c2

package v1.0.3-beta

This package is not in the latest version of its module.

Published: Jun 8, 2020 License: GPL-3.0 Imports: 37 Imported by: 5

README

C2

The c2 package contains the server-side command and control implementations. This code talks to the sliver binary (client implementations are in sliver/transports). The currently supported protocols are mutual-TLS, HTTP(S), and DNS.

mTLS - tcp-mtls.go

Mutual-TLS is the recommended default transport mechanism for Sliver implants; it provides robust security and throughput. mTLS does require the implant to route TCP traffic directly to the internet, which may not be desirable depending on the target environment. mTLS connections are authenticated and encrypted using per-binary ECDSA X.509 certificates that are embedded into the implant at compile time. Certificates are signed using a per-server-instance ECDSA certificate authority that is generated the first time you execute the server binary. Only TLS v1.2 is supported, and the only cipher suite enabled is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
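As an added illustration of the TLS properties described above (example code, not part of the Sliver project), the following Go program generates a throwaway ECDSA CA, issues a server and a client certificate from it, and pins both ends of a mutual-TLS handshake to TLS 1.2 with TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and mandatory client-certificate verification. The certificate names, the 24-hour validity window and the in-memory pipe are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues an ECDSA P-256 certificate for cn; parent == nil yields a self-signed CA
// (standing in for the per-server-instance CA described above). Errors panic for brevity.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey any) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, parentKey = tmpl, key } // self-sign the CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// strictConfig pins TLS 1.2 and the single ECDHE-ECDSA AES-256-GCM suite and requires the
// peer's certificate to chain to ca; the same config is used on both ends of the connection.
func strictConfig(cert tls.Certificate, ca *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: ca, ClientCAs: ca, ServerName: "server",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
		ClientAuth:   tls.RequireAndVerifyClientCert}
}

// mtlsHandshake runs server and client over an in-memory pipe and reports the negotiated
// protocol version, cipher suite, and whether the server verified the client's chain.
func mtlsHandshake() (version, suite uint16, clientVerified bool, err error) {
	ca := newCert("ca", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	sConn, cConn := net.Pipe()
	srv := tls.Server(sConn, strictConfig(newCert("server", false, ca.Leaf, ca.PrivateKey), pool))
	cli := tls.Client(cConn, strictConfig(newCert("client", false, ca.Leaf, ca.PrivateKey), pool))
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	if err = cli.Handshake(); err != nil { return }
	if err = <-done; err != nil { return }
	st := srv.ConnectionState()
	return st.Version, st.CipherSuite, len(st.VerifiedChains) > 0, nil
}
```

A peer that presents no certificate, or one not signed by this CA, fails the handshake at the server before any application data is exchanged.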

HTTP(S) - tcp-http.go

Sliver makes little distinction between HTTP and HTTPS C2 communication. This is because the C2 protocol implements its own sub-HTTP authenticated encryption scheme and does not rely upon the HTTPS connection's certificate for security or authenticity. Therefore, secure communication is possible over HTTPS connections with valid or invalid certificates, as well as over "unencrypted" HTTP. By default Sliver uses long-polling over HTTP 1.1 to achieve near-realtime communication over HTTP(S). System proxy settings are respected when present; however, if the implant fails to connect using the system proxy settings it will also attempt a direct connection.

Sliver will attempt the following HTTP(S) connections per C2 domain:

  • HTTPS via proxy
  • HTTPS without proxy
  • HTTP via proxy
  • HTTP without proxy

DNS - udp-dns.go

DNS C2 is the slowest protocol but can offer various evasion properties. However, the current implementation is optimized for speed and stability, not for stealth. A stealthier version of the DNS implementation is planned for future versions of Sliver.

Documentation

Constants

This section is empty.

Variables
var (

	// Pivots - holds the pivots, provides atomic access
	Pivots = &PivotsMap{
		Pivots: &map[uint32]*core.Session{},
		mutex:  &sync.RWMutex{},
	}
)

Functions

func HandlePivotClose

func HandlePivotClose(session *core.Session, data []byte)

HandlePivotClose - Handles a PivotClose message

func HandlePivotData

func HandlePivotData(session *core.Session, data []byte)

HandlePivotData - Handles a PivotData message

func HandlePivotOpen

func HandlePivotOpen(session *core.Session, data []byte)

HandlePivotOpen - Handles a PivotOpen message

func StartDNSListener

func StartDNSListener(domains []string, canaries bool) *dns.Server

StartDNSListener - Start a DNS listener

func StartMutualTLSListener

func StartMutualTLSListener(bindIface string, port uint16) (net.Listener, error)

StartMutualTLSListener - Start a mutual TLS listener

func StartPivotListener

func StartPivotListener() error

StartPivotListener - Starts listening for pivot messages

func StartTCPListener

func StartTCPListener(bindIface string, port uint16, data []byte) (net.Listener, error)

StartTCPListener - Start a TCP listener

Types

type DNSSession

type DNSSession struct {
	ID          string
	Session     *core.Session
	Key         cryptography.AESKey
	LastCheckin time.Time
	// contains filtered or unexported fields
}

DNSSession - Holds DNS session information

type HTTPHandler

type HTTPHandler func(resp http.ResponseWriter, req *http.Request)

HTTPHandler - Path mapped to a handler function

type HTTPServerConfig

type HTTPServerConfig struct {
	Addr    string
	LPort   uint16
	Domain  string
	Website string
	Secure  bool
	Cert    []byte
	Key     []byte
	ACME    bool
}

HTTPServerConfig - Config data for servers

type HTTPSession

type HTTPSession struct {
	ID      string
	Session *core.Session
	Key     cryptography.AESKey
	Started time.Time
	// contains filtered or unexported fields
}

HTTPSession - Holds data related to a sliver c2 session

type HTTPSessions

type HTTPSessions struct {
	// contains filtered or unexported fields
}

HTTPSessions - All currently open HTTP sessions

func (*HTTPSessions) Add

func (s *HTTPSessions) Add(session *HTTPSession)

Add - Add an HTTP session

func (*HTTPSessions) Get

func (s *HTTPSessions) Get(sessionID string) *HTTPSession

Get - Get an HTTP session

func (*HTTPSessions) Remove

func (s *HTTPSessions) Remove(sessionID string)

Remove - Remove an HTTP session

type PivotsMap

type PivotsMap struct {
	Pivots *map[uint32]*core.Session
	// contains filtered or unexported fields
}

PivotsMap - Manages the pivots, provides atomic access

func (*PivotsMap) AddSession

func (h *PivotsMap) AddSession(pivotID uint32, session *core.Session)

AddSession - Add a session to the hive (atomically)

func (*PivotsMap) RemoveSession

func (h *PivotsMap) RemoveSession(pivotID uint32)

RemoveSession - Remove a session from the hive (atomically)

func (*PivotsMap) Session

func (h *PivotsMap) Session(pivotID uint32) *core.Session

Session - Get Session by ID

type SendBlock

type SendBlock struct {
	ID   string
	Data []string
}

SendBlock - Data is encoded and split into `Blocks`

type SliverHTTPC2

type SliverHTTPC2 struct {
	HTTPServer   *http.Server
	Conf         *HTTPServerConfig
	HTTPSessions *HTTPSessions
	SliverStage  []byte // Sliver shellcode to serve during staging process
	Cleanup      func()
	// contains filtered or unexported fields
}

SliverHTTPC2 - Holds refs to all the C2 objects

func StartHTTPSListener

func StartHTTPSListener(conf *HTTPServerConfig) (*SliverHTTPC2, error)

StartHTTPSListener - Start an HTTP(S) listener; this can be used to start both HTTP and HTTPS depending on the caller's conf

TODO: Better error handling, configurable ACME host/port

func (*SliverHTTPC2) DefaultRespHeaders

func (s *SliverHTTPC2) DefaultRespHeaders(next http.Handler) http.Handler

DefaultRespHeaders - Configures default response headers
