
Useful built in commands for Windows reconnaissance

Monday, May 5, 2025 · 1 min read

Tags: OS/Windows, AttackCycle/Reconnaissance, Application/arp, Application/cmdkey, Application/driverquery, Application/hostname, Application/net, Application/query, Application/reg, OS/Windows/Services, OS/Windows/Tasks, Application/systeminfo, Application/whoami

  • arp -a — display the ARP cache (find other machines on the network!)
  • cmdkey /list — show saved credentials (target and user names only; the stored secrets are not displayed)
  • driverquery — list installed drivers
  • hostname — return system hostname
  • net accounts — local machine policies
  • net accounts /domain — domain policies
  • net group — list domain groups
  • net group "Domain Admins" /domain — list domain admins
  • net localgroup — list all (local) groups
  • net localgroup administrators — list local admins
  • net share — list all shares (made available by the current machine)
  • net start — list all running services (lots!)
  • net user — list all (local) users
  • net user $USERNAME — get details for user $USERNAME
  • netstat — query open/listening ports (netstat -ano adds the owning process ID)
  • query session — list other users who are currently logged in
  • reg — query (and manipulate) registry entries
  • sc — query (and manipulate) services (conflicts with a PowerShell built-in: in PowerShell `sc` is an alias for Set-Content, so call `sc.exe` explicitly)
  • schtasks — list scheduled tasks
  • systeminfo — return system info
  • whoami /groups — list current user’s groups
  • whoami /priv — current user's privileges, with each one's enabled/disabled state
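A defender-side check for the list above, added here and not part of the original page: it reads process-creation records (Event ID 4688 style, in an assumed one-line format with constructed sample lines) and flags any account that ran four or more distinct discovery built-ins from this list within five minutes, while leaving isolated lookups alone.

```python
# Added example, not from the original page: flag a burst of the discovery
# built-ins listed above, per account, from process-creation (Event ID 4688
# style) records. The one-line record format and sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Process names from the list above (lower-case, without .exe).
DISCOVERY_CMDS = {"arp", "cmdkey", "driverquery", "hostname", "net", "net1", "netstat",
                  "query", "reg", "sc", "schtasks", "systeminfo", "whoami"}
# Assumed record format: "<ISO time> user=<account> image=<path> cmdline=<args>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$")

SAMPLE_LOG = """\
2025-05-05T10:00:01 user=CORP\\jdoe image=C:\\Windows\\System32\\whoami.exe cmdline=whoami /priv
2025-05-05T10:00:03 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline=net localgroup administrators
2025-05-05T10:00:04 user=CORP\\jdoe image=C:\\Windows\\System32\\net1.exe cmdline=net1 localgroup administrators
2025-05-05T10:00:07 user=CORP\\jdoe image=C:\\Windows\\System32\\systeminfo.exe cmdline=systeminfo
2025-05-05T10:00:09 user=CORP\\jdoe image=C:\\Windows\\System32\\cmdkey.exe cmdline=cmdkey /list
2025-05-05T10:00:12 user=CORP\\jdoe image=C:\\Windows\\System32\\ARP.EXE cmdline=arp -a
2025-05-05T10:30:00 user=CORP\\svc_mon image=C:\\Windows\\System32\\hostname.exe cmdline=hostname
2025-05-05T11:00:00 user=CORP\\svc_mon image=C:\\Windows\\System32\\netstat.exe cmdline=netstat -ano
"""

def parse(log):
    """Yield (timestamp, account, process name) for records in the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        name = m["image"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        yield datetime.fromisoformat(m["ts"]), m["user"], name

def find_recon_bursts(log, window=timedelta(minutes=5), threshold=4):
    """Return {account: sorted distinct commands} for accounts that ran at least
    `threshold` distinct discovery built-ins inside any `window`-long span.
    net.exe hands most subcommands to net1.exe, so net1 is folded into net."""
    per_user = defaultdict(list)
    for ts, user, name in parse(log):
        if name in DISCOVERY_CMDS:
            per_user[user].append((ts, "net" if name == "net1" else name))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {n for t, n in events[i:] if t - start <= window}
            if len(seen) >= threshold:  # the two spaced-out svc_mon lookups stay quiet
                hits[user] = sorted(seen)
                break
    return hits
```

Calling `find_recon_bursts(SAMPLE_LOG)` reports CORP\jdoe with arp, cmdkey, net, systeminfo and whoami; the svc_mon account never reaches the threshold.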
