Windows Recon (Cheat Sheet)

2 min readJul 3, 2019


Windows OS Enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Find Goodies

Service Account Credentials within SYSVOL Group Policy Preferences (GPP)

findstr /S /I cpassword \\\sysvol\\policies\*.xml

Find in files and registry

findstr /snip password *.xml *.ini *.txt (quicker than below)
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*dir c:\*vnc.ini /s /bc:\sysprep.inf
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

GPO settings

gpresult /z
gpresult /H (for Pretty HTML output)

Users, Groups and Privileges


net localgroup administrators /domain
net group “Domain Controllers” /domain
net group “Domain Admins” /domain
net group “Enterprise Admins” /domain
net user /domain <UserName>


Get-ADDomainController -filter * | select hostname, operatingsystemGet-ADFineGrainedPasswordPolicy -filter *Get-ADDefaultDomainPasswordPolicyGet-ADUser <UserName>-Properties *Get-ADUser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,EnabledGet-ADGroupMember -identity <GroupName>Get-ADComputer -filter * | select nameGet-GPO -all | select DisplayName, gpostatus

SMB File Shares

Find Hosts with SMB Open (Nmap)

nmap -vv -Pn -n -p 445 -oA smb_hostFormat:
grep open smb_host.gnmap | awk {'print $2'} > smb_up.txt && cat smb_up.txt

Find Open Shares (PowerView)

Invoke-ShareFinder -HostList hosts_with_smb.txt -NoPing -CheckShareAccess | Out-File -Encoding ascii found_shares.txtIf you want to remove the extra formatting of output in found_shares.txt, you can run:
grep -oP "(\s).?\-.*" found_shares.txt > found_shares.txt

Permissions (PowerView)

Invoke-FileFinder -ShareList .\found_shares.txt | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path,Owner,Group,AccessToString | Export-Csv Permissions.csv

Find Interesting file names from Share list (PowerView)

Invoke-FileFinder -ShareList found_shares.txt -Terms confidential, password -Verbose | ForEach-Object {Get-Acl $_.FullName} | Format-List

Batch Script to search for in-file passwords in open shares found from steps above.

@echo off
for /F "tokens=*" %%a in (found_shares.txt) do (
NET USE Z: /delete /y
net use z: “%%a”
echo %%a
echo %%a >> "C:\Temp\output_file.txt"
if exist z:\ ( findstr /snip password * >> "C:\Temp\output_file.txt" )

Use password or hash for authentication (using CrackMapExec)

cme smb -u UserName -H 'LM:NT'
cme smb -u UserName -p 'PASSWORDHERE'