Pivots

IMPORTANT: Pivots in Sliver are used specifically for pivoting C2 traffic. They are not to be confused with port forwarding (portfwd), which is used for tunneling generic TCP connections into a target environment.

Pivots can only be used in "session mode"

Pivots allow you to create "chains" of implant connections. For example, if you are trying to deploy a pivot into a highly restricted subnet that cannot route traffic directly to the internet, you can instead create an implant that egresses all traffic via another implant in a less restricted subnet. In Sliver v1.5 and later, pivots can be arbitrarily nested; for example, pivot A can connect through pivot B to a third egress implant.

In Sliver you use an existing session to create a "pivot listener" and then generate new pivots that can connect back to that listener, just as you would with other C2 protocols/endpoints.

Pivots perform an authenticated peer-to-peer cryptographic key exchange regardless of the underlying pivot protocol, therefore pivots can only communicate with other implants generated by the same server; this restriction cannot be disabled.

TCP Pivots

TCP pivots are implemented in pure Go and are supported on all platforms.

1) pivots tcp

We can now use generate --tcp-pivot 192.168.1.1:9898 to generate an implant that will connect to the pivot listener, where 192.168.1.1 is the local IP of the server on which we started the listener.

2) generate --tcp-pivot 192.168.1.1:9898

Named Pipe Pivots (SMB)

Named pipe pivots are only supported on Windows. Select a session to start a named pipe listener, and then use the --bind flag to specify a pipe name. Pipes are automatically started on the local machine, so you only need to specify a name. Remote clients are always allowed to connect to the pipe, but the default ACL only allows the current user/group. You can allow all users/groups with the --allow-all flag:

1) use SESSION_NAME

2) pivots named-pipe --bind foobar

Next we generate a named pipe implant using generate --named-pipe 192.168.1.1/pipe/foobar. Note that here we may need to specify the IP address of the listener (192.168.1.1). The syntax is HOST/pipe/PIPE_NAME, where . is equivalent to 127.0.0.1; this is just the standard syntax for Windows named pipes.

3) sessions

IMPORTANT: In some environments you may need to use the --allow-all flag when starting the pivot listener to allow all users/groups.
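To make the HOST/pipe/PIPE_NAME syntax above concrete, here is an added Go example (not Sliver's own code) that parses such an address, applies the documented "." alias for 127.0.0.1, rejects malformed input, and renders the equivalent Windows UNC pipe path. The ParseNamedPipeAddress function, the NamedPipePivot type and the sample addresses are assumptions constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// NamedPipePivot holds the components of a named pipe pivot address written
// as HOST/pipe/PIPE_NAME. Hypothetical type for this example.
type NamedPipePivot struct {
	Host     string // IP address or hostname; "." is normalised to 127.0.0.1
	PipeName string // pipe name without any path separators
}

// ParseNamedPipeAddress parses HOST/pipe/PIPE_NAME into its parts.
// Hypothetical helper, not Sliver's own parser.
func ParseNamedPipeAddress(addr string) (NamedPipePivot, error) {
	parts := strings.SplitN(addr, "/", 3)
	if len(parts) != 3 || !strings.EqualFold(parts[1], "pipe") {
		return NamedPipePivot{}, fmt.Errorf("expected HOST/pipe/PIPE_NAME, got %q", addr)
	}
	host, name := parts[0], parts[2]
	if host == "" || name == "" {
		return NamedPipePivot{}, errors.New("host and pipe name must be non-empty")
	}
	if strings.ContainsAny(name, `\/`) {
		return NamedPipePivot{}, fmt.Errorf("pipe name %q must not contain path separators", name)
	}
	// "." is the Windows shorthand for the local machine; the page states it
	// is equivalent to 127.0.0.1, so normalise it here.
	if host == "." {
		host = "127.0.0.1"
	}
	return NamedPipePivot{Host: host, PipeName: name}, nil
}

// UNCPath renders the address as the Windows named pipe path \\HOST\pipe\NAME.
func (p NamedPipePivot) UNCPath() string {
	return `\\` + p.Host + `\pipe\` + p.PipeName
}

// IsLocal reports whether the host is a loopback IP, i.e. the pipe is on the
// machine where the listener was started.
func (p NamedPipePivot) IsLocal() bool {
	ip := net.ParseIP(p.Host)
	return ip != nil && ip.IsLoopback()
}

func main() {
	// Constructed sample addresses: one remote, one local alias, one malformed.
	for _, a := range []string{"192.168.1.1/pipe/foobar", "./pipe/foobar", "192.168.1.1/foobar"} {
		p, err := ParseNamedPipeAddress(a)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s (local=%v)\n", a, p.UNCPath(), p.IsLocal())
	}
}
```

Running the program prints the UNC form for the two valid addresses and an error for the one that lacks the /pipe/ segment.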
