![[sliver-banner.png|center]]

Published: 10/25/23

By [Steven Peterson](https://www.linkedin.com/in/steven--peterson)
Chief Hacking Officer at White Box Security

## Introduction

Cobalt Strike is the de facto standard for C2 frameworks, which is both good and bad. It is very customizable, has good documentation, and has tons of community tooling. One of the significant drawbacks of this popularity is the number of detections and signatures written for all aspects of Cobalt Strike. For good reason, the Sliver C2 framework has grown in popularity and use. Sliver is an excellent C2 alternative to Cobalt Strike.

Sliver was created about 5 years ago by Bishop Fox. It is an open-source C2 framework available on [GitHub](https://github.com/BishopFox/sliver). It is written in Go and was designed with operational security as the foundation. We started using it at WBS about a year ago. It began with us testing it in our labs but quickly changed to using it on engagements. Many fantastic features make Sliver a great framework.

This will be the first of a series of posts on Sliver. The series will cover everything from basic operations to advanced features and then customization. There will be ongoing posts as we test and customize Sliver.

## Architecture

To start, let's dive into Sliver's setup and initial operation. Sliver uses a client (operator) and server architecture, similar to CS. There is a C2 server (a team server in CS terms), which implants call back to over the various C2 channels. Operators also connect to the C2 server to create listeners, interact with the implants, etc.

![Sliver C2 Architecture](https://user-images.githubusercontent.com/43555923/59543161-56a38c00-8ebe-11e9-8eb2-ecea457976d1.png)

One of the advantages of using Go is that the Sliver client and Sliver server binaries can be cross-compiled for many different OSs and architectures. Sliver can run on Linux, Mac, and Windows. The best part is you don't need Java installed to run them!
![[no-java.png|center]]

## Server Setup

We recommend using a Linux distro for running the C2 server, but that is a personal preference. We typically use Kali for our C2 server. The easiest way to get the Sliver binaries is to use the Bishop Fox bash one-liner, `curl https://sliver.sh/install|sudo bash` (https://github.com/BishopFox/sliver#linux-one-liner).

![[curl-bash.png|center]]

There are other ways to get the binaries for those uncomfortable piping curl into sudo bash. One option is the one-liner we created for our [Azure Sliver Terraform](https://github.com/WhiteBoxSec/Kali-Sliver-Azure-Terraform/blob/9c860a98c461a7f0ee38345eed7dd63535ecee0e/main.tf#L186C6-L188C213).

```bash
# My dumb one-liner to download the latest Sliver client and server. There is probably a better way to do this.
wget -O sliver-client_linux -q $(curl -s 'https://api.github.com/repos/BishopFox/sliver/releases/latest' | awk -F '\"' '/browser_download_url/{print $4}' | grep sliver-client_linux | grep -iv 'sig')
wget -O sliver-server_linux -q $(curl -s 'https://api.github.com/repos/BishopFox/sliver/releases/latest' | awk -F '\"' '/browser_download_url/{print $4}' | grep sliver-server_linux | grep -iv 'sig')
```

The pre-compiled binaries are available from [GitHub](https://github.com/BishopFox/sliver/releases/tag/v1.5.41). Download the version, OS, and CPU arch you want.

Sliver can also be installed with apt on Kali. Keep an eye on the versions. Kali is sometimes not up to date with the latest version on GitHub.

```bash
sudo apt install sliver -y
```

![[kali-apt-install.png|center]]

Once the server binary is in place, run it with `./sliver-server_linux`. The C2 server is now up and running! This is all that is needed to start testing out Sliver. However, we recommend enabling multiplayer mode and connecting to the C2 server as an operator. The operator client can be run on the C2 server or connected remotely.
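
For the manual download route in this section, the one-liner filters the signature assets out with `grep -iv 'sig'`. The added example below (not from the original post or the Sliver project) keeps each binary paired with its signature asset and fails closed when the pair is incomplete; the sample JSON, the `example.invalid` URLs, and the `<binary>.sig` naming are constructed assumptions.

```bash
# Added example: select a release binary together with its signature asset
# from the GitHub "latest release" JSON instead of discarding the signature.

# Constructed sample of the API response. Placeholder tag and URLs; the
# "<binary>.sig" naming is an assumption. The server signature is left out
# on purpose to show the fail-closed path.
sample_release_json() {
cat <<'EOF'
{
  "tag_name": "vX.Y.Z",
  "assets": [
    { "name": "sliver-client_linux",
      "browser_download_url": "https://example.invalid/dl/sliver-client_linux" },
    { "name": "sliver-client_linux.sig",
      "browser_download_url": "https://example.invalid/dl/sliver-client_linux.sig" },
    { "name": "sliver-client_linux-arm64",
      "browser_download_url": "https://example.invalid/dl/sliver-client_linux-arm64" },
    { "name": "sliver-server_linux",
      "browser_download_url": "https://example.invalid/dl/sliver-server_linux" }
  ]
}
EOF
}

# Print every browser_download_url found in the JSON on stdin.
list_asset_urls() {
  awk -F '"' '/"browser_download_url"/ {print $4}'
}

# pick_asset NAME: print the one URL whose last path component is exactly
# NAME. A substring grep would also match "-arm64" builds and ".sig" files.
pick_asset() {
  local name=$1 urls
  urls=$(list_asset_urls | awk -F '/' -v n="$name" '$NF == n')
  [ -n "$urls" ] && [ "$(printf '%s\n' "$urls" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$urls"
}

# pick_pair NAME: print the binary URL, then its signature URL.
# Returns non-zero if either one is missing or ambiguous.
pick_pair() {
  local name=$1 json bin sig
  json=$(cat)
  bin=$(printf '%s\n' "$json" | pick_asset "$name") || { echo "no unique asset: $name" >&2; return 1; }
  sig=$(printf '%s\n' "$json" | pick_asset "$name.sig") || { echo "no signature for: $name" >&2; return 1; }
  printf '%s\n%s\n' "$bin" "$sig"
}

sample_release_json | pick_pair sliver-client_linux
```

Against the live API, pipe `curl -s 'https://api.github.com/repos/BishopFox/sliver/releases/latest'` into `pick_pair`, download both URLs, and verify the binary against the signature with the project's published key before running it.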
![[sliver-server.png|center]]

## Client Setup

There are two steps to enabling operators to connect to the C2 server. The first is enabling multiplayer mode. Run `multiplayer -L <listening IP> -p` on the server. The `-p` flag makes multiplayer mode persist if the Sliver server binary is restarted. Next, generate a config for an operator to connect to the Sliver server:

```Sliver
new-operator -l <server IP or hostname> -n <name of operator> -s <name and location to save config file>
```

![[sliver-multiplayer.png|center]]

Copy the file or the file contents over to the operator's system. The file contains the server's connection information and the authentication certificates. The operator and C2 server authenticate with certificates on both sides, making a secure communication channel.

![[sliver-config.png|center]]

Import the config using the Sliver client binary on the operator's system.

```bash
./sliver-client_linux import steven-lab
```

![[sliver-import.png|center]]

Then, run the client to connect to the server.

```shell
./sliver-client_linux
```

![[sliver-client.png|center]]

The Sliver server and client setup is complete!

![[Pasted image 20231025100513.png]]

Next, [[Sliver C2 Channels]]

---

![[Circle.jpg|200]]