01 Reconnaissance
January 2022
After gaining initial access to a Windows environment, the following commands are used for reconnaissance.
Operating System
User
Network
Dumping Windows Credentials
# Systeminfo
systeminfo
hostname
# Hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Read Environment Variable
Get-ChildItem Env: | ft Key,Value
# Installed Software
reg query HKEY_LOCAL_MACHINE\SOFTWARE
# Token privileges of the current user
whoami /priv
# What users/localgroups are on the machine?
net users
Get-LocalUser | ft Name,Enabled,LastLogon
net localgroup
Get-LocalGroup | ft Name
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
net user morph3
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain
# Connected drives
net use
wmic logicaldisk get caption,description,providername
# Network information
ipconfig /all
route print
arp -a
# Recursive string scan
findstr /spin "password" *.*
findstr /i /s "password" *.*
gci -recurse -include *.txt | select Fullname
# Directories without the read-only attribute (candidate writeable directories)
dir /a-r-d /s /b
# Locate a file by name anywhere under the current directory tree
dir abc.txt /s /p
# Running processes
tasklist /SVC
# Network connections
netstat -ano
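As an added example (not part of the original notes), a small Python detector that maps process-creation command lines to the recon commands listed above and flags a user who runs several distinct kinds of them within a short window; the log records are constructed, and the category names, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (timestamp, user, command line); not real logs.
SAMPLE_EVENTS = [
    ("2022-01-10T09:01:02", "CORP\\jdoe", "systeminfo"),
    ("2022-01-10T09:01:05", "CORP\\jdoe", "whoami /priv"),
    ("2022-01-10T09:01:09", "CORP\\jdoe", "net user jdoe /domain"),
    ("2022-01-10T09:01:15", "CORP\\jdoe", "net group Administrators /domain"),
    ("2022-01-10T09:01:40", "CORP\\jdoe", 'findstr /si "password" *.*'),
    ("2022-01-10T09:02:10", "CORP\\jdoe",
     'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon"'),
    ("2022-01-10T11:30:00", "CORP\\svc_backup", "ipconfig /all"),
]

# Recon categories (assumed names) derived from the commands in these notes.
RECON_PATTERNS = [
    ("host_enum", re.compile(r"^\s*(systeminfo|hostname)\b", re.I)),
    ("priv_enum", re.compile(r"whoami\s+/priv", re.I)),
    ("domain_enum", re.compile(r"\bnet\s+(user|group)\b.*\s/domain\b", re.I)),
    ("local_group_enum", re.compile(r"(net\s+localgroup\b|Get-LocalGroup(Member)?\b)", re.I)),
    ("autologon_creds", re.compile(r"reg\s+query\b.*\\Winlogon", re.I)),
    ("password_grep", re.compile(r"findstr\b.*password", re.I)),
    ("net_enum", re.compile(r"^\s*(ipconfig|route\s+print|arp\s+-a|netstat\s+-ano|net\s+use)\b", re.I)),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # distinct categories per user before alerting

def classify(cmdline):
    """Return the recon category of a command line, or None if it matches nothing."""
    for name, pattern in RECON_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None

def find_recon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map user -> sorted categories for users whose recon activity inside one
    window spans at least `threshold` distinct categories."""
    per_user = defaultdict(list)  # user -> [(timestamp, category)]
    for ts, user, cmd in events:
        cat = classify(cmd)
        if cat:
            per_user[user].append((datetime.fromisoformat(ts), cat))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= threshold:
                alerts[user] = sorted(cats)
                break
    return alerts
```

Feeding real 4688 or Sysmon event 1 command lines into the same function gives a per-user view of the enumeration sequence rather than isolated single-command hits.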