The document provides an introduction to command and control (C2) operations using Sliver, a software developed by BishopFox for penetration testing and red teaming. It outlines the Cyber Kill Chain framework, detailing the attack lifecycle stages, and explains the components and functionalities of Sliver, including its server, client, and beaconing processes. Additionally, it discusses the installation and setup of Sliver, emphasizing the importance of operational security and the ability for multiple operators to collaborate.

Uploaded by

Vvvvvvb
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
588 views139 pages

Intro To C2 Operations With Sliver

The document provides an introduction to command and control (C2) operations using Sliver, a software developed by BishopFox for penetration testing and red teaming. It outlines the Cyber Kill Chain framework, detailing the attack lifecycle stages, and explains the components and functionalities of Sliver, including its server, client, and beaconing processes. Additionally, it discusses the installation and setup of Sliver, emphasizing the importance of operational security and the ability for multiple operators to collaborate.

Uploaded by

Vvvvvvb
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 139


Intro to C2 Operations with Sliver


Introduction to C2s and Sliver
A command and control (C2) server is software tasked to execute commands or binaries on
a remote computer, or a network of computers. The primary focus of a C2 is to have a
centralized management system where the operator can manage access to other machines
somewhere in the network. An operator is the one who carries out the (simulated) attack and
manages the software. The access can be gained in multiple ways, be it a SQL Injection
vulnerability, weak credentials on different services such as SSH, RDP, or access to the
initial machine (foothold) given by the client for a red team engagement or a penetration test.
The term "red team" refers to a group of people specializing in researching different ways
of getting into systems, refining tools, and staying a step ahead of defenders.

A C2 server facilitates the creation of a specific executable, and once it is on the target
machine, establishes a communication channel between the server and the target when
executed. From here on, we are going to refer to these executables as beacons.

Predominantly, C2 servers are used by the red team. It is a focused, goal-oriented security
testing approach to achieve specific objectives. The objectives closely follow the Cyber Kill
Chain.

Attack Lifecycle
Developed by Lockheed Martin in 2011, the Cyber Kill Chain framework categorizes the
attack lifecycle of cyber operations into seven steps.

Attack Lifecycle: Description

Reconnaissance: starts with gathering as much information as possible about the
target. It can be active reconnaissance (actively interacting with the
target) or passive reconnaissance. Such recon can include active
scanning, gathering information about the victim's hosts/identity or
the network, and searching through the open and deep web.

Weaponization: characterizes the process of developing the payload that
allows foothold access.

Delivery: constitutes the stage when one has found a way of transferring the
payload onto the target.

Exploitation: the step where one executes the payload on the target.

Installation: the step during which the adversary establishes initial control over
the target.

Command and Control (C2): constitutes the step wherein one has established a connection from
the target to the command and control server.

Actions on Objectives: the step where one starts carrying out the intended goals, whether
data theft or exfiltration.

One important aspect not mentioned in the Cyber Kill Chain is Operational Security,
known as OpSec. It is the practice by which an adversary minimizes their footprint to hide their
presence on target systems.

Sliver
Sliver is a command and control software developed by BishopFox. Used by penetration
testers and red teamers, its client, server, and beacons (known as implants) are written in
Golang - making it easy to cross-compile for different platforms.

Sliver has implants, beacons, and stagers. Implants are the software
(binaries/executables) used to preserve an entry onto a target, facilitated by a command and
control server.
Beaconing is the process of communicating from the target host to the command and
control server at a set interval.
A stager is a way of loading code onto a remote machine. It is mostly used
to execute a small piece of code (the stager) that in turn loads a different, larger piece of code.
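Beaconing at a set interval is exactly what a defender can look for: callbacks from an implant arrive with a regular spacing (plus whatever jitter the implant adds), while human-driven traffic is bursty. The script below is an added example, not code from the module or from Sliver; it parses a few constructed proxy-style log lines (the hosts, IPs and timestamps are made up) and flags source/destination pairs whose inter-arrival times have a low coefficient of variation.

```python
"""Detect periodic (beacon-like) callbacks in outbound connection logs.

Added example for the beaconing concept; not part of the original module or of Sliver.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 calls back to c2.example.invalid roughly every 60 s with ~10% jitter
# (assumed implant); 10.0.0.7 browses a site at irregular intervals (assumed user).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 c2.example.invalid 512
2024-01-01T10:00:58 10.0.0.5 c2.example.invalid 498
2024-01-01T10:02:03 10.0.0.5 c2.example.invalid 530
2024-01-01T10:03:01 10.0.0.5 c2.example.invalid 505
2024-01-01T10:04:04 10.0.0.5 c2.example.invalid 511
2024-01-01T10:05:00 10.0.0.5 c2.example.invalid 502
2024-01-01T10:00:12 10.0.0.7 news.example.invalid 20480
2024-01-01T10:00:15 10.0.0.7 news.example.invalid 1024
2024-01-01T10:07:40 10.0.0.7 news.example.invalid 51200
2024-01-01T10:09:02 10.0.0.7 news.example.invalid 300
2024-01-01T10:31:30 10.0.0.7 news.example.invalid 7000
2024-01-01T10:31:33 10.0.0.7 news.example.invalid 600
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    # pstdev / mean: a fixed interval with modest jitter scores low, bursty traffic high.
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.25):
    """Flag (src, dst) pairs whose callbacks are suspiciously regular."""
    results = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            results.append({"src": src, "dst": dst,
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"[beacon?] {hit['src']} -> {hit['dst']} "
              f"every ~{hit['interval_s']}s (cv={hit['cv']})")
```

The thresholds (`min_connections`, `max_cv`) are assumptions for the sample data; on real proxy or NetFlow data they need tuning, and an implant with large jitter or a long sleep will push the coefficient of variation up and require a longer observation window.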

Sliver can be installed using the Linux one-liner in the GitHub repository or by downloading
Sliver's server and client separately from the releases. The server can be used as a single
point of connection both for beacons and for operators, having the ability to host multiple
operators at the same time. A downside of not running a separate server and client is that everything
runs inside a single Sliver process, meaning that if you accidentally terminate the process, you
might lose the beacons or sessions. One of the most important features of Sliver is its
Armory, a library of precompiled .NET binaries that can be executed on the victim machine,
helping us minimize the footprint.

Delving into the following module sections, we will be exposed to different tools,
methodologies, and scenarios, primarily targeting Active Directory and Windows systems.

Setting Up
Sliver is developed and actively updated by BishopFox. The installation we are going to
follow throughout the module focuses on utilizing the pre-compiled binaries, each having

their separate responsibilities. Sliver's Server component has the important role of
serving as the location implants will communicate back to, and Sliver's Client
component has the role of being the location where the user executes the commands and tools
needed to fulfill their objectives. Sliver can also be installed using a Linux one-liner script.
One of the drawbacks of that approach is that one can accidentally use the Ctrl + C key
combination and risk losing every callback previously established. A callback is the term
used when an implant has been executed on the target system and is actively
communicating back to the server.

Having that in mind and knowing that Sliver is mostly command line based, we execute
commands and other actions from the command line interface of the C2.

Sliver, like any other command and control software, can be deployed on a different host
than the operator, and depending on the required infrastructure, can also be positioned in a
remote network. Additionally, its multiplayer mode has advantages
whenever it comes to a multi-operator engagement.

Installation
Running a Sliver Server allows multiple operators to join, allowing them to streamline their
activities in one place. Visiting the GitHub releases page of Sliver, we can see that the
authors have provided pre-compiled versions of the server and client components for
various operating systems.

Server setup
Installing both components is relatively easy: we must download the respective binary
based on the operating system we are using, which in our case is Linux.

wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux
chmod +x ./sliver-server_linux

Upon the first start of the server component, it could take up to a few minutes to finish
unpacking the assets. A critical method of differentiating the Server and Client
components of Sliver is the prefixes in the CLI.

./sliver-server_linux

Sliver Copyright (C) 2022 Bishop Fox


This program comes with ABSOLUTELY NO WARRANTY; for details type 'licenses'.
This is free software, and you are welcome to redistribute it
under certain conditions; type 'licenses' for details.

Unpacking assets ...

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain infect


[*] Server v1.5.41 - f2a3915c79b31ab31c0c2f0428bbd53d9e93c54b
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

[server] sliver >

As with any other tool, every person using it must be aware of the commands and their
usage. The help command can be used in the console to get a more comprehensive list of
the available commands.

[server] sliver > help

Commands:
=========
clear clear the screen
exit exit the shell
help use 'help [command]' for command help
monitor Monitor threat intel platforms for Sliver implants
wg-config Generate a new WireGuard client config
wg-portfwd List ports forwarded by the WireGuard tun interface
wg-socks List socks servers listening on the WireGuard tun interface

Generic:
========
aliases List current aliases
armory Automatically download and install extensions/aliases
background Background an active session
beacons Manage beacons
builders List external builders
canaries List previously generated canaries
cursed Chrome/electron post-exploitation tool kit (∩
