c2

package
v1.5.34 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 5, 2023 License: GPL-3.0 Imports: 46 Imported by: 0

README

C2

The c2 package contains the server-side command and control implementations. This code talks the sliver binary (client implementations are in sliver/transports). The currently supported procotols are mutual-TLS, HTTP(S), and DNS.

mTLS - tcp-mtls.go

Mutual-TLS is the recommended default transport mechanism for Sliver implants, it provides robust security and throughput. mTLS does require the implant to route TCP traffic directly to the internet, which may not be desirable depending on the target environment. mTLS connections are authenticated and encrypted using per-binary X.509 certificates that are embedded into the implant at compile-time (ECDSA). Certificates are signed using a per-server-instance ECDSA certificate authority that is generated the first time you execute the server binary. Only TLS v1.2 is supported, the only cipher suite enabled is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

HTTP(S) - tcp-http.go

Sliver makes little distinction between HTTP and HTTPS C2 communication. This is because the C2 protocol implements it's own sub-HTTP authenticated encryption scheme and does not rely upon the HTTPS connection's certificate for security or authenticity. Therefore, secure communication is possible over a HTTPS connections with valid or invalid certificates, as well as "unencrypted" HTTP. By default Sliver using long-polling over HTTP 1.1 to achieve near-realtime communication over HTTP(S). System proxy setting are respected when present, however if the implant fails to connect using the system proxy settings it will also attempt a direct connection.

Sliver will attempt the following HTTP(S) connections per C2 domain:

  • HTTPS via proxy
  • HTTPS without proxy
  • HTTP via proxy
  • HTTP without proxy

DNS - udp-dns.go

DNS C2 is the slowest protocol but can offer various envasion properties. However, the current implementation is optimized for speed and stability, not for stealth. A stealthier version of the DNS implementation is planned for future versions of Sliver.

Documentation

Index

Constants

View Source 
const (
	DefaultMaxBodyLength   = 2 * 1024 * 1024 * 1024 // 2Gb
	DefaultHTTPTimeout     = time.Minute
	DefaultLongPollTimeout = time.Second
	DefaultLongPollJitter  = time.Second
)

Variables

View Source 
var (
	ErrInvalidMsg         = errors.New("invalid dns message")
	ErrNoOutgoingMessages = errors.New("no outgoing messages")
)
View Source 
var (
	ErrMissingNonce   = errors.New("nonce not found in request")
	ErrMissingOTP     = errors.New("otp code not found in request")
	ErrInvalidEncoder = errors.New("invalid request encoder")
	ErrDecodeFailed   = errors.New("failed to decode request")
	ErrDecryptFailed  = errors.New("failed to decrypt request")
)

Functions

func StartDNSListenerJob 

func StartDNSListenerJob(bindIface string, lport uint16, domains []string, canaries bool, enforceOTP bool) (*core.Job, error)

StartDNSListenerJob - Start a DNS listener as a job

func StartHTTPListenerJob 

func StartHTTPListenerJob(conf *HTTPServerConfig) (*core.Job, error)

StartHTTPListenerJob - Start a HTTP listener as a job

func StartHTTPStagerListenerJob 

func StartHTTPStagerListenerJob(conf *HTTPServerConfig, data []byte) (*core.Job, error)

StartHTTPStagerListenerJob - Start an HTTP(S) stager payload listener

func StartMTLSListenerJob 

func StartMTLSListenerJob(host string, listenPort uint16) (*core.Job, error)

StartMTLSListenerJob - Start an mTLS listener as a job

func StartMutualTLSListener 

func StartMutualTLSListener(bindIface string, port uint16) (net.Listener, error)

StartMutualTLSListener - Start a mutual TLS listener

func StartPersistentJobs 

func StartPersistentJobs(cfg *configs.ServerConfig) error

StartPersistentJobs - Start persistent jobs

func StartTCPListener 

func StartTCPListener(bindIface string, port uint16, data []byte) (net.Listener, error)

StartTCPListener - Start a TCP listener

func StartTCPStagerListenerJob 

func StartTCPStagerListenerJob(host string, port uint16, shellcode []byte) (*core.Job, error)

StartTCPStagerListenerJob - Start a TCP staging payload listener

func StartWGListener 

func StartWGListener(port uint16, netstackPort uint16, keyExchangeListenPort uint16) (net.Listener, *device.Device, *bytes.Buffer, error)

StartWGListener - First creates an inet.af network stack. then creates a Wireguard device/interface and applies configuration. Go routines are spun up to handle key exchange connections, as well as c2 comms connections.

func StartWGListenerJob 

func StartWGListenerJob(listenPort uint16, nListenPort uint16, keyExchangeListenPort uint16) (*core.Job, error)

StartWGListenerJob - Start a WireGuard listener as a job

Types

type DNSSession 

type DNSSession struct {
	ID         uint32
	ImplanConn *core.ImplantConnection
	CipherCtx  *cryptography.CipherContext
	// contains filtered or unexported fields
}

DNSSession - Holds DNS session information

func (*DNSSession) ClearOutgoingEnvelope 

func (s *DNSSession) ClearOutgoingEnvelope(msgID uint32)

ClearOutgoingEnvelope - Clear an outgoing envelope this will generally, but not always, be the first value in the list

func (*DNSSession) ForwardCompletedEnvelope 

func (s *DNSSession) ForwardCompletedEnvelope(msgID uint32, pending *PendingEnvelope)

ForwardCompletedEnvelope - Reassembles and forwards envelopes to core

func (*DNSSession) IncomingPendingEnvelope 

func (s *DNSSession) IncomingPendingEnvelope(msgID uint32, size uint32) *PendingEnvelope

IncomingPendingEnvelope - Get a pending message linked list, creates one if it doesn't exist

func (*DNSSession) OutgoingRead 

func (s *DNSSession) OutgoingRead(msgID uint32, start uint32, stop uint32) ([]byte, error)

OutgoingRead - Read request from implant

func (*DNSSession) PopOutgoingMsgID 

func (s *DNSSession) PopOutgoingMsgID() (uint32, uint32, error)

PopOutgoingMsgID - Pop the next outgoing message ID, FIFO returns msgID, len, err

func (*DNSSession) StageOutgoingEnvelope 

func (s *DNSSession) StageOutgoingEnvelope(envelope *sliverpb.Envelope) error

StageOutgoingEnvelope - Stage an outgoing envelope

type HTTPHandler 

type HTTPHandler func(resp http.ResponseWriter, req *http.Request)

HTTPHandler - Path mapped to a handler function

type HTTPServerConfig 

type HTTPServerConfig struct {
	Addr    string
	LPort   uint16
	Domain  string
	Website string
	Secure  bool
	Cert    []byte
	Key     []byte
	ACME    bool

	MaxRequestLength int

	EnforceOTP      bool
	LongPollTimeout time.Duration
	LongPollJitter  time.Duration
	RandomizeJARM   bool
}

HTTPServerConfig - Config data for servers

type HTTPSession 

type HTTPSession struct {
	ID          string
	ImplantConn *core.ImplantConnection
	CipherCtx   *cryptography.CipherContext
	Started     time.Time
}

HTTPSession - Holds data related to a sliver c2 session

type HTTPSessions 

type HTTPSessions struct {
	// contains filtered or unexported fields
}

HTTPSessions - All currently open HTTP sessions

func (*HTTPSessions) Add 

func (s *HTTPSessions) Add(session *HTTPSession)

Add - Add an HTTP session

func (*HTTPSessions) Get 

func (s *HTTPSessions) Get(sessionID string) *HTTPSession

Get - Get an HTTP session

func (*HTTPSessions) Remove 

func (s *HTTPSessions) Remove(sessionID string)

Remove - Remove an HTTP session

type PendingEnvelope 

type PendingEnvelope struct {
	Size uint32
	// contains filtered or unexported fields
}

PendingEnvelope - Holds data related to a pending incoming message

func (*PendingEnvelope) Insert 

func (p *PendingEnvelope) Insert(dnsMsg *dnspb.DNSMessage) bool

Insert - Pending message, returns true if message is complete

func (*PendingEnvelope) Reassemble 

func (p *PendingEnvelope) Reassemble() ([]byte, error)

Reassemble - Reassemble a completed message

type SliverDNSServer 

type SliverDNSServer struct {
	TTL          uint32
	MaxTXTLength int
	EnforceOTP   bool
	// contains filtered or unexported fields
}

SliverDNSServer - DNS server implementation

func StartDNSListener 

func StartDNSListener(bindIface string, lport uint16, domains []string, canaries bool, enforceOTP bool) *SliverDNSServer

StartDNSListener - Start a DNS listener

func (*SliverDNSServer) HandleDNSRequest 

func (s *SliverDNSServer) HandleDNSRequest(domains []string, canaries bool, writer dns.ResponseWriter, req *dns.Msg)

--------------------------- DNS Handler --------------------------- Handles all DNS queries, first we determine if the query is C2 or a canary

func (*SliverDNSServer) ListenAndServe 

func (s *SliverDNSServer) ListenAndServe() error

ListenAndServe - Listen for DNS requests and respond

func (*SliverDNSServer) Shutdown 

func (s *SliverDNSServer) Shutdown() error

Shutdown - Shutdown the DNS server

type SliverHTTPC2 

type SliverHTTPC2 struct {
	HTTPServer   *http.Server
	ServerConf   *HTTPServerConfig // Server config (user args)
	HTTPSessions *HTTPSessions
	SliverStage  []byte // Sliver shellcode to serve during staging process
	Cleanup      func()
	// contains filtered or unexported fields
}

SliverHTTPC2 - Holds refs to all the C2 objects

func StartHTTPListener 

func StartHTTPListener(conf *HTTPServerConfig) (*SliverHTTPC2, error)

StartHTTPListener - Start an HTTP(S) listener, this can be used to start both 

HTTP/HTTPS depending on the caller's conf

TODO: Better error handling, configurable ACME host/port

func (*SliverHTTPC2) DefaultRespHeaders 

func (s *SliverHTTPC2) DefaultRespHeaders(next http.Handler) http.Handler

DefaultRespHeaders - Configures default response headers

func (*SliverHTTPC2) LoadC2Config 

func (s *SliverHTTPC2) LoadC2Config() *configs.HTTPC2Config

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.