
Clearing/pruning sessions from the client doesn't work, and missing copy/paste command?

Open CodeXTF2 opened this issue 3 years ago • 11 comments

Hi, I am running sessions prune / sessions -C from the client to clear out dead sessions, and it says this:

sliver > sessions

 ID         Transport   Remote Address         Hostname    Username         Operating System   Health
========== =========== ====================== =========== ================ ================== ========
 4e9f4ba3   http(s)     192.168.61.146:49937   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]
 6024d48a   http(s)     192.168.61.146:49879   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]
 82e6045d   http(s)     192.168.61.146:49827   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]

sliver > sessions prune

Pruning session 4e9f4ba3-5732-4012-8317-b84ab7704087 ... done!
Pruning session 6024d48a-4734-419a-9d2f-f9a474ae5aee ... done!
Pruning session 82e6045d-2d9c-4ccd-9525-947ca4389568 ... done!

sliver >

However, the sessions are still there.

sliver > sessions prune

Pruning session 4e9f4ba3-5732-4012-8317-b84ab7704087 ... done!
Pruning session 6024d48a-4734-419a-9d2f-f9a474ae5aee ... done!
Pruning session 82e6045d-2d9c-4ccd-9525-947ca4389568 ... done!

sliver > sessions

 ID         Transport   Remote Address         Hostname    Username         Operating System   Health
========== =========== ====================== =========== ================ ================== ========
 4e9f4ba3   http(s)     192.168.61.146:49937   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]
 6024d48a   http(s)     192.168.61.146:49879   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]
 82e6045d   http(s)     192.168.61.146:49827   Kaspersky   KASPERSKY\User   windows/amd64      [DEAD]

sliver >

Clearing them from the server console works just fine. Any ideas?

CodeXTF2 avatar Aug 09 '22 09:08 CodeXTF2

Also, I might just be being blind, but I can't seem to find a copy/paste command in help. Is there one? I can only see mv, rm and rename.

Sliver:
=======
  cat                Dump file to stdout
  cd                 Change directory
  close              Close an interactive session without killing the remote process
  download           Download a file
  execute            Execute a program on the remote system
  execute-shellcode  Executes the given shellcode in the sliver process
  extensions         Manage extensions
  getgid             Get session process GID
  getpid             Get session pid
  getuid             Get session process UID
  ifconfig           View network interface configurations
  info               Get info about session
  interactive        Task a beacon to open an interactive session (Beacon only)
  kill               Kill a session
  ls                 List current directory
  mkdir              Make a directory
  msf                Execute an MSF payload in the current process
  msf-inject         Inject an MSF payload into a process
  mv                 Move or rename a file
  netstat            Print network connection information
  ping               Send round trip message to implant (does not use ICMP)
  pivots             List pivots for active session
  portfwd            In-band TCP port forwarding
  procdump           Dump process memory
  ps                 List remote processes
  pwd                Print working directory
  reconfig           Reconfigure the active beacon/session
  rename             Rename the active beacon/session
  rm                 Remove a file or directory
  screenshot         Take a screenshot
  shell              Start an interactive shell
  sideload           Load and execute a shared object (shared library/DLL) in a remote process
  socks5             In-band SOCKS5 Proxy
  ssh                Run a SSH command on a remote host
  terminate          Terminate a process on the remote system
  upload             Upload a file
  whoami             Get session user execution context

CodeXTF2 avatar Aug 09 '22 09:08 CodeXTF2

It's a bug, I ran into this the other day.

moloch-- avatar Aug 09 '22 17:08 moloch--

There are no copy/paste commands; this will depend on your OS/terminal.

moloch-- avatar Aug 09 '22 17:08 moloch--

I think @CodeXTF2 meant a cp command. We don't currently have that IIRC.

rkervella avatar Aug 09 '22 17:08 rkervella

Yeah, like @rkervella said, I meant a cp command in Sliver's agent :P

CodeXTF2 avatar Aug 09 '22 19:08 CodeXTF2

Is the cp command planned? It should be fairly straightforward to just use Golang's built-in copy paste methods, I'm guessing.

CodeXTF2 avatar Aug 09 '22 20:08 CodeXTF2

Feel free to open a PR for it.

rkervella avatar Aug 09 '22 20:08 rkervella

Alright. I'll try doing it tomorrow, though I haven't touched the Sliver codebase yet.

CodeXTF2 avatar Aug 09 '22 20:08 CodeXTF2

Gonna be figuring out how to add commands to sliver from looking at https://github.com/BishopFox/sliver/pull/638. Is that a good place to start?

CodeXTF2 avatar Aug 09 '22 20:08 CodeXTF2

Yup that sounds about right.

rkervella avatar Aug 09 '22 21:08 rkervella

> It's a bug, I ran into this the other day.

Did some testing; it seems like session close is triggered by the implant process dying. The kill command stops the implant but doesn't kill my process when run from a loader. The generated exes work fine. Calling terminate on your own PID works, though I like to specify a low timeout like 1 or 2 to prevent it waiting 60s (since the dead implant can't call back to confirm the tasking).

CodeXTF2 avatar Aug 10 '22 09:08 CodeXTF2

> The kill command stops the implant but doesn't kill my process when run from a loader.

This is by design; use the --force flag if you want to kill the host process. We made it this way because in the case of remote process injection or DLL hijacking scenarios, you don't always want to kill the host process.

rkervella avatar Aug 10 '22 15:08 rkervella

Ah! That seems to work. Yeah, that reasoning for cleanly killing the agent without the process dying makes sense. Thanks!

CodeXTF2 avatar Aug 10 '22 16:08 CodeXTF2

Also, I haven't touched protobuf until now. I saw that when they were adding the mv command they had to regenerate the protobufs? Is there somewhere that documents how to do that etc. after the code modifications are done?

CodeXTF2 avatar Aug 10 '22 17:08 CodeXTF2

There's a target in the Makefile to do that. Once you've added your protobuf messages and defined your RPC in services.proto, you can run make pb to regenerate the protobuf definitions.

rkervella avatar Aug 10 '22 17:08 rkervella
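As an added illustration of the cp implant command discussed in this thread (this is not code from the Sliver repository or from any of the participants), here is a self-contained Go copy routine of the kind such a handler would wrap once the protobuf messages and RPC are in place. The function name copyFile and its behaviour (directory destination resolves to dir/basename, same-file and non-regular sources are refused, mode bits preserved) are my assumptions, not Sliver's.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// copyFile copies the regular file src to dst, preserving its permission bits.
// If dst is an existing directory the copy lands inside it under src's base name.
func copyFile(src, dst string) (int64, error) {
	srcInfo, err := os.Stat(src)
	if err != nil {
		return 0, err
	}
	if !srcInfo.Mode().IsRegular() {
		return 0, fmt.Errorf("cp: %s is not a regular file", src)
	}
	// "cp file dir" means "cp file dir/file".
	if info, err := os.Stat(dst); err == nil && info.IsDir() {
		dst = filepath.Join(dst, filepath.Base(src))
	}
	// Refuse to truncate the source by copying it onto itself (hard links too).
	if info, err := os.Stat(dst); err == nil && os.SameFile(srcInfo, info) {
		return 0, errors.New("cp: source and destination are the same file")
	}
	in, err := os.Open(src)
	if err != nil {
		return 0, err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, srcInfo.Mode().Perm())
	if err != nil {
		return 0, err
	}
	n, err := io.Copy(out, in)
	if cerr := out.Close(); err == nil {
		err = cerr // surface a failed flush/close, not only a failed write
	}
	return n, err
}

func main() {
	// Stand-alone usage (demo only, not Sliver code): go run cp.go SRC DST
	n, err := copyFile(os.Args[1], os.Args[2])
	fmt.Println(n, err)
}
```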

Alright. I'll have a look tomorrow.

CodeXTF2 avatar Aug 10 '22 17:08 CodeXTF2

See also: https://github.com/BishopFox/sliver/wiki/Compile-From-Source#developers

moloch-- avatar Aug 10 '22 23:08 moloch--