Awesome
Chisel-Strike
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
Why write this?
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn't maintained to the latest version of it's go counterpart. SharpChisel didn’t produce compatible shellcode with donut, reflection methods or execute-assembly
. A fix for this has been found using the SharpChisel-NG project: https://github.com/latortuga71/SharpChisel-NG.
Since the SharpChisel-NG assembly is around 16.7 MB
, execute-assembly
(has a hidden size limitation of 1 MB
) and similar in memory methods wouldn’t work. To maintain most of the execution in memory, the NetLoader project is incorporated and executed via execute-assembly
to reflectively host and load a XOR encrypted version of SharpChisel-NG with base64 arguments in memory.
As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.
Setup
Note: If using a Windows teamserver skip steps 2 and 3.
-
Clone / download the repository:
git clone https://github.com/m3rcer/Chisel-Strike.git
-
Make all binaries executable:
-
cd Chisel-Strike
-
chmod +x -R chisel-modules
-
chmod +x -R tools
- Install
Mingw-w64
andmono
:
-
sudo apt-get install mingw-w64
-
sudo apt install mono-complete
- Import
ChiselStrike.cna
in cobalt strike using theScript Manager
Recompile and replace updated binaries from the src
folder if needed.
Usage
chisel can be executed on both the CS teamserver client (windows / linux) and the beacon. With either acting as the server / client. A normal execution flow would be to setup a chisel server on the CS teamserver and then create a client on the beacon to connect back to the teamserver.
Commands
-
chisel <client/server> <command>
: Run chisel on a beacon -
chisel-tms <client/server> <command>
: Run chisel on your CS teamserver -
chisel-enc
: XOR encrypt SharpChisel-NG with a password of choice -
chisel-jobs
: List active chisel jobs on the CS teamserver and beacon -
chisel-kill
: Kill active chisel jobs on a beacon -
chisel-tms-kill
: Kill active chisel jobs on your CS teamserver client
Example
OPSEC
SharpChisel-NG drops a DLL on disk due to the use of Costura / Fody
packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll
which is detected by defender. It is advised to obfuscate and update chisel DLL's and SharpChisel-NG in the project.
TODO
-
Figure a way to avoid SharpChisel dropping main.dll on disk / create a new C# wrapper for chisel.
-
Create a method to parse command output for the
chisel-tms
command.
Credits
-
shantanu561993 for the C# wrapper implementation of chisel: SharpChisel
-
latortuga71 for the
load-assembly
fix: SharpChisel-NG