open Shortest Path First | OSPF | 89 | Used for routing |
| Point-to-Point Tunneling Protocol | PPTP | 1723 | Used to create VPNs |
| Remote Execution | REXEC | 512 | This protocol is used to execute commands on remote computers and send the output of commands back to the local computer. |
| Remote Login | RLOGIN | 513 | This protocol starts an interactive shell session on a remote computer. |
| X Window System | X11 | 6000 | It is a computer software system and network protocol that provides a graphical user interface (GUI) for networked computers. |
| Relational Database Management System | DB2 | 50000 | RDBMS is designed to store, retrieve and manage data in a structured format for enterprise applications such as financial systems, customer relationship management (CRM) systems. |
UDP Ports
| Protocol | Acronym | Port | Description |
|---|---|---|---|
| Domain Name System | DNS | 53 | It is a protocol to resolve domain names to IP addresses. |
| Trivial File Transfer Protocol | TFTP | 69 | It is used to transfer files between systems. |
| Network Time Protocol | NTP | 123 | It synchronizes computer clocks in a network. |
| Simple Network Management Protocol | SNMP | 161 | It monitors and manages network devices remotely. |
| Routing Information Protocol | RIP | 520 | It is used to exchange routing information between routers. |
| Internet Key Exchange | IKE | 500 | Negotiates the security associations and keys used by IPsec. |
| Bootstrap Protocol | BOOTP | 68 | It is used to bootstrap hosts in a network. |
| Dynamic Host Configuration Protocol | DHCP | 67 | It is used to assign IP addresses to devices in a network dynamically. |
| Telnet | TELNET | 23 | It is a text-based remote access communication protocol. |
| MySQL | MySQL | 3306 | It is an open-source database management system. |
| Terminal Server | TS | 3389 | It is a remote access protocol used for Microsoft Windows Terminal Services by default. |
| NetBIOS Name | netbios-ns | 137 | It is used in Windows operating systems to resolve NetBIOS names to IP addresses on a LAN. |
| Microsoft SQL Server | ms-sql-m | 1434 | Used for the Microsoft SQL Server Browser service. |
| Universal Plug and Play | UPnP | 1900 | It is a protocol for devices to discover each other on the network and communicate. |
| PostgreSQL | PGSQL | 5432 | It is an object-relational database management system. |
| Virtual Network Computing | VNC | 5900 | It is a graphical desktop sharing system. |
| X Window System | X11 | 6000-6063 | It is a computer software system and network protocol that provides GUI on Unix-like systems. |
| Syslog | SYSLOG | 514 | It is a standard protocol to collect and store log messages on a computer system. |
| Internet Relay Chat | IRC | 194 | It is a real-time Internet text messaging (chat) or synchronous communication protocol. |
| OpenPGP | OpenPGP | 11371 | It is a protocol for encrypting and signing data and communications. |
| Internet Protocol Security | IPsec | 500 | IPsec provides secure, encrypted communication. It is commonly used in VPNs to create a secure tunnel between two devices. |
| Internet Key Exchange | IKE | 11371 | It is a protocol for encrypting and signing data and communications. |
| X Display Manager Control Protocol | XDMCP | 177 | XDMCP is a network protocol that allows a user to remotely log in to a computer running X11. |