01 Reconnaissance
January 2022
After obtaining initial access to a Windows environment, the following commands are used for reconnaissance. They are grouped by what they enumerate: operating system, user, and network.
Operating System

# System info
systeminfo
hostname

# Hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Read environment variables
Get-ChildItem Env: | ft Key,Value

# Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE

User

# To see what tokens/privileges we have
whoami /priv

# What users/local groups are on the machine?
net users
Get-LocalUser | ft Name,Enabled,LastLogon
net localgroups
Get-LocalGroup | ft Name
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
net user morph3

# Autologon credentials stored in Winlogon (if any)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

# Crosscheck local and domain too
net user morph3 /domain
# Administrators is a domain-local group, so query it with "net localgroup", not "net group"
net localgroup Administrators /domain

Network

# Connected drives
net use
wmic logicaldisk get caption,description,providername

# Network information
ipconfig /all
route print
arp -a

# Recursive string scan
findstr /spin "password" *.*
findstr /i /s "password" *.*
gci -recurse -include *.txt | select Fullname

# Search for writeable directories / files
dir /a-r-d /s /b
dir abc.txt /s /p

# Running processes
tasklist /SVC

# Network connections
netstat -ano
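Seen from the defensive side, the same command list doubles as a detection checklist: every command above runs as a child process and lands in process-creation telemetry (Sysmon Event ID 1, Security 4688). The following is an added example, not part of the original page, that matches constructed Sysmon-style "image | command line" records against patterns derived from the commands listed above and raises an alert when several distinct reconnaissance categories appear from one host. The log format, the category names, the threshold of three categories and the sample events are all assumptions made for the example.

```python
import re

# Constructed sample of Windows process-creation events, one "image | command line"
# record per line (Sysmon Event ID 1 style). These are made-up lines, not real telemetry;
# the username "morph3" is the one used on the page.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe | cmd.exe /c systeminfo',
    r'C:\Windows\System32\whoami.exe | whoami /priv',
    r'C:\Windows\System32\net.exe | net localgroup Administrators',
    r'C:\Windows\System32\net1.exe | net1 user morph3 /domain',
    r'C:\Windows\System32\wbem\WMIC.exe | wmic qfe get Caption,Description,HotFixID,InstalledOn',
    r'C:\Windows\System32\reg.exe | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"',
    r'C:\Windows\System32\findstr.exe | findstr /spin "password" *.*',
    r'C:\Windows\System32\NETSTAT.EXE | netstat -ano',
    r'C:\Windows\System32\notepad.exe | notepad.exe C:\Users\alice\notes.txt',  # benign noise
]

# Detection patterns mirroring the reconnaissance commands on the page. Category names
# are assumptions chosen for this example.
RECON_PATTERNS = [
    ("os_enumeration", re.compile(r"\b(systeminfo|hostname)\b", re.I)),
    ("hotfix_enumeration", re.compile(r"\bwmic\b.*\bqfe\b", re.I)),
    ("privilege_check", re.compile(r"\bwhoami\b.*/priv", re.I)),
    ("account_enumeration", re.compile(r"\bnet1?\s+(user|users|group|localgroup|localgroups)\b", re.I)),
    ("winlogon_autologon_read", re.compile(r"\breg\b.*\bquery\b.*winlogon", re.I)),
    ("password_file_search", re.compile(r"\bfindstr\b.*password", re.I)),
    ("network_enumeration", re.compile(r"\b(ipconfig|route\s+print|arp|netstat)\b", re.I)),
]


def parse_event(line):
    """Split an 'image | command line' record into an (image, cmdline) tuple."""
    image, _, cmdline = line.partition(" | ")
    return image.strip(), cmdline.strip()


def classify(cmdline):
    """Return the names of every recon pattern that matches one command line."""
    return [name for name, rx in RECON_PATTERNS if rx.search(cmdline)]


def score_events(lines, threshold=3):
    """Classify each record; return (hits, distinct categories, alert flag).

    A single enumeration command is normal admin activity, so the alert fires only
    when the number of distinct categories reaches the (assumed) threshold.
    """
    hits = []
    for line in lines:
        image, cmdline = parse_event(line)
        names = classify(cmdline)
        if names:
            hits.append((image, cmdline, names))
    categories = {name for _, _, names in hits for name in names}
    return hits, categories, len(categories) >= threshold


if __name__ == "__main__":
    hits, categories, alert = score_events(SAMPLE_EVENTS)
    for image, cmdline, names in hits:
        print(f"{', '.join(names):28s} {cmdline}")
    print(f"distinct categories: {len(categories)}  alert: {alert}")
```

The threshold-on-categories design is deliberate: matching any one of these commands in isolation would page on every help-desk session, whereas systeminfo, whoami /priv, net user and netstat appearing together within a short window from one host is the post-access pattern this page describes.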