Sliver

ABOUT

Sliver is a command and control (C2) framework for covertly managing and controlling remote systems. With it, security professionals, red teams, and penetration testers establish an encrypted, reliable channel to target machines over mutual TLS, HTTP(S), DNS, or WireGuard, then execute commands, gather information, and perform post-exploitation tasks. The framework offers a console interface, broad functionality, and implants for multiple operating systems and CPU architectures, which makes it a staple of offensive security operations.

ARCHITECTURE

             In          ┌───────────────┐ C2
┌─────────┐  Memory      │               │ Protocol  ┌─────────┐
│ Server  ├─────────────►│ Sliver Server ├──────────►│ Implant │
│ Console │              │               │           └─────────┘
└─────────┘              └───────┬───────┘
                                 │ gRPC/mTLS
                            ┌────┴────┐
                            │ Sliver  │
                            │ Client  │
                            └─────────┘

Server

The Sliver server is part of the sliver-server executable (the same binary also provides the server console). It manages the internal database and starts and stops network listeners, C2 listeners among others. All functionality is exposed through the gRPC interface, which is the main way of interacting with the server. By default the server only starts an in-memory gRPC listener that can be reached from the server console alone; in multiplayer mode the gRPC interface is additionally exposed on the network over mutual TLS (mTLS) so that remote clients can connect.

Client

The Sliver client is where an operator runs the commands and tools needed to reach their objectives. When several operators share one server, each of them installs the client and connects to the server's network-exposed gRPC listener (multiplayer mode).

Both the server and the client have their own console. The server console is the client console plus server-only features (such as operator management), so the syntax is largely the same in both.

Implant

[DOCS]

The implant is the code that runs on the target system you want remote access to. A Sliver implant is a stage-2 payload written in Go and statically compiled, so the resulting file is relatively large; when size matters, deliver it with a stager.

Sliver implants support two modes of operation: "beacon mode" and "session mode". Beacon mode implements an asynchronous communication style where the implant periodically checks in with the server, retrieves tasks, executes them, and returns the results. In "session mode" the implant will create an interactive real-time session using either a persistent connection or long polling depending on the underlying C2 protocol.

A beacon can be tasked to open an interactive session with the interactive command, but only over a C2 protocol it was compiled with: a beacon built without HTTP C2 cannot open a session over HTTP. Use the close command to end the session. Implants initially compiled for session mode currently cannot be converted to beacon mode.

Stager

[DOCS]

Because implants are large (around 10 MB), you may sometimes need a stager to get the implant onto a target. A stager is a small loader that downloads the implant shellcode from a remote location, such as the C2 server, and then executes it in memory.

Armory

The Armory is Sliver's package manager for aliases and extensions: it provides ready-to-use tools (many of them .NET binaries) so operators do not have to build them. The drawback is detection: these are public tools that AV/EDR products know well, so expect them to be flagged unless their internals are modified to evade signatures.

OPERATORS

In both the server and the client console, help followed by any command prints detailed information about it: a short description, its arguments, and its flags.

Adding an operator

Sliver identifies each operator by a profile generated on the server (the new-operator command in the server console, or the sliver-server operator subcommand). The -l (--lhost) parameter is the address the operator's client will connect to, so it must be the server's IP or hostname as reachable from the operator's workstation.

Setting up a client
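The two steps above as one script: generate an operator profile on the server host, expose the gRPC listener (multiplayer mode), and import the profile on the operator's workstation. This is an added example, not code from the page or from the Sliver project. It assumes sliver-server and sliver-client are on PATH; the operator name zerocool and the address 10.0.0.5 are placeholders; SLIVER_DRY_RUN is a convention of this script only (print commands instead of running them), not a Sliver feature; and the key list in check_profile follows the JSON layout of sliver-client profiles as I know it (operator, token, lhost, lport, ca_certificate, certificate, private_key), which you should verify against a profile produced by your own server version.

```shell
#!/bin/sh
# Added example: provision a Sliver multiplayer operator and import the
# profile on the client side. Not part of the page or the Sliver project.
# Assumes sliver-server / sliver-client are on PATH; names and addresses
# are placeholders. SLIVER_DRY_RUN is this script's own convention: when
# set, commands are printed instead of executed.
set -eu

# Execute a command, or only print it when SLIVER_DRY_RUN is set.
run() {
    if [ -n "${SLIVER_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Path convention used by this script for the generated profile.
operator_cfg_path() {
    printf './%s_%s.cfg\n' "$1" "$2"
}

# Server host: generate the operator profile. lhost/lport must be the
# address on which the operator's client will reach the gRPC listener
# (the same value -l/--lhost takes in the console's new-operator command).
# The profile bundles the mTLS CA, the operator's client certificate and
# private key, and the auth token, so treat it like an SSH private key.
create_operator() {
    local name="$1" lhost="$2" lport="${3:-31337}" cfg
    cfg=$(operator_cfg_path "$name" "$lhost")
    run sliver-server operator --name "$name" --lhost "$lhost" --lport "$lport" --save "$cfg"
    run chmod 600 "$cfg"
}

# Server host: expose the gRPC interface on the network (multiplayer mode).
# Runs in the foreground. The systemd unit installed by the Linux one-liner
# already runs the daemon, so skip this step on such an install.
start_multiplayer() {
    local lhost="${1:-0.0.0.0}" lport="${2:-31337}"
    run sliver-server daemon --lhost "$lhost" --lport "$lport"
}

# Sanity-check a profile before handing it to an operator. Key names follow
# the sliver-client JSON profile layout as I know it (assumption; compare
# with a profile from your server version). Returns non-zero on failure.
check_profile() {
    local cfg="$1" key
    [ -s "$cfg" ] || { echo "profile $cfg is missing or empty" >&2; return 1; }
    for key in operator token lhost lport ca_certificate certificate private_key; do
        grep -q "\"$key\"" "$cfg" || { echo "profile $cfg lacks \"$key\"" >&2; return 1; }
    done
}

# Operator workstation: import the profile (sliver-client stores it under
# ~/.sliver-client/configs/), then start sliver-client to connect.
import_profile() {
    local cfg="$1"
    check_profile "$cfg"
    run sliver-client import "$cfg"
}
```

Run create_operator on the server host, move the resulting .cfg to the operator over a trusted channel, and run import_profile on their workstation. Whoever holds that file can authenticate to the gRPC listener as that operator, which is why the script restricts its permissions immediately after generation.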

INSTALLATION

You can install Sliver either from the GitHub Releases [LINK] or with the Linux one-liner.

GitHub Releases

Linux one-liner

If you install Sliver via the one-liner, you can check that the server service is running with systemctl status sliver. The service is not enabled to start on boot by default, so after a reboot start it again with systemctl start sliver (or enable it once with systemctl enable sliver).

RESOURCES