Display os version with the info command

[rkervella]

Is your feature request related to a problem? Please describe.
The current info command does display a lot of useful stuff, but not the actual OS version the Sliver is running on. It could be useful to have that information.

Describe the solution you'd like
Implement some kind of GetVersion function to fill out the gap here. As far as I'm aware, there is currently no cross-platform feature in the standard library to do that, so we would need platform specific code for each.
The windows version could rely on GetVersion, whereas the Linux and Darwin ones could rely on unix.Uname.

Describe alternatives you've considered
Right now the only alternative I can think of is using the shell command to use uname or sysinfo, which is not really OPSEC friendly.

[moloch--]

Yea, I was already running into this when thinking of how to apply https://j00ru.vexillium.org/syscalls/nt/64/

[capnspacehook]

I actually ended up using https://godoc.org/github.com/shirou/gopsutil/host#PlatformInformation for that purpose, works well and supports Windows, Darwin and a bunch of Linux distros

[rkervella]

@capnspacehook thanks for the suggestion, I started a PoC with syscall.GetVersion on windows 10, but looks like it's a fucking mess:

Gonna check gopsutil, see if I can get something working reliably.

[capnspacehook]

Yeah it really is a mess, and gopsutil is pretty reliable

[rkervella]

Alright, RtlGetVersion seems to do the job pretty well, thanks for the pointer !

PS C:\Users\lab\source\repos\win-version> go run .\main.go
syscall.GetVersion(): 6.2 build 9200
RtlGetVersion(): 10 0 18362 2

Since this code will be inside the agent, I don't really want to embed more packages, especially for small tasks like this.

[capnspacehook]

Makes sense, and no problem!

[rkervella]

Alright, got something working for windows, kernel version for Linux, but nothing for macos right now:

sliver > use 2

[*] Active sliver RUDE_RAY (2)

sliver (RUDE_RAY) > info

            ID: 2
          Name: RUDE_RAY
      Hostname: rocket
      Username: lesnuages
           UID: 1000
           GID: 1000
           PID: 858
            OS: linux
       Version: Linux rocket 5.0.16-100.fc28.x86_64
          Arch: amd64
Remote Address: 127.0.0.1:40924

sliver (RUDE_RAY) > use 1

[*] Active sliver IMPLICIT_HATRED (1)

sliver (IMPLICIT_HATRED) > info

            ID: 1
          Name: IMPLICIT_HATRED
      Hostname: DESKTOP-TENOHCP
      Username: DESKTOP-TENOHCP\lab
           UID: S-1-5-21-1310408947-2331606187-3983266644-1001
           GID: S-1-5-21-1310408947-2331606187-3983266644-513
           PID: 9296
            OS: windows
       Version: 10.0 build 18362
          Arch: amd64
Remote Address: 192.168.122.140:51225

sliver (IMPLICIT_HATRED) >

Basic implementation is here

[capnspacehook]

Huh, unix.Uname doesn't work for MacOS?

[rkervella]

No idea, it should, but I don't have a mac os box to test that =/

[moloch--]

Not to worry, I am of the acended MacOS clan:

Code

 package main

 import (
     "fmt"
     "golang.org/x/sys/unix"
 )

 func main() {
     foo := &unix.Utsname{}
     unix.Uname(foo)
     fmt.Printf("    Sysname: %s\n", foo.Sysname)
     fmt.Printf("   Nodename: %s\n", foo.Nodename)
     fmt.Printf("    Release: %s\n", foo.Release)
     fmt.Printf("    Version: %s\n", foo.Version)
     fmt.Printf("    Machine: %s\n", foo.Machine)
 }

Output

➜  Desktop ./test
    Sysname: Darwin
   Nodename: narvi
    Release: 18.6.0
    Version: Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
    Machine: x86_64

[rkervella]

Closed by 23e7987