01 Reconnaissance

After getting the initial access to a Windows environment, the commands are used for the Reconnaissance.
Operating System
User
Network
Dumping Windows Credentials
# Systeminfo
systeminfo
hostname 
​
# Hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn
​
# Read Environment Variable
Get-ChildItem Env: | ft Key,Value
​
# Installed Software
reg query HKEY_LOCAL_MACHINE\SOFTWARE
# To see what tokens we have 
whoami /priv
​
# What users/localgroups are on the machine?
net users
Get-LocalUser | ft Name,Enabled,LastLogon
net localgroups
Get-LocalGroup | ft Name
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
net user morph3
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
​
# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain
# Connected drives
net use
wmic logicaldisk get caption,description,providername
​
# Network information
ipconfig /all
route print
arp -A
​
# Recursive string scan
findstr /spin "password" *.*
findstr /i /s "password" *.* 
gci  -recurse –include *.txt | select Fullname 
​
# Search for writeable directories
dir /a-r-d /s /b
dir abc.txt /s /p 
​
# Running processes
tasklist /SVC
​
# Network connections
netstat -ano
​
Dumping Windows Credentials
[email protected]
Windows Privilege Escalation Guide

Penetration Testing Checklists - Previous

Mobile Application PenTest

Next - Red Team (Windows)

02 Privileges Escalation

Last modified 5mo ago

Copy link