Skip to content
This repository has been archived by the owner on Mar 13, 2024. It is now read-only.

BishopFox/sliver-gui

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

398 Commits

.github

.github

 
 

build

build

 
 

builder

builder

 
 

main

main

 
 

src

src

 
 

.browserslistrc

.browserslistrc

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

angular.json

angular.json

 
 

main.ts

main.ts

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

tsconfig.app.json

tsconfig.app.json

 
 

tsconfig.json

tsconfig.json

 
 

tsconfig.main.json

tsconfig.main.json

 
 

tslint.json

tslint.json

 
 

version.ts

version.ts

 
 

Repository files navigation

Sliver GUI

Sliver GUI client.

⚠️ THIS PROJECT IS PRE-ALPHA AND FOR DEVELOPERS ONLY ⚠️

  • The GUI client is NOT feature complete, expect bugs and missing features.
  • Not accepting any issues/bug reports at this time, however feel free to submit PRs.
  • There's no documentation or tutorials aside from this readme (and the repo wiki).

Tagged Release License: GPL v3

Install

Download the latest release and connect to a Sliver server using a standard operator profile. See the wiki for more details.

Features

  • You can click on stuff!
  • Sandboxed JavaScript scripting engine (with built-in script editor)
  • i18n Language Support (French, Spanish, Japanese, Chinese)

FAQ

Why Electron!?

Because I value my development time more than your RAM.

Are Electron Apps Secure?

I tried ¯\(ツ)/¯. Having personally written multiple exploits for Electron apps, I like to think I have a fighting chance, and I really did go thru a lot of effort to make the Sliver GUI as secure as possible (the UI code is sandboxed and I even patched all of the evals out of the protobuf code). You can read more about the application architecture here. In short:

  • The renderer process is sandboxed, and preload scripts have context isolation enabled. Methods in the main process can only be called via postMessage(), and all JSON arguments must pass JSON-Schema checks.
  • No content runs in a file:// origin, all content is served from internal Electron protocol handlers (i.e. app://).
  • A strict content content security policy (CSP) is applied to all origins (script-src does not allow unsafe-inline or unsafe-eval).
  • Nearly the entire interface is implemented via Angular data binding; there are zero calls to bypassSecurityTrustHtml().

If you're concerned about security, I also encourage you to audit the code! See the repo security policy for bounties.

Why Not a Web Interface?

Sliver clients connect using gRPC over Mutual TLS (mTLS), which is not available from within a browser. Even sandboxed, Electron also lets us implement other native app integrations that would otherwise not be possible.

Build

From the root of the git repo, to build your local platform:

npm install
cd main/workers/worker && npm install && cd ../../..
sudo npm install -g electron-packager
sudo npm install -g @angular/cli
npm run electron:local

If that works, then you should be able to do platform specific builds (publish:macos will build both x64 and arm64):

npm run publish:macos
npm run publish:windows
npm run publish:linux

You can also use publish:windows_exe to build a portable (i.e., no installer) Windows executable.

To work on i18n/translations, you'll likely need to install the ngx-i18nsupport package:

npm install -g ngx-i18nsupport

About

A Sliver GUI Client

Topics

gui sliver security-tools redteam

Resources

Readme

License

View license

Security policy

Security policy
Activity
Custom properties

Stars

287 stars

Watchers

9 watching

Forks

30 forks
Report repository

Releases 9

v0.0.9 Latest
Jul 18, 2022
+ 8 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages