When it comes to tools used in Penetration Testing or Red Team operations, most people immediately think of Metasploit Framework — a long-standing, widely popular framework with an enormous library of exploit modules.
In recent years, however, a new generation of Command & Control (C2) tools has emerged. One of them is Sliver C2, developed by Bishop Fox.
Sliver was purpose-built for Red Team operations and Adversary Simulation. Its key strengths include:
Written in Go
Cross-platform support
Small implant footprint
Supports HTTP, HTTPS, mTLS, DNS, and WireGuard
Better OPSEC than legacy frameworks
Free and Open Source
In this post, we'll explore Sliver from the ground up, compare it against Metasploit, and build a lab to try it hands-on.
What Is Sliver C2?
Sliver is a Command and Control Framework (C2) used to control target machines after initial access has been achieved (Post-Exploitation).
Core capabilities of Sliver include:
Generate implants
Receive beacons from targets
Execute commands
Upload / Download files
Screenshot
Port Forwarding
Pivot
Execute Assembly (.NET)
Process Injection
Extensions via Armory
Simply put, Sliver acts as a "command center" for controlling machines you've already gained access to.
Once an implant runs on the target machine, it connects back to your listener. The operator can then send commands through the Sliver Server to the target.
Sliver Server first launch — Sliver v1.7.3
Sliver vs Metasploit
Many people assume Sliver competes directly with Metasploit. In reality, they serve different purposes.
Comparison
Sliver
Metasploit
Primary Purpose
Command & Control
Exploitation Framework
Language
Go
Ruby
Exploit Modules
Minimal
Extensive
Payload
Modern Implant
Meterpreter
OPSEC
Good
Moderate
Beacon
Full support
Limited
Extensions
Armory
Post Modules
Performance
High
Moderate
Metasploit is best for
Exploiting CVEs
Validating Vulnerabilities
Privilege Escalation
Meterpreter sessions
Sliver is best for
Long-term Engagements
Red Team Operations
Beacon Management
Command & Control
In practice, both frameworks are often used together — Metasploit for initial exploitation, Sliver for long-term post-exploitation control.
Setting Up a Lab
Before you begin, prepare a lab environment:
Kali Linux — Operator Machine
Windows 10 / Windows Server — Target Machine
Active Directory (Optional) — for AD attack testing
Ubuntu Server (Optional) — for Linux targets
All machines should be on the same virtual network for easy connectivity.
💡 You can use HTB Labs, TryHackMe, or VirtualBox/VMware to build a private lab.
Installing Sliver
Download Sliver from GitHub Releases and install on Kali Linux:
# Download Sliver server binary
curl -L https://github.com/BishopFox/sliver/releases/latest/download/sliver-server_linux -o sliver-server
chmod +x sliver-server
# Run Sliver server
./sliver-server
Or use the installer script:
curl -sSL https://sliver.sh/install | sudo bash
Sliver v1.7.3 server ready
Getting Started — Create a Listener
After launching Sliver Server, the first step is creating a Listener to receive connections from your implant.
Sliver supports multiple protocols:
HTTP / HTTPS — works where outbound HTTP/S is allowed
mTLS — Mutual TLS, highly secure, great for labs and internal networks
mimikatz sekurlsa::logonpasswords — extracting NTLM hash of DC$ machine account
From this output we can extract the NTLM hash of the DC$ machine account, which can be used for Pass-the-Hash or Silver Ticket attacks.
Sliver doesn't replace Metasploit — it enhances the Post-Exploitation phase with flexibility suited for long-term operations.
Summary
From firing up ./sslarm, creating a Listener with mtls, generating an implant, watching a Session come back ALIVE, all the way to dumping credentials — that's the full flow Sliver handles in a real Red Team engagement.
Sliver isn't here to replace Metasploit. It fills the gap Metasploit was never great at: long-term control with better OPSEC, flexible beaconing, and Armory extensions that cover nearly every AD attack path you'll need.
If you've only ever used Metasploit + Meterpreter, give Sliver a spin — it's not as complex as it looks, and the workflow fits real-world engagements far better than you'd expect.