Merge master

Dockerfile

@@ -52,11 +52,9 @@ RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_VER}
 
 # Go assets
 WORKDIR /go/src/github.com/bishopfox/sliver
-ADD ./go-assets.sh /go/src/github.com/bishopfox/sliver/go-assets.sh
-RUN ./go-assets.sh
-
-# Compile sliver server
 ADD . /go/src/github.com/bishopfox/sliver/
+RUN make clean-all
+RUN ./go-assets.sh
 RUN make \
     && cp -vv sliver-server /opt/sliver-server \
     && /opt/sliver-server unpack --force 

Makefile

@@ -5,7 +5,7 @@
 GO ?= go
 ARTIFACT_SUFFIX ?= 
 ENV =
-TAGS = -tags osusergo,netgo,cgosqlite,sqlite_omit_load_extension
+TAGS ?= -tags osusergo,netgo,cgosqlite,sqlite_omit_load_extension
 
 
 #

client/command/beacons/beacons.go

@@ -109,7 +109,8 @@ func renderBeacons(beacons []*clientpb.Beacon, filter string, filterRegex *regex
 
 	tw := table.NewWriter()
 	tw.SetStyle(settings.GetTableStyle(con))
-	if con.Settings.SmallTermWidth < width {
+	wideTermWidth := con.Settings.SmallTermWidth < width
+	if wideTermWidth {
 		tw.AppendHeader(table.Row{
 			"ID",
 			"Name",
@@ -119,6 +120,7 @@ func renderBeacons(beacons []*clientpb.Beacon, filter string, filterRegex *regex
 			"Hostname",
 			"Username",
 			"Operating System",
+			"Locale",
 			"Last Check-in",
 			"Next Check-in",
 		})
@@ -141,42 +143,10 @@ func renderBeacons(beacons []*clientpb.Beacon, filter string, filterRegex *regex
 			color = console.Green
 		}
 
-		nextCheckin := time.Unix(beacon.NextCheckin, 0)
-		nextCheckinDateTime := nextCheckin.Format(time.UnixDate)
-
-		var next string
-		var interval string
-
-		if time.Unix(beacon.NextCheckin, 0).Before(time.Now()) {
-			if con.Settings.SmallTermWidth < width {
-				interval = fmt.Sprintf("%s (%s ago)", nextCheckinDateTime, time.Since(nextCheckin).Round(time.Second))
-
-			} else {
-				interval = time.Since(nextCheckin).Round(time.Second).String()
-			}
-			next = fmt.Sprintf("%s%s%s", console.Bold+console.Red, interval, console.Normal)
-		} else {
-			if con.Settings.SmallTermWidth < width {
-				interval = fmt.Sprintf("%s (in %s)", nextCheckinDateTime, time.Until(nextCheckin).Round(time.Second))
-			} else {
-				interval = time.Until(nextCheckin).Round(time.Second).String()
-			}
-
-			next = fmt.Sprintf("%s%s%s", console.Bold+console.Green, interval, console.Normal)
-		}
-
 		// We need a slice of strings so we can apply filters
 		var rowEntries []string
 
-		/*
-			Round the duration to the nearest second to be more output friendly.
-			We deal in seconds for everything, so it makes sense to show outputs
-			in seconds to remain consistent.
-		*/
-		timeSinceLastCheckin := time.Since(time.Unix(beacon.LastCheckin, 0)).Round(time.Second)
-		lastCheckinDateTime := time.Unix(beacon.LastCheckin, 0).Format(time.UnixDate)
-
-		if con.Settings.SmallTermWidth < width {
+		if wideTermWidth {
 			rowEntries = []string{
 				fmt.Sprintf(color+"%s"+console.Normal, strings.Split(beacon.ID, "-")[0]),
 				fmt.Sprintf(color+"%s"+console.Normal, beacon.Name),
@@ -186,8 +156,9 @@ func renderBeacons(beacons []*clientpb.Beacon, filter string, filterRegex *regex
 				fmt.Sprintf(color+"%s"+console.Normal, beacon.Hostname),
 				fmt.Sprintf(color+"%s"+console.Normal, strings.TrimPrefix(beacon.Username, beacon.Hostname+"\\")),
 				fmt.Sprintf(color+"%s/%s"+console.Normal, beacon.OS, beacon.Arch),
-				fmt.Sprintf(color+"%s (%s ago)"+console.Normal, lastCheckinDateTime, timeSinceLastCheckin),
-				next,
+				fmt.Sprintf(color+"%s"+console.Normal, beacon.Locale),
+				con.FormatDateDelta(time.Unix(beacon.LastCheckin, 0), wideTermWidth, false),
+				con.FormatDateDelta(time.Unix(beacon.NextCheckin, 0), wideTermWidth, true),
 			}
 		} else {
 			rowEntries = []string{
@@ -196,8 +167,8 @@ func renderBeacons(beacons []*clientpb.Beacon, filter string, filterRegex *regex
 				fmt.Sprintf(color+"%s"+console.Normal, beacon.Transport),
 				fmt.Sprintf(color+"%s"+console.Normal, strings.TrimPrefix(beacon.Username, beacon.Hostname+"\\")),
 				fmt.Sprintf(color+"%s/%s"+console.Normal, beacon.OS, beacon.Arch),
-				fmt.Sprintf(color+"%s ago"+console.Normal, timeSinceLastCheckin),
-				next,
+				con.FormatDateDelta(time.Unix(beacon.LastCheckin, 0), wideTermWidth, false),
+				con.FormatDateDelta(time.Unix(beacon.NextCheckin, 0), wideTermWidth, true),
 			}
 		}
 		// Build the row struct

client/command/commands.go

@@ -23,7 +23,7 @@ package command
 
 	Guidelines when adding a command:
 
-		* Try to reuse the same short/long flags for the same paramenter,
+		* Try to reuse the same short/long flags for the same parameter,
 		  e.g. "timeout" flags should always be -t and --timeout when possible.
 		  Try to avoid creating flags that conflict with others even if you're
 		  not using the flag, e.g. avoid using -t even if your command doesn't
@@ -66,6 +66,7 @@ import (
 	"github.com/bishopfox/sliver/client/command/reaction"
 	"github.com/bishopfox/sliver/client/command/reconfig"
 	"github.com/bishopfox/sliver/client/command/registry"
+	"github.com/bishopfox/sliver/client/command/rportfwd"
 	"github.com/bishopfox/sliver/client/command/screenshot"
 	"github.com/bishopfox/sliver/client/command/sessions"
 	"github.com/bishopfox/sliver/client/command/settings"
@@ -456,6 +457,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("c", "cert", "", "PEM encoded certificate file")
 			f.String("k", "key", "", "PEM encoded private key file")
 			f.Bool("e", "lets-encrypt", false, "attempt to provision a let's encrypt certificate")
+			f.Bool("E", "disable-randomized-jarm", false, "disable randomized jarm fingerprints")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 			f.Bool("p", "persistent", false, "make persistent across restarts")
@@ -482,6 +484,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.StringL("aes-encrypt-key", "", "encrypt stage with AES encryption key")
 			f.StringL("aes-encrypt-iv", "", "encrypt stage with AES encryption iv")
 			f.String("C", "compress", "none", "compress the stage before encrypting (zlib, gzip, deflate9, none)")
+			f.Bool("P", "prepend-size", false, "prepend the size of the stage to the payload (to use with MSF stagers)")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
@@ -517,7 +520,6 @@ func BindCommands(con *console.SliverConsoleClient) {
 		Help:     "Reconfigure the active beacon/session",
 		LongHelp: help.GetHelpFor([]string{consts.ReconfigStr}),
 		Flags: func(f *grumble.Flags) {
-			f.String("n", "name", "", "change implant name to")
 			f.String("r", "reconnect-interval", "", "reconnect interval for implant")
 			f.String("i", "beacon-interval", "", "beacon callback interval")
 			f.String("j", "beacon-jitter", "", "beacon callback jitter (random up to)")
@@ -900,6 +902,9 @@ func BindCommands(con *console.SliverConsoleClient) {
 		Args: func(a *grumble.Args) {
 			a.String("session", "session ID", grumble.Default(""))
 		},
+		Completer: func(prefix string, args []string) []string {
+			return use.BeaconAndSessionIDCompleter(prefix, args, con)
+		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
 			info.InfoCmd(ctx, con)
@@ -1340,6 +1345,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("y", "limit-username", "", "limit execution to specified username")
 			f.String("z", "limit-hostname", "", "limit execution to specified hostname")
 			f.String("F", "limit-fileexists", "", "limit execution to hosts with this file in the filesystem")
+			f.String("L", "limit-locale", "", "limit execution to hosts that match this locale")
 
 			f.String("f", "format", "exe", "Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only)")
 			f.String("s", "save", "", "directory/file to the binary to")
@@ -1397,6 +1403,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("y", "limit-username", "", "limit execution to specified username")
 			f.String("z", "limit-hostname", "", "limit execution to specified hostname")
 			f.String("F", "limit-fileexists", "", "limit execution to hosts with this file in the filesystem")
+			f.String("L", "limit-locale", "", "limit execution to hosts that match this locale")
 
 			f.String("f", "format", "exe", "Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only)")
 			f.String("s", "save", "", "directory/file to the binary to")
@@ -1549,6 +1556,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("y", "limit-username", "", "limit execution to specified username")
 			f.String("z", "limit-hostname", "", "limit execution to specified hostname")
 			f.String("F", "limit-fileexists", "", "limit execution to hosts with this file in the filesystem")
+			f.String("L", "limit-locale", "", "limit execution to hosts that match this locale")
 
 			f.String("f", "format", "exe", "Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only)")
 
@@ -1612,6 +1620,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("y", "limit-username", "", "limit execution to specified username")
 			f.String("z", "limit-hostname", "", "limit execution to specified hostname")
 			f.String("F", "limit-fileexists", "", "limit execution to hosts with this file in the filesystem")
+			f.String("L", "limit-locale", "", "limit execution to hosts that match this locale")
 
 			f.String("f", "format", "exe", "Specifies the output formats, valid values are: 'exe', 'shared' (for dynamic libraries), 'service' (see `psexec` for more info) and 'shellcode' (windows only)")
 
@@ -2529,6 +2538,59 @@ func BindCommands(con *console.SliverConsoleClient) {
 	})
 	con.App.AddCommand(registryCmd)
 
+	// [ Reverse Port Forwarding ] --------------------------------------------------------------
+
+	rportfwdCmd := &grumble.Command{
+		Name:     consts.RportfwdStr,
+		Help:     "reverse port forwardings",
+		LongHelp: help.GetHelpFor([]string{consts.RportfwdStr}),
+		Flags: func(f *grumble.Flags) {
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+		},
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			rportfwd.RportFwdListenersCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		HelpGroup: consts.SliverHelpGroup,
+	}
+	rportfwdCmd.AddCommand(&grumble.Command{
+		Name:     consts.AddStr,
+		Help:     "Add and start reverse port forwarding",
+		LongHelp: help.GetHelpFor([]string{consts.RportfwdStr}),
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			rportfwd.StartRportFwdListenerCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		Flags: func(f *grumble.Flags) {
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+			f.String("r", "remote", "", "remote address <ip>:<port> connection is forwarded to")
+			f.String("b", "bind", "", "bind address <ip>:<port> implants listen on")
+		},
+		HelpGroup: consts.SliverWinHelpGroup,
+	})
+	rportfwdCmd.AddCommand(&grumble.Command{
+		Name:     consts.RmStr,
+		Help:     "Stop and remove reverse port forwarding",
+		LongHelp: help.GetHelpFor([]string{consts.RportfwdStr}),
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			rportfwd.StopRportFwdListenerCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		Flags: func(f *grumble.Flags) {
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+			f.Int("i", "id", 0, "id of portfwd to remove")
+		},
+		HelpGroup: consts.SliverWinHelpGroup,
+	})
+
+	con.App.AddCommand(rportfwdCmd)
+
 	// [ Pivots ] --------------------------------------------------------------
 
 	pivotsCmd := &grumble.Command{
@@ -3365,7 +3427,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedConsole}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)`")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
@@ -3382,14 +3444,19 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedChrome}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
 			f.Bool("R", "restore", true, "restore the user's session after process termination")
 			f.String("e", "exe", "", "chrome/chromium browser executable path (blank string = auto)")
 			f.String("u", "user-data", "", "user data directory (blank string = auto)")
 			f.String("p", "payload", "", "cursed chrome payload file path (.js)")
+			f.Bool("k", "keep-alive", false, "keeps browser alive after last browser window closes")
+			f.Bool("H", "headless", false, "start browser process in headless mode")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional chrome cli arguments", grumble.Default([]string{}))
+		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
 			cursed.CursedChromeCmd(ctx, con)
@@ -3403,14 +3470,19 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedEdge}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
 			f.Bool("R", "restore", true, "restore the user's session after process termination")
 			f.String("e", "exe", "", "edge browser executable path (blank string = auto)")
 			f.String("u", "user-data", "", "user data directory (blank string = auto)")
 			f.String("p", "payload", "", "cursed chrome payload file path (.js)")
+			f.Bool("k", "keep-alive", false, "keeps browser alive after last browser window closes")
+			f.Bool("H", "headless", false, "start browser process in headless mode")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional edge cli arguments", grumble.Default([]string{}))
+		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
 			cursed.CursedEdgeCmd(ctx, con)
@@ -3419,37 +3491,57 @@ func BindCommands(con *console.SliverConsoleClient) {
 		},
 	})
 	cursedCmd.AddCommand(&grumble.Command{
-		Name:      consts.ScreenshotStr,
-		Help:      "Take a screenshot of a cursed process debug target",
-		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.ScreenshotStr}),
+		Name:      consts.CursedElectron,
+		Help:      "Curse a remote Electron application",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedElectron}),
+		HelpGroup: consts.GenericHelpGroup,
+		Flags: func(f *grumble.Flags) {
+			f.String("e", "exe", "", "remote electron executable absolute path")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
+
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional electron cli arguments", grumble.Default([]string{}))
+		},
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			cursed.CursedElectronCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+	})
+	cursedCmd.AddCommand(&grumble.Command{
+		Name:      consts.CursedCookies,
+		Help:      "Dump all cookies from cursed process",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedCookies}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int64("q", "quality", 100, "screenshot quality (1 - 100)")
 			f.String("s", "save", "", "save to file")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
-			cursed.CursedScreenshotCmd(ctx, con)
+			cursed.CursedCookiesCmd(ctx, con)
 			con.Println()
 			return nil
 		},
 	})
 	cursedCmd.AddCommand(&grumble.Command{
-		Name:      consts.CursedElectron,
-		Help:      "Curse a remote Electron application",
-		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedElectron}),
+		Name:      consts.ScreenshotStr,
+		Help:      "Take a screenshot of a cursed process debug target",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.ScreenshotStr}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.String("e", "exe", "", "remote electron executable absolute path")
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int64("q", "quality", 100, "screenshot quality (1 - 100)")
+			f.String("s", "save", "", "save to file")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
-			cursed.CursedElectronCmd(ctx, con)
+			cursed.CursedScreenshotCmd(ctx, con)
 			con.Println()
 			return nil
 		},

client/command/cursed/cursed-chrome.go

@@ -175,7 +175,7 @@ func startCursedChromeProcess(isEdge bool, session *clientpb.Session, ctx *grumb
 	con.Printf("success!\n")
 
 	con.PrintInfof("Starting %s process ... ", name)
-	debugPort := uint16(ctx.Flags.Int("remote-debugging-port"))
+	debugPort := getRemoteDebuggerPort(ctx)
 	args := []string{
 		fmt.Sprintf("--remote-debugging-port=%d", debugPort),
 	}
@@ -185,6 +185,16 @@ func startCursedChromeProcess(isEdge bool, session *clientpb.Session, ctx *grumb
 	if ctx.Flags.Bool("restore") {
 		args = append(args, "--restore-last-session")
 	}
+	if ctx.Flags.Bool("keep-alive") {
+		args = append(args, "--keep-alive-for-test")
+	}
+	if ctx.Flags.Bool("headless") {
+		args = append(args, "--headless")
+	}
+	additionalArgs := ctx.Args.StringList("args")
+	if len(additionalArgs) > 0 {
+		args = append(args, additionalArgs...)
+	}
 
 	// Execute the Chrome process with the extra flags
 	// TODO: PPID spoofing, etc.