01 Reconnaissance

January 2022

After getting the initial access to a Windows environment, the commands are used for the Reconnaissance.

Operating System

# Systeminfo
systeminfo
hostname 

# Hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Read Environment Variable
Get-ChildItem Env: | ft Key,Value

# Installed Software
reg query HKEY_LOCAL_MACHINE\SOFTWARE

User

# To see what tokens we have 
whoami /priv

# What users/localgroups are on the machine?
net users
Get-LocalUser | ft Name,Enabled,LastLogon
net localgroups
Get-LocalGroup | ft Name
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
net user morph3
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain

Network

# Connected drives
net use
wmic logicaldisk get caption,description,providername

# Network information
ipconfig /all
route print
arp -A

# Recursive string scan
findstr /spin "password" *.*
findstr /i /s "password" *.* 
gci  -recurse –include *.txt | select Fullname 

# Search for writeable directories
dir /a-r-d /s /b
dir abc.txt /s /p 

# Running processes
tasklist /SVC

# Network connections
netstat -ano

Dumping Windows Credentials

Dumping Windows Credentials130n@calvinlai.com

Windows Privilege Escalation Guide