c2

package
v0.0.6-alpha

This package is not in the latest version of its module.
Published: Jun 13, 2019 License: GPL-3.0 Imports: 36 Imported by: 0

README

C2

The c2 package contains the server-side command and control implementations. This code talks to the sliver binary (client implementations are in sliver/transports). The currently supported protocols are mutual-TLS, HTTP(S), and DNS.

mTLS - tcp-mtls.go

Mutual-TLS is the recommended default transport mechanism for Sliver implants; it provides robust security and throughput. mTLS does require the implant to route TCP traffic directly to the internet, which may not be desirable depending on the target environment. mTLS connections are authenticated and encrypted using per-binary X.509 certificates (ECDSA) that are embedded into the implant at compile time. Certificates are signed by a per-server-instance ECDSA certificate authority that is generated the first time you execute the server binary. Only TLS v1.2 is supported, and the only cipher suite enabled is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

HTTP(S) - tcp-http.go

Sliver makes little distinction between HTTP and HTTPS C2 communication. This is because the C2 protocol implements its own sub-HTTP authenticated encryption scheme and does not rely upon the HTTPS connection's certificate for security or authenticity. Therefore, secure communication is possible over HTTPS connections with valid or invalid certificates, as well as over "unencrypted" HTTP. By default Sliver uses long-polling over HTTP 1.1 to achieve near-realtime communication over HTTP(S). System proxy settings are respected when present; however, if the implant fails to connect using the system proxy settings, it will also attempt a direct connection.

Sliver will attempt the following HTTP(S) connections per C2 domain:

  • HTTPS via proxy
  • HTTPS without proxy
  • HTTP via proxy
  • HTTP without proxy
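
For defenders, that fixed order is visible in egress logs. The Go example below is added here and is not Sliver code: it flags host/domain pairs whose attempts in merged proxy and firewall logs follow the listed order. The `Attempt` schema, `FlagFallback`, and the sample hosts and domains are assumptions constructed for illustration.

```go
package main

import "fmt"

// Attempt is one outbound connection attempt merged from proxy and egress
// firewall logs. The schema is an assumption made for this example.
type Attempt struct {
	Host, Domain, Scheme string
	ViaProxy             bool
}

// order is the per-domain attempt order from the list above.
var order = []Attempt{
	{Scheme: "https", ViaProxy: true}, {Scheme: "https", ViaProxy: false},
	{Scheme: "http", ViaProxy: true}, {Scheme: "http", ViaProxy: false},
}

// FlagFallback walks the log in time order and returns each "host->domain" pair
// once it completes minSteps steps of order, in sequence from the first step.
func FlagFallback(log []Attempt, minSteps int) []string {
	progress := map[string]int{} // pair -> number of steps matched so far
	var flagged []string
	for _, a := range log {
		pair := a.Host + "->" + a.Domain
		i := progress[pair]
		if i < len(order) && a.Scheme == order[i].Scheme && a.ViaProxy == order[i].ViaProxy {
			progress[pair] = i + 1
			if i+1 == minSteps { // reached exactly once per pair
				flagged = append(flagged, pair)
			}
		} // retries and out-of-order attempts do not advance the pair
	}
	return flagged
}

// sampleLog is constructed data: ws-17 falls through all four steps, ws-30
// retries once without the proxy, ws-22 is ordinary proxied traffic.
var sampleLog = []Attempt{
	{"ws-17", "updates.example.test", "https", true},
	{"ws-22", "intranet.example.test", "https", true},
	{"ws-17", "updates.example.test", "https", false},
	{"ws-17", "updates.example.test", "https", false},
	{"ws-30", "cdn.example.test", "https", true},
	{"ws-17", "updates.example.test", "http", true},
	{"ws-30", "cdn.example.test", "https", false},
	{"ws-17", "updates.example.test", "http", false},
}

func main() { fmt.Println(FlagFallback(sampleLog, 4)) }
```

Lowering `minSteps` to 2 also catches the proxy-then-direct retry, which is all that appears when the direct connection succeeds. A production rule would additionally bound the attempts to a time window.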

DNS - udp-dns.go

DNS C2 is the slowest protocol but can offer various evasion properties. However, the current implementation is optimized for speed and stability, not for stealth. A stealthier version of the DNS implementation is planned for future versions of Sliver.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func StartDNSListener

func StartDNSListener(domains []string, canaries bool) *dns.Server

StartDNSListener - Start a DNS listener

func StartMutualTLSListener

func StartMutualTLSListener(bindIface string, port uint16) (net.Listener, error)

StartMutualTLSListener - Start a mutual TLS listener

func StartTCPListener

func StartTCPListener(bindIface string, port uint16, data []byte) (net.Listener, error)

StartTCPListener - Start a TCP listener

Types

type DNSSession

type DNSSession struct {
	ID          string
	Sliver      *core.Sliver
	Key         cryptography.AESKey
	LastCheckin time.Time
	// contains filtered or unexported fields
}

DNSSession - Holds DNS session information

type HTTPHandler

type HTTPHandler func(resp http.ResponseWriter, req *http.Request)

HTTPHandler - Path mapped to a handler function

type HTTPServerConfig

type HTTPServerConfig struct {
	Addr    string
	LPort   uint16
	Domain  string
	Website string
	Secure  bool
	Cert    []byte
	Key     []byte
	ACME    bool
}

HTTPServerConfig - Config data for servers

type HTTPSession

type HTTPSession struct {
	ID      string
	Sliver  *core.Sliver
	Key     cryptography.AESKey
	Started time.Time
	// contains filtered or unexported fields
}

HTTPSession - Holds data related to a sliver c2 session

type SendBlock

type SendBlock struct {
	ID   string
	Data []string
}

SendBlock - Data is encoded and split into `Blocks`

type SliverHTTPC2

type SliverHTTPC2 struct {
	HTTPServer      *http.Server
	Conf            *HTTPServerConfig
	Sessions        *httpSessions
	SliverShellcode []byte // Sliver shellcode to serve during staging process
	Cleanup         func()
}

SliverHTTPC2 - Holds refs to all the C2 objects

func StartHTTPSListener

func StartHTTPSListener(conf *HTTPServerConfig) *SliverHTTPC2

StartHTTPSListener - Start an HTTP(S) listener, this can be used to start both HTTP/HTTPS depending on the caller's conf
