Setting up C2 for fun & profit

[rain-kun]

sudo apt-get update && upgrade

- Install the Metasploit framework:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

- Install AutoSSH (used for tunnel connections):

sudo apt-get install autossh

.
- Generate an SSH Key Pair for communication between the Sliver Server and the Proxy:

ssh-keygen

Installation:
- Download and install Sliver:

sudo curl https://sliver.sh/install | sudo bash

- Confirm installation by checking the Sliver Daemon service status:

sudo systemctl status sliver

- Enable the service to start on boot:

sudo systemctl enable sliver

- Verify that Sliver has been installed correctly by running

sudo /root/./sliver-server

Note: Sliver is configured to run as a service, so there's no need to follow guides online regarding enabling the 'Multiplayer' option. This option is enabled by default, and the service will automatically bind to port 31337 when it starts.
Configuring Operators
To configure operators for Sliver, follow these steps. Note that most of these steps require root access.
1. Open a root shell by running:

sudo /bin/bash

2. Navigate to the "Configs" directory:

cd /root/.sliver/configs

This directory stores server configurations.
3. For each operator (individuals who should have access to Sliver), run the following command:

sudo /root/./sliver-server operator --name Operatorname --lhost IP_address_of_server --save Operatorname.cfg

- Replace Operatorname with the desired name for the operator. This name will appear in the Sliver portal when the operator connects or disconnects, and when you run the 'operators' command in the Sliver server console.
- IP_address_of_server should be the IP address where the client will connect to the Sliver server. Use a public IP if the Sliver server is in the cloud or a private IP if it's on-premises.
Installing Sliver Client and Importing Client Configuration
Now, let's set up the Sliver Client and import the client configuration. If you already have a Linux installation (such as Ubuntu or Kali), you can proceed from there.
1. If you don't have a Linux installation, download and install Kali or Ubuntu.
2. Install Sliver by running the following command, which also includes the Sliver Client:

sudo curl https://sliver.sh/install | sudo bash

3. From the Sliver Server, obtain your configuration file. There are a few ways to do this:
- Use 'cat' on the Sliver server to display your specific config file:

cat /root/.sliver/configs/operatorname.cfg

Copy and paste the content into a file on your Sliver client machine.
- Use WinSCP or SCP to copy the config file from the server to your Sliver client machine.
4. Import your configuration into the Sliver client by running:

./sliver-client import /path/to/file/operatorname.cfg

5. Verify that the Sliver client is running by executing either of these commands:

sliver

or

./sliver-client

This will prompt you to select your server from the list. Press Enter, and you should enter the Sliver Server.
Installing the Proxy Server (Redirector/SSH Reverse Tunnel Server)
To set up the proxy server, which will be hosted in a cloud environment, follow these steps. This server will handle incoming connections and pass data over the tunnel to the Sliver Server without storing any data.
1. Install Ubuntu Server in the Cloud
Begin by installing an Ubuntu Server in your chosen cloud environment.
2. Update the Ubuntu Server
Ensure that the Ubuntu Server is up to date by running the following command:

sudo apt-get update && sudo apt-get upgrade

3. Install SoCat
Install the SoCat utility with the following command:

sudo apt-get install socat

4. Copy the Public Key
Copy the public key generated earlier (in step 1.2.1, bullet 4) by running:

cat /home/sliveradmin/.ssh/id_rsa.pub

Paste the copied key into the

authorized_keys

file located on the proxy server in

/home/sliveradmin/.ssh/authorized_keys

5. Firewall Rules
Configure firewall rules to allow the required hosts to check in. Open the following ports based on the ports you intend to communicate over:
- Port 22: Restrict access to Waterstons Head Office and the Sliver Server (Sliver Server IP may change).
- Port 8443: Allow connections to any source.
- Port 8444: Allow connections to any source.
- Port 8888: Allow connections to any source.
- All other ports: Block traffic.
6. Configure SSH Tunnels and Listeners
6.1. Proxy Server
The proxy server will be exposed to the internet and requires listeners to forward traffic over designated SSH tunnels. Currently, SoCat is used for TCP traffic redirection, providing a simple solution.
As SoCat doesn't support multiple listeners in one command, three services have been created:
- Tunnel = 11111, Listener = 8443
- Tunnel = 11112, Listener = 8444
- Tunnel = 11113, Listener = 8888
6.2. Create Services for SoCat
Navigate to

/etc/systemd/system

cd /etc/systemd/system

Create a new service file for each listener. For example:

sudo nano socat11111.service

Copy and paste the service configuration from Appendix B (3.2) into each file. Save the service by pressing

Ctrl + X

Y

, and then

Enter

. Start each service with:

sudo systemctl start socat11111

Check that the ports are listening on the proxy server:

ss -plant

Repeat these steps for the other two services (socat11112 and socat11113) while updating the service name accordingly.
6.3. Sliver Server
On the Sliver Server side, configure reverse port forwarding or tunnels. This establishes an SSH connection to the Proxy Server and sets up tunnels over ports 11111, 11112, and 11113. Any data received on the Sliver Server side is forwarded to ports 8443, 8444, and 8888, respectively (these ports can be customized).
6.4. Create Services for Reverse Tunnels
Navigate to

/etc/system/system

:

cd /etc/system/system

Create a new service file for each tunnel, for instance:

sudo nano reversetunnel.service

Copy and paste the configuration provided below into each file (see Appendix A for customization details):

[Unit]
Description=Reverse SSH connection
After=network.target[Service]
Type=simple
ExecStart=/usr/bin/autossh -nNTg \
-o "ServerAliveCountMax 3" \
-o "ServerAliveInterval 10" \
-o "ExitOnForwardFailure yes" \
-o "StrictHostKeyChecking no" \
-R 11111:localhost:8443 \
-R 11112:localhost:8444 \
-R 11113:localhost:8888 \
-i /home/sliveradmin/.ssh/id_rsa sliveradmin@
Restart=always
RestartSec=30s[Install]
WantedBy=multi-user.target

Make necessary changes to the highlighted sections:
- Modify the tunnel and listener ports as needed. The first port (e.g., 11111) represents the tunnel, while the second port (e.g., 8443) is the listener port on the Sliver Server.
- Adjust the path to the private SSH key and the SSH connection details, replacing "Proxy_Server_IP" with the public IP address of the proxy server and "sliveradmin" with your username.
Save the service by pressing Ctrl + X, Y, and then Enter. Enable the service:

sudo systemctl enable reversetunnel

Start the service:

sudo systemctl start reversetunnel

On the Proxy Server, check that the ports are listening:

ss -plant

These steps guide you through installing and configuring the proxy server, SSH tunnels, and listeners, maintaining all technical details.
Tunnels and Data Transfer Explained
There may be situations where you need to change the default ports (8443 and 8888) for Sliver "Jobs" or listeners. By default, the Sliver server creates three reverse tunnels using SSH from the Proxy server, and SoCat listens on specific public-facing ports, forwarding data over the corresponding SSH tunnel.
In this setup, we have the following tunnels:
Command (Sliver to Proxy) - Sliver (Listen) - Tunnel Port - Proxy (Listen)
- SSH -R 11111:localhost:8443 socat tcp-listen:8443,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11111
- Sliver (Listen): 8443
- Tunnel Port: 11111
- Proxy (Listen): 8443
- SSH -R 11112:localhost:8444 socat tcp-listen:8444,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11112
- Sliver (Listen): 8444
- Tunnel Port: 11112
- Proxy (Listen): 8444
- SSH -R 11113:localhost:8888 socat tcp-listen:8888,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11113
- Sliver (Listen): 8888
- Tunnel Port: 11113
- Proxy (Listen): 8888
How Traffic Flows from an Agent to Sliver
Here's the flow of traffic:
1. Payload is activated on the target machine.
2. The target machine initiates a connection to the Proxy on port 8443.
3. The Proxy, using SoCat, listens on port 8443 and sends the incoming traffic over Tunnel 11111.
4. The Sliver Server listens on port 8443 and receives the data.
5. Once the connection is established, the full agent is downloaded to the target machine from the Sliver Server.
6. Subsequent traffic flows between the agent on the target machine and the Sliver Server through the same established path.
Adding a New Listener Port in Sliver
If you want to add a new listener or "Job" in Sliver, follow these steps:
Changes on Sliver Server
1. Stop the reverse tunnel service: sudo systemctl stop reversetunnel
2. Modify the reversetunnel.service file: sudo nano /etc/system/system/reversetunnel.service
3. Add a new line under the existing R 111113... line.
4. Add the new line, e.g., R 111114:localhost:8889 \ (11111 is the tunnel port, 8889 is the listener port from the job, \ is not the end of the command).
5. Save the file (Ctrl+ X, Y, Enter).
6. Reload the daemon since changes have been made: sudo systemctl daemon-reload
7. Start the tunnel service: sudo systemctl start reversetunnel
8. On the proxy server, confirm that the tunnel has been established by running ss -plant, and ensure your port is in the list.
Changes on the Proxy
1. On the proxy server, create a new service file with an appropriate name: sudo nano /etc/systemd/system/socat11114.service
2. Copy and paste the service configuration from Appendix B. It doesn't matter which one, as long as it's one of them.
3. Make the necessary changes in the file as per the example in Appendix B (tcp-listen is the port Sliver is listening on, and tcp:127.0.0.1: should include your tunnel IP).
4. For example: /usr/bin/socat tcp-listen:8889,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11114
5. Enable the new service: sudo systemctl enable socat11114
6. Start the service: sudo systemctl start socat11114
7. Confirm that the port is listening: ss -plant, and make sure it's in the list.
Appendix A – ReverseTunnel.service

[Unit]
Description=Reverse SSH connection
After=network.target[Service]
Type=simple
ExecStart=/usr/bin/autossh -nNTg \
-o "ServerAliveCountMax 3" \
-o "ServerAliveInterval 10" \
-o "ExitOnForwardFailure yes" \
-o "StrictHostKeyChecking no" \
-R 11111:localhost:8443 \
-R 11112:localhost:8444 \
-R 11113:localhost:8888 \
-i /home/sliveradmin/.ssh/id_rsa [email protected]
Restart=always
RestartSec=30s[Install]
WantedBy=multi-user.target

This configuration defines a Reverse SSH connection service using autossh with various tunnel ports (11111, 11112, 11113) while ensuring continuous operation and security.
Appendix B – SoCat Listener Services
Here's an example service configuration that can be copied and customized as needed. Each part of the configuration is explained below.
Line - Description
- 1: Unit declaration and service information
- 2: A friendly description of the service's purpose (customize as needed)
- 3: Specifies that the service should start after the network is available
- 4: Declaration of the service itself and its intended function
- 5: Defines the service type as "simple"
- 6: The command that the service will execute
- 7: Configures the service to always attempt to restart
- 8: Sets a 30-second delay before restarting the service
- 9: Information to be handled by systemctl
- 10: Allows any user to start and stop the service
NNow, let's break down the command within the ExecStart line:

ExecStart=/usr/bin/socat tcp-listen:$publiclistenport,reuseaddr,fork,bind=$LocalIP tcp:127.0.0.1:$tunnelport

- `/usr/bin/socat` is the absolute path to the `socat` software and typically doesn't need to be changed.
- `tcp-listen:$publiclistenport` specifies the port on which the service will listen publicly. This port should match the one declared in your listener/job configuration.
- `reuseaddr,fork` are arguments that allow the address to be reused and fork the process, enabling the port to be used for multiple incoming connections. These settings generally do not need to be changed.
- `bind=$LocalIP` indicates the local IP to which `socat` will bind for listening. This IP may vary depending on your installation.
- `tcp:127.0.0.1:$tunnelport` designates where the data should be tunneled to after it's received on the TCP listener. The tunnelport must match the one specified in your reverse tunnel configuration.
Here's the complete example:

[Unit]
Description=Socat tunnel on 11111
After=network.target[Service]
Type=simple
ExecStart=/usr/bin/socat tcp-listen:$publiclistenport,reuseaddr,fork,bind=$LocalIP tcp:127.0.0.1:$tunnelport
Restart=always
RestartSec=30s[Install]
WantedBy=multi-user.target

For instance, if your tunnel is set to use port 5555, the local IP of the proxy is 192.168.1.5, and your Sliver job is configured to run on port 8333, the command would be:

ExecStart=/usr/bin/socat tcp-listen:8333,reuseaddr,fork,bind=192.168.1.5 tcp:127.0.0.1:5555

This configuration can be customized for different ports and IP addresses as needed.
Listener service 8443
Line - Description
- [Unit]: Description=Socat tunnel on 11111
- After=network.target
- [Service]: Type=simple
- ExecStart=/usr/bin/socat tcp-listen:8443,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11111
- Restart=always
- RestartSec=30s
- [Install]: WantedBy=multi-user.target
Listener service 8444
Line - Description
- [Unit]: Description=Socat tunnel on 11112
- After=network.target
- [Service]: Type=simple
- ExecStart=/usr/bin/socat tcp-listen:8444,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11112
- Restart=always
- RestartSec=30s
- [Install]: WantedBy=multi-user.target
Listener service 8888
Line - Description
- [Unit]: Description=Socat tunnel on 11113
- After=network.target
- [Service]: Type=simple
- ExecStart=/usr/bin/socat tcp-listen:8888,reuseaddr,fork,bind=10.1.1.4 tcp:127.0.0.1:11113
- Restart=always
- RestartSec=30s
- [Install]: WantedBy=multi-user.target
In this process, we've configured listener services for ports 8443, 8444, and 8888, which play a crucial role in handling data flow through tunnels in the system. These listener services ensure that data is properly routed to and from the Sliver server and proxy server, allowing for effective communication and control.
The use of `socat` and reverse tunnels provides a secure and reliable means of managing and transferring data in the Sliver C2 setup.