Windows Post Exploitation

Did you just exploit a windows machine and you don’t know what to do next?

Here’s a quick list that helps you to start:

Command Prompt Commands

whoami /all

Lists the current user, SID, user privileges, and groups.

ipconfig /all and

ipconfig /displaydns

Display information regarding the network interface, connectivity protocols, and local DNS cache.

netstat -bnao and

netstat -r

List the ports and connections with corresponding processes (-b) to no lookups (-n), all connections (-a), and parent process IDs (-o). The -r option displays the routing table. They require administrator rights to run.

net view and

net view /domain

Queries NBNS/SMB to locate all of the hosts in the current workgroup or domain. All of the domains available to the host are given by /domain .

net user /domain

Lists all of the users in the defined domain.

net user %username% /domain

Obtains information on the current user if they are part of the queried domain (if you are local user, then /domain is not required). It includes the login times, the last time that the password was changed, the logon scripts, and the group memberships.

net accounts

Prints the password policy for the local system. To print the password policy for the domain, use net accounts /domain.

net localgroup administrators

Prints the members of the administrator’s local group. Use the /domain switch to obtain the administrators for the current domain.

net group “Domain Controllers” /domain

Prints the list of domain controllers for the current domain.

net share

Displays the current shared folders, which may not provide sufficient access controls for the data shared within the

folders, and the paths that they point to.

PowerShell Commands

Get-Host | Select Version

Identifies the version of PowerShell used by the victim’s system. Some cmdlets are added or invoked in different versions.


Identifies the installed security patches and system hotfixes.


Identifies the group names and usernames.

Get-Process, Get-Service

Lists the current processes and services.

gwmi win32_useraccount

Invokes WMI to list the user accounts.


Invokes WMI to list the SIDs, names, and domain groups.

It's only fair to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn