Introduction to Command and Control

This chapter focuses on the Command and Control (C2) stage of the Cyber Kill Chain, which then leads to the threat actor completing the Actions on Objective phase of the cyber-attack. As an aspiring penetration tester, it is essential to understand the fundamentals of performing C2 operations from a threat actor’s perspective. This technique also helps penetration testers determine whether their clients’ security solutions are sufficient to detect a real-world cyber-attack and stop a threat actor’s C2 operation. ...

November 24, 2025 · 1 min · 101 words · 0x-s0M3n4th

Introduction to Post Exploitation

Post-exploitation is the phase that occurs after an attacker or penetration tester has successfully compromised a system. Unlike the initial exploitation stage, which focuses on gaining entry, post-exploitation is about leveraging that access to achieve specific objectives. Post-exploitation refers to all the operations that are performed after gaining initial access to the target system. It is done to further gain control of the target system and network. Detailed intro coming soon ...

November 24, 2025 · 1 min · 72 words · 0x-s0M3n4th

Attacking Active Directory

We will perform various lateral movement and vertical movement techniques. Vertical movement allows a penetration tester to escalate their privileges within a network, whereas lateral movement focuses on using the same user privileges across multiple systems on the network. Lateral movement with CrackMapExec: power on Kali, THEPUNISHER and Windows Server 2022. We will perform a pass-the-password attack using the password of the user fcastle across the entire domain. Make sure you have installed CrackMapExec on your Kali. 1. Use the following command: crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1. CrackMapExec performs SMB enumeration on the targeted network using the credentials, then prints the Pwn3d! marker to show that the machine has been compromised with that username and password. 2. Retrieve the SAM database from the Windows devices across the domain using the following command: ...

November 24, 2025 · 4 min · 769 words · 0x-s0M3n4th

Use Cases of Command and Control

Threat actors and Advanced Persistent Threat (APT) groups are always thinking about clever techniques and strategies to compromise their next target. A technique that is commonly used by threat actors is implementing C2 operations to centrally manage compromised hosts over the internet. A threat actor will set up one or more C2 servers on the internet that serve the purpose of centrally managing infected and compromised systems, uploading data from the compromised hosts, and downloading additional malware onto newly infected devices. Note: these C2 servers also serve as update servers for malware such as ransomware. When ransomware infects a new device, most malware is designed to establish a connection to designated C2 servers on the internet to download updates, which ensures that cybersecurity professionals are not able to eradicate or remove the malware infection from the host. ...

November 24, 2025 · 3 min · 479 words · 0x-s0M3n4th

Anti-Malware Evasion Techniques

The following techniques are used by antimalware solutions to detect potential threats: signature-based detection, behavior-based detection and heuristic-based detection. Platforms for performing static malware analysis: https://www.virustotal.com/ https://cuckoo.cert.ee/ https://app.any.run/ Encoding payloads with MSFvenom: Metasploit Framework Venom (MSFvenom) is commonly used by penetration testers to craft custom payloads for performing exploitation, remote code execution (RCE), and privilege escalation on targeted systems. RCE allows an attacker to run arbitrary code on a target machine or in a target process without having physical access to the machine. In addition, this tool enables the penetration tester to perform encoding and obfuscation by altering the appearance of the payload without changing its functionality. These methods are commonly used to evade threat detection systems such as IDSs and IPSs. ...

November 24, 2025 · 3 min · 543 words · 0x-s0M3n4th

Gaining Access by Exploiting SSH

Now, after misconfiguring SSH, we will exploit it using some basic techniques. Scanning the target Windows server. Performing user enumeration: 1. Open msfconsole. 2. Once it's loaded, use the ssh_enumusers module: use auxiliary/scanner/ssh/ssh_enumusers. 3. Settings: this didn't give any results because the OpenSSH server is hardened; modern SSH servers are patched against this. If this were an actual pentest we would have hit a wall, but since we know the username and password, we can try login brute-force attacks ...

November 24, 2025 · 1 min · 160 words · 0x-s0M3n4th

Setting Up C2 Operations

C2 OPERATION: 1. Power on the main Kali Linux virtual machine (not the clone) and open the Terminal. 2. Use the ifconfig eth0 command (substitute whichever interface you are using as NAT) to determine the IP address on the eth0 interface as shown below. This IP address will act as the Empire server, while the clone VM will act as the Empire client. 3. Start the MariaDB service in the Kali VM (not the clone). 4. Next, use the following command to start the Empire server on the main Kali Linux virtual machine: sudo powershell-empire server. 5. Next, power on the Empire client (clone of Kali Linux) virtual machine and use the following commands to edit the Empire client configuration file to insert the Empire server information: ...

November 24, 2025 · 7 min · 1442 words · 0x-s0M3n4th

Creating Custom Payloads With Shellter

Shellter is an antimalware evasion tool that is commonly used by ethical hackers and penetration testers to automate the process of creating and encoding custom payloads to evade threat detection systems. Shellter handles the generation of shellcode and injects it into a trusted Microsoft Windows 32-bit application. When the custom payload is executed on a targeted system, the trusted files are executed as if the application is benign, but the custom payload (shellcode) is executed in the background within the memory space. ...

November 24, 2025 · 3 min · 619 words · 0x-s0M3n4th

Leveraging Network-Based Trust in AD

While this section focuses on exploiting the trust of the Active Directory roles and services within a Windows environment, there are several types of attacks, such as pass-the-hash, that exploit the security vulnerabilities found within the protocols of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. When we talk about TCP/IP, we are often referring to network-related technologies and devices. However, the protocols within TCP/IP can be found in the operating system and the applications running on a host device as well. ...

November 24, 2025 · 9 min · 1895 words · 0x-s0M3n4th

DNS Tunneling

How does DNS tunneling work? It's a step-by-step process that relies on the openness of DNS to carry other traffic without detection. Here's how it works, step by step: 1. The attacker registers a domain: the domain, like badsite.com, is controlled by the attacker and points to a server they own. 2. The attacker infects a computer: they use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel. 3. The client sends a DNS query: the infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request. 4. The query reaches the DNS resolver: the DNS resolver forwards the request to the appropriate servers to resolve the domain name. 5. The attacker's server decodes the request: the attacker's server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses. 6. The server encodes a response: the attacker's server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out. 7. The client receives and decodes the response: the infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed. 8. The process repeats as needed: if the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response. Attackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling, which handle the encoding and decoding of data within DNS packets. ...

November 24, 2025 · 3 min · 451 words · 0x-s0M3n4th