Pentesting & Red Teaming Notes

Recon - Initial Access


Last updated 2 years ago

Who we are

whoami /fqdn
whoami /upn
whoami

What are our privileges and which group do we belong to

whoami /priv
whoami /groups
whoami /all
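Added example (not part of the original notes): a small Python parser for the fixed-width table `whoami /priv` prints, which uses the `=` ruler line to locate the columns and then flags the privileges the notes' Privilege Escalation pages single out (SeBackupPrivilege, SeImpersonatePrivilege, SeDebugPrivilege). The sample output is constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
"""

# Privileges the notes' Privilege Escalation pages single out.
WATCHLIST = {"SeBackupPrivilege", "SeImpersonatePrivilege", "SeDebugPrivilege"}

@dataclass
class Privilege:
    name: str
    description: str
    enabled: bool

def parse_whoami_priv(text: str) -> list[Privilege]:
    """Parse the fixed-width table; the '=' ruler line defines the column spans."""
    lines = text.splitlines()
    ruler = next(l for l in lines if l.startswith("="))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", ruler)]
    privs = []
    for line in lines[lines.index(ruler) + 1:]:
        if not line.strip():
            continue
        name = line[spans[0][0]:spans[0][1]].strip()
        desc = line[spans[1][0]:spans[1][1]].strip()
        state = line[spans[2][0]:].strip()  # last column: slice to end of line
        privs.append(Privilege(name, desc, state.lower() == "enabled"))
    return privs

def triage(privs: list[Privilege]) -> dict[str, bool]:
    """Watchlisted privileges held by the token, mapped to their current state.
    'Disabled' means not currently asserted, not absent: the token still holds it."""
    return {p.name: p.enabled for p in privs if p.name in WATCHLIST}
```

On a Windows host, feed the parser `subprocess.run(["whoami", "/priv"], capture_output=True, text=True).stdout` instead of the constructed sample.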

Systeminfo

systeminfo
hostname

Hotfix and KB information

wmic qfe get Caption,Description,HotFixID,InstalledOn

Antivirus Status

Get-MpComputerStatus

Which users/localgroups are on the machine

net users
net localgroup
net localgroup Administrators
net user morph3

Crosscheck local and domain groups too

net user morph3 /domain
net users /domain
net group "Domain Admins" /domain

Network information

ipconfig /all
route print
arp -a

# Network connections
netstat -ano

Network shares

net view

Logged on users (Get-NetLoggedon is a PowerView cmdlet)

Get-NetLoggedon -ComputerName client251

File - Directory enumerations

Recursive string scan

findstr /spin "password" *.*

To list all the files recursively

dir /a-D /S /B

Search for files without the read-only attribute (the /a-r-d filter excludes read-only files and directories; whether a file is actually writable is still decided by its ACL)

dir /a-r-d /s /b

Running processes

tasklist /SVC

Service related things

To check the permissions user morph3 has on the service vulnsvc (Sysinternals AccessChk)

accesschk.exe /accepteula -uwcqv morph3 vulnsvc
https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1
https://gist.github.com/egre55/db41cc2df355e8591eacff561facf34e