# Useful built-in commands for Windows reconnaissance

- `arp -a` - display the [[ARP]] cache (find other machines on the network!)
- `cmdkey /list` - show saved credentials
- `driverquery` - list installed drivers
- `hostname` - return the system hostname
- [[net|net accounts]] - local machine (password/lockout) policies
- [[net|net accounts /domain]] - domain policies
- [[net|net group]] - list domain groups
- [[net|net group "Domain Admins" /domain]] - list domain admins
- [[net|net localgroup]] - list all (local) groups
- [[net|net localgroup administrators]] - list local admins
- [[net|net share]] - list all shares (made available by the current machine)
- [[net|net start]] - list all running services (lots!)
- [[net|net user]] - list all (local) users
- [[net|net user $USERNAME]] - get details for user `$USERNAME`
- [[netstat]] - query open/listening ports
- `query session` - list other users who are currently logged in
- [[reg]] - query (and manipulate) registry entries
- [[Exploit Windows services|sc]] - query (and manipulate) services (conflicts with a PowerShell built-in: in PowerShell `sc` is an alias for `Set-Content`, so run `sc.exe` explicitly)
- [[Exploit Windows tasks|schtasks]] - list scheduled tasks
- [[systeminfo]] - return system info (OS version, patches, hardware)
- [[whoami|whoami /groups]] - list the current user's groups
- [[whoami|whoami /priv]] - current user and their privileges