c2

package
v1.4.20 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 21, 2021 License: GPL-3.0 Imports: 45 Imported by: 7

README

C2

The c2 package contains the server-side command and control implementations. This code talks the sliver binary (client implementations are in sliver/transports). The currently supported procotols are mutual-TLS, HTTP(S), and DNS.

mTLS - tcp-mtls.go

Mutual-TLS is the recommended default transport mechanism for Sliver implants, it provides robust security and throughput. mTLS does require the implant to route TCP traffic directly to the internet, which may not be desirable depending on the target environment. mTLS connections are authenticated and encrypted using per-binary X.509 certificates that are embedded into the implant at compile-time (ECDSA). Certificates are signed using a per-server-instance ECDSA certificate authority that is generated the first time you execute the server binary. Only TLS v1.2 is supported, the only cipher suite enabled is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

HTTP(S) - tcp-http.go

Sliver makes little distinction between HTTP and HTTPS C2 communication. This is because the C2 protocol implements it's own sub-HTTP authenticated encryption scheme and does not rely upon the HTTPS connection's certificate for security or authenticity. Therefore, secure communication is possible over a HTTPS connections with valid or invalid certificates, as well as "unencrypted" HTTP. By default Sliver using long-polling over HTTP 1.1 to achieve near-realtime communication over HTTP(S). System proxy setting are respected when present, however if the implant fails to connect using the system proxy settings it will also attempt a direct connection.

Sliver will attempt the following HTTP(S) connections per C2 domain:

  • HTTPS via proxy
  • HTTPS without proxy
  • HTTP via proxy
  • HTTP without proxy

DNS - udp-dns.go

DNS C2 is the slowest protocol but can offer various envasion properties. However, the current implementation is optimized for speed and stability, not for stealth. A stealthier version of the DNS implementation is planned for future versions of Sliver.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (

	// Pivots - holds the pivots, provides atomic access
	Pivots = &PivotsMap{
		Pivots: &map[uint32]*core.Session{},
		mutex:  &sync.RWMutex{},
	}
)

Functions

func HandlePivotClose 

func HandlePivotClose(session *core.Session, data []byte)

HandlePivotClose - Handles a PivotClose message

func HandlePivotData 

func HandlePivotData(session *core.Session, data []byte)

HandlePivotData - Handles a PivotData message

func HandlePivotOpen 

func HandlePivotOpen(session *core.Session, data []byte)

HandlePivotOpen - Handles a PivotOpen message

func StartDNSListener 

func StartDNSListener(bindIface string, lport uint16, domains []string, canaries bool) *dns.Server

StartDNSListener - Start a DNS listener

func StartDNSListenerJob 

func StartDNSListenerJob(bindIface string, lport uint16, domains []string, canaries bool) (*core.Job, error)

StartDNSListenerJob - Start a DNS listener as a job

func StartHTTPListenerJob 

func StartHTTPListenerJob(conf *HTTPServerConfig) (*core.Job, error)

StartHTTPListenerJob - Start a HTTP listener as a job

func StartHTTPStagerListenerJob 

func StartHTTPStagerListenerJob(conf *HTTPServerConfig, data []byte) (*core.Job, error)

StartHTTPStagerListenerJob - Start an HTTP(S) stager payload listener

func StartMTLSListenerJob 

func StartMTLSListenerJob(host string, listenPort uint16) (*core.Job, error)

StartMTLSListenerJob - Start an mTLS listener as a job

func StartMutualTLSListener 

func StartMutualTLSListener(bindIface string, port uint16) (net.Listener, error)

StartMutualTLSListener - Start a mutual TLS listener

func StartPersistentJobs 

func StartPersistentJobs(cfg *configs.ServerConfig) error

StartPersistentJobs - Start persistent jobs

func StartPivotListener 

func StartPivotListener() error

StartPivotListener - Starts listening for pivot messages

func StartTCPListener 

func StartTCPListener(bindIface string, port uint16, data []byte) (net.Listener, error)

StartTCPListener - Start a TCP listener

func StartTCPStagerListenerJob 

func StartTCPStagerListenerJob(host string, port uint16, shellcode []byte) (*core.Job, error)

StartTCPStagerListenerJob - Start a TCP staging payload listener

func StartWGListener added in v1.4.9 

func StartWGListener(port uint16, netstackPort uint16, keyExchangeListenPort uint16) (net.Listener, *device.Device, *bytes.Buffer, error)

StartWGListener - First ceates an inet.af network stack. then creates a Wireguard device/interface and applies configuration. Go routines are spun up to handle key exchange connections, as well as c2 comms connections.

func StartWGListenerJob added in v1.4.9 

func StartWGListenerJob(listenPort uint16, nListenPort uint16, keyExchangeListenPort uint16) (*core.Job, error)

StartWGListenerJob - Start a WireGuard listener as a job

Types

type DNSSession 

type DNSSession struct {
	ID      string
	Session *core.Session
	Key     cryptography.AESKey
	// contains filtered or unexported fields
}

DNSSession - Holds DNS session information

type HTTPHandler 

type HTTPHandler func(resp http.ResponseWriter, req *http.Request)

HTTPHandler - Path mapped to a handler function

type HTTPServerConfig 

type HTTPServerConfig struct {
	Addr    string
	LPort   uint16
	Domain  string
	Website string
	Secure  bool
	Cert    []byte
	Key     []byte
	ACME    bool
}

HTTPServerConfig - Config data for servers

type HTTPSession 

type HTTPSession struct {
	ID      string
	Session *core.Session
	Key     cryptography.AESKey
	Started time.Time
	// contains filtered or unexported fields
}

HTTPSession - Holds data related to a sliver c2 session

type HTTPSessions 

type HTTPSessions struct {
	// contains filtered or unexported fields
}

HTTPSessions - All currently open HTTP sessions

func (*HTTPSessions) Add 

func (s *HTTPSessions) Add(session *HTTPSession)

Add - Add an HTTP session

func (*HTTPSessions) Get 

func (s *HTTPSessions) Get(sessionID string) *HTTPSession

Get - Get an HTTP session

func (*HTTPSessions) Remove 

func (s *HTTPSessions) Remove(sessionID string)

Remove - Remove an HTTP session

type PivotsMap 

type PivotsMap struct {
	Pivots *map[uint32]*core.Session
	// contains filtered or unexported fields
}

PivotsMap - Mananges the pivots, provides atomic access

func (*PivotsMap) AddSession 

func (h *PivotsMap) AddSession(pivotID uint32, session *core.Session)

AddSession - Add a sliver to the core (atomically)

func (*PivotsMap) RemoveSession 

func (h *PivotsMap) RemoveSession(pivotID uint32)

RemoveSession - Remove a session from the core (atomically)

func (*PivotsMap) Session 

func (h *PivotsMap) Session(pivotID uint32) *core.Session

Session - Get Session by ID

type SendBlock 

type SendBlock struct {
	ID   string
	Data []string
}

SendBlock - Data is encoded and split into `Blocks`

type SliverHTTPC2 

type SliverHTTPC2 struct {
	HTTPServer   *http.Server
	Conf         *HTTPServerConfig
	HTTPSessions *HTTPSessions
	SliverStage  []byte // Sliver shellcode to serve during staging process
	Cleanup      func()
	// contains filtered or unexported fields
}

SliverHTTPC2 - Holds refs to all the C2 objects

func StartHTTPSListener 

func StartHTTPSListener(conf *HTTPServerConfig) (*SliverHTTPC2, error)

StartHTTPSListener - Start an HTTP(S) listener, this can be used to start both 

HTTP/HTTPS depending on the caller's conf

TODO: Better error handling, configurable ACME host/port

func (*SliverHTTPC2) DefaultRespHeaders 

func (s *SliverHTTPC2) DefaultRespHeaders(next http.Handler) http.Handler

DefaultRespHeaders - Configures default response headers

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.