Red Team Toolkit
Windows Post Exploitation Discovery

Last updated 1 year ago


Description

Techniques and tools for post-exploitation discovery using native Windows tools

  • [Tools]

Background

Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.

Techniques

  • Identify the current user ID and privileges

  • Identify network connections (for lateral movement)

  • Identify running processes

  • Identify cron jobs/scheduled tasks

  • Identify whether this is an Active Directory environment; if so, enumerate users/groups/computers, whether in the cloud or on-prem

  • If not AD, then find applications, firewalls, AV

  • Common Windows commands to run on the system:

    • whoami

    • tasklist

    • systeminfo

    • systeminfo && whoami /all

System Info with CMD

| Description | Command | Example |
| --- | --- | --- |
| System info | systeminfo | systeminfo |
| OS name/version | systeminfo | systeminfo \| findstr /B /C:"OS Name" /C:"OS Version" |
| System drives | wmic logicaldisk | wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber |
| Connected devices | wmic logicaldisk | wmic logicaldisk get caption,description,providername |
| System environment table | set | set |
| Running system processes | tasklist | tasklist /v |
| Services running inside each process | tasklist | tasklist /svc |
| Attributes of all running processes | wmic process list | wmic process list full |
| Started Windows services | net start | net start |
| Scheduled jobs | schtasks | schtasks /query /fo LIST /v |
| Windows patches | wmic qfe | wmic qfe get Caption,Description,HotFixID,InstalledOn |
| Installed application names | wmic product | wmic product get name |

Network/Domain Info with CMD

| Description | Command | Example |
| --- | --- | --- |
| IP and interfaces | ipconfig | ipconfig /all |
| Copy IP info to clipboard | ipconfig | ipconfig \| clip |
| Routing table | route | route print |
| ARP table | arp | arp -a |
| Active TCP connections | netstat | netstat -an |
| TCP and UDP activity every 1 second | netstat | netstat -naob 1 \| find "<IPADDR or PORT>" |
| Get domain | echo | echo %USERDOMAIN% |
| Domain logon server | echo | echo %LOGONSERVER% |
| Domain password policy | net | net accounts /domain |
| Local password policy | net | net accounts |
| DC address, domain name, roles | wmic | wmic ntdomain |
| Trusted domains | dsquery | dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection |
| Network shares | net | net share |
| View all hosts in domain/workgroup | net | net view |
| Domain trust info | nltest | nltest /trusted_domains |

Local User Info with CMD

| Description | Command | Example |
| --- | --- | --- |
| Username of current user | whoami or echo %USERNAME% | whoami |
| All whoami access token info | whoami | whoami /all |
| Local users | net | net users |
| Detailed user info | net | net user %USERNAME% |
| Users with RDP sessions | qwinsta | qwinsta |
| Local groups | net | net localgroup |
| Local administrators | net | net localgroup administrators |
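The commands in the three tables above are exactly what a defender wants to see clustered in process-creation telemetry. As an added example (not code from the original page), the Python below turns those tables into a watch list and flags a host/user pair that runs several distinct discovery commands within a short window; the event tuple layout and the sample records are constructed assumptions.

```python
"""Flag bursts of native Windows discovery commands in process-creation logs.
Added example, not from the original page; events are constructed (time, host,
user, image, cmdline) tuples loosely modelled on Security 4688 / Sysmon 1."""
from collections import defaultdict
from datetime import datetime, timedelta
# Watch list taken from the page's tables: (binary, required argument or None).
DISCOVERY = {
    ("whoami.exe", None), ("systeminfo.exe", None), ("tasklist.exe", None),
    ("net.exe", "accounts"), ("net.exe", "share"), ("net.exe", "view"),
    ("net.exe", "user"), ("net.exe", "users"), ("net.exe", "localgroup"),
    ("nltest.exe", "/trusted_domains"), ("qwinsta.exe", None), ("arp.exe", "-a"),
    ("route.exe", "print"), ("ipconfig.exe", None), ("netstat.exe", None),
    ("schtasks.exe", "/query"), ("wmic.exe", "qfe"), ("wmic.exe", "ntdomain"),
}

def classify(image, cmdline):
    """Return the discovery technique an event matches ("binary arg"), or None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    args = cmdline.lower().split()[1:]                 # drop argv[0]
    for binary, arg in DISCOVERY:
        if exe == binary and (arg is None or arg in args):
            return f"{binary} {arg}" if arg else binary
    return None

def find_discovery_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Map (host, user) -> sorted techniques for actors that ran at least
    `threshold` distinct discovery techniques inside any `window`."""
    per_actor = defaultdict(list)
    for time, host, user, image, cmdline in events:
        tech = classify(image, cmdline)
        if tech:  # processes outside the watch list are ignored
            per_actor[(host, user)].append((datetime.fromisoformat(time), tech))
    hits = {}
    for actor, seq in per_actor.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {t for ts, t in seq[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[actor] = sorted(seen)
                break
    return hits

S32 = "C:\\Windows\\System32\\"  # constructed sample: one enumeration burst, one routine check
SAMPLE = [
    ("2024-05-01T09:00:05", "WS01", "CORP\\jdoe", S32 + "whoami.exe", "whoami /all"),
    ("2024-05-01T09:00:20", "WS01", "CORP\\jdoe", S32 + "systeminfo.exe", "systeminfo"),
    ("2024-05-01T09:01:02", "WS01", "CORP\\jdoe", S32 + "net.exe", "net accounts /domain"),
    ("2024-05-01T09:01:40", "WS01", "CORP\\jdoe", S32 + "nltest.exe", "nltest /trusted_domains"),
    ("2024-05-01T09:30:00", "WS02", "CORP\\helpdesk", S32 + "ipconfig.exe", "ipconfig /all"),
]
```

Tune `threshold` and `window` against your own baseline; a single `ipconfig /all` from a helpdesk account is routine, four distinct enumeration commands in under two minutes from one workstation user is not.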

Resources

Awesome Windows Post Exploitation: https://github.com/emilyanncr/Windows-Post-Exploitation

SANS PowerShell Port Scanner: https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/

A simple batch script with these commands: \tools\WinSysEnum.bat

A simple CMD script that outputs these commands to txt is here: \tools\WinUserEnum.bat