BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

MTLS Redirector Support #240

Open kfiducia opened 4 years ago

kfiducia commented 4 years ago

I would like to be able to redirect my C2 traffic as usual using disposable fronts, but when generating mTLS binaries the certs aren't provided to terminate/create TLS sessions. I would like to have the certs provided when an mTLS binary is generated so I can (at least try to) set up a redirector while keeping the security of mTLS. Sliver server may need to also support this or pay attention to forwarded headers for the client endpoint.

rkervella commented 4 years ago

I'm not quite sure I understand the issue. Can you provide more technical details? By just using a TCP forwarder (like socat for example) as your front you should be able to redirect everything to the Sliver server, without any issue.

As for the certificates, the certificate authority is stored in $HOME/.sliver/certs, so if you want to regenerate a new Sliver cert manually, you definitely can. I believe Sliver certificates are also stored in the Badger database, but we don't directly expose an interface to it. A less convenient way to retrieve implant certificates is to get them from the generated source code, in $HOME/.sliver/slivers.

kfiducia commented 4 years ago

> I'm not quite sure I understand the issue. Can you provide more technical details? By just using a TCP forwarder (like socat for example) as your front you should be able to redirect everything to the Sliver server, without any issue.
>
> As for the certificates, the certificate authority is stored in $HOME/.sliver/certs, so if you want to regenerate a new Sliver cert manually, you definitely can. I believe Sliver certificates are also stored in the Badger database, but we don't directly expose an interface to it. A less convenient way to retrieve implant certificates is to get them from the generated source code, in $HOME/.sliver/slivers.

@rkervella, thanks for the prompt reply. My redirectors are usually nginx reverse proxies that listen based on server name and path, and have different behaviors based on that URI path and requesting host, so any investigation gets different material than a targeted host, e.g. malicious[.]tld/c2-path-here/. My understanding is that nginx wants to terminate the mTLS when using a proxy_pass, even if stuffing it down a socat tunnel. If you have a different methodology I perhaps haven't thought of, I would be interested to hear it. (But I think the details you gave me are enough to get it working the way I planned!)

rkervella commented 4 years ago

Well if we're strictly talking about the Sliver mTLS transport, you can't really use nginx this way to do that. My understanding is that you would need to use the stream feature, as described here, to turn your nginx instance in a TCP forwarder. But you won't have control over HTTP headers and URLs, since there's no HTTP communication coming from the implant in the first place when you're using the mTLS transport.

Now, if you're using HTTP(s) as a transport for the agent, that's another story. You should be able to do what you want, the way you want it with nginx, but I believe there are certain headers that you would need to forward to the Sliver server. @moloch-- might know more about that.

moloch-- commented 4 years ago

I'm working on a very comprehensive solution to this very problem, however I'm not sure if I'll be able to open source it (we'll see). In the meantime, specifically for mTLS you need to use TCP redirectors. Nginx should be able to handle this via the feature @rkervella linked above, though I've not personally tried it.

@kfiducia - Note that mTLS runs over raw TCP, and thus does not have the concept of paths/etc. For that you need to use HTTP/S.
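
An nginx `stream` passthrough of the kind rkervella and moloch-- describe above, as an added example that is not from the Sliver project or from the thread's participants. The upstream address 10.0.0.5 is assumed, and 8888 is assumed to be the port the Sliver `mtls` listener was started on. The block goes at the top level of nginx.conf, beside (not inside) the `http {}` block, and needs an nginx build that includes the stream module.

```nginx
# Added example, not Sliver project code: TCP passthrough for the Sliver mTLS transport.
# Assumptions: Sliver server at 10.0.0.5, mtls listener on 8888, reachable only from this host.
stream {
    upstream sliver_mtls {
        server 10.0.0.5:8888;
    }

    server {
        # No "ssl" parameter here and no proxy_ssl below: nginx copies bytes in both
        # directions and never terminates TLS, so the implant's mTLS handshake
        # completes end-to-end against the Sliver server itself.
        listen 8888;
        listen [::]:8888;

        proxy_pass sliver_mtls;
        proxy_connect_timeout 5s;
        # Idle timeout for an established session; an implant that goes quiet
        # longer than this is disconnected and must reconnect.
        proxy_timeout 10m;
    }
}
```

To confirm the front is not terminating, run `openssl s_client -connect <redirector>:8888 -showcerts </dev/null` against it: the certificate printed should be the Sliver server's own, not one issued for the redirector, and the handshake should fail only because no client certificate was offered. Since nothing HTTP-level exists in this transport, there are no paths or headers to route on or forward, and the Sliver server will see the redirector's IP as the implant's source address.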

vctrferreira commented 1 year ago

I was trying to use Sliver behind a proxy using HTTP, but I ran into some problems. This is my nginx conf:

```nginx
events {
  worker_connections 1024;
}

http {
  server {
    # Plain HTTP listener; anything speaking TLS to this port is rejected with a 400.
    listen 80;
    server_name servernameexample.com;

    # Requests under /d are stripped of the prefix and sent to a container.
    location /d {
      rewrite ^/d(.*)$ $1 break;
      proxy_pass http://<DOCKER_CONTAINER_NAME>:82;
    }

    # Everything else is forwarded to the Sliver HTTP listener on port 81.
    location / {
      proxy_pass http://<HOST_IP>:81;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}
```

My implant was generated with HTTP to servernameexample.com:80, but for some reason I'm getting errors 400 and 499:

```text
[09/May/2023:19:19:57 +0000] "\x16\x03\x01\x01\x05\x01\x00\x01\x01\x03\x03\xE1\xAE\x9C\x1C\xE6\x06\xC2\xA3\x02\x18`\xC5njh2\xE5zi\xE33K\xFE8\x8D\xD5\x5C\xF5\xA5\xBAT( \xCF\xD2o\x09\xD3\x02\x13" 400 157 "-" "-"
"POST /samples.html?jt=973713c49&t=39e158s943 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.3631.353 Safari/537.36"
[09/May/2023:19:21:27 +0000] "\x16\x03\x01\x01\x05\x01\x00\x01\x01\x03\x03z*cE\xDD8\xC0\x8B\x9DFf\x01}\x8C\x99\xC5\x0B\xFF\xE6x\xB6\x1D[\x09`\x86\x87\xB1 7S\xC6 \xC3e\x01\xDA\xDA\xC8\xF9\xCD\xEF\xE1\xFD\x1A\x04j\xEE\xC9\x80)\xBDWk\xA7\xD7\xBBq\xF3\xE9\x08\xBEk \xB3\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 157 "-" "-"
```

Am I doing something wrong or missing any header or config?

rkervella commented 1 year ago

@vctrferreira here's a config I use frequently and I know works for nginx:

```nginx
server {
    # nginx terminates TLS here and speaks plain HTTP to the Sliver listener.
    listen 443 ssl;
    listen [::]:443 ssl http2;

    # Real static content served from disk for anyone browsing the host directly.
    root /var/www/html;

    index index.html;

    server_name example.com;
    # TLS stuff
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Serve a file if one exists at that path, otherwise fall through to @c2.
    location / {
        try_files $uri $uri/ @c2;
    }

    # Named location: everything that is not a real file goes to the Sliver HTTP listener.
    location @c2 {
        proxy_pass http://sliver:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

vctrferreira commented 1 year ago

I made some changes here and it works well for me, thanks 👯

YugoCode commented 2 weeks ago

@rkervella and @vctrferreira, could you please also share the arguments you used for creating the implant? Thanks 🙏