In network infrastructure penetration tests if we manage to exploit one system then it is easy to obtain information for the network that this system is part of.This information is important because in almost every network penetration test the ultimate goal is to become domain administrator and in order to achieve that it is necessary to know the appropriate commands that will help us to gather information about the network that we are already inside.In this article we will see how we can gather information about windows networks that we are conducting the penetration test from the system that we have already exploited.

Lets say that we have exploited a windows system and we want to know more about the network that this system belongs to.The first and most common command is of course the ipconfig /all which it will display to us all the information about the network adapters of the host and the Windows IP configuration as the picture below is showing:

ipconfig /all
ipconfig /all


Another command is the ipconfig /displaydns which it will display the contents of local DNS cache.

Display Local DNS Cache
Display Local DNS Cache


Systems in internal networks most of the times contain shared folders which can be listed with the command net share.

System Shares
System Shares


We might also want to discover other internal networks that exist by examining the machine routing table with the command route print.

Routing Table


The ARP -A command will list all the systems that are currently in the machine’s ARP table helping us to discover other valid hosts.

ARP Table


We can also use the network diagnostic command of the system to obtain information about operating system,network adapters,network clients and other network configuration with the command netsh diag show all.

network diagnostic
network diagnostic


Another information that is important to learn about the host that we have exploited is to see which other hosts are on the same workgroup.The command that we will need to type is the net view.

Discover Hosts on the same workgroup
Discover Hosts on the same workgroup


Last but not least the netstat command can be used with the parameters -n -a -o to display all the active connections along with the IP addresses and process ID of each connection.

Active Connections
Active Connections



In this article we saw some common commands and their output that can be used for post exploitation activities in Windows networks.The majority of these commands will help us to identify new hosts and network shares which can lead us to compromise further systems on the network.


  1. How about these tricks?
    1. net use x: \\server\share “” /u:
    2. net user username password /ADD /DOMAIN
    3. net group “Domain Admins” username /ADD /DOMAIN
    4. net user username password /ADD
    5. net localgroup Administrators username /ADD

  2. I would strongly disagree with this statement:

    “This information is important because in almost every network penetration test the ultimate goal is to become domain administrator”

    On the tests I do they are more usually target orientated, for example access a key piece of information, modify some data, demonstrate potential business impact of a compromise .I can’t really remember a job where a client has specifically set the goal of gaining domain admin.

    It definitely helps with the rest of the job if you are DA but it shouldn’t really be the ultimate goal.

  3. Maybe I didn’t express this correctly as I didn’t had either clients that they set this goal in meetings before the engagements.A pen test can be considered successful if the objectives that the client sets are met,right?However my view is that in infrastructure penetration tests if you have the chance to become Domain Admin you should take it.So from that point this can be the ultimate goal for penetration testers and we must almost try our possibilities to achieve this even if sometimes this it is not necessary or it can’t be achieved due to other parameters and restrictions.

  4. I think if you can achieve your objectives without becoming DA then you shouldn’t do it. If the client sets you the goal of acquiring financial information and you find it on an open share on an accountants machine then you take it and it is game over. If the domain controller has ms08-067 on it then you wouldn’t pop a shell and add a DA account just to say you also got DA.

    The ultimate goal is to meet the clients objectives, a lot of testers have a personal goal of getting DA as it makes them feel they have beaten the admin but that is different.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s