A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn't maintained to the latest version of it's go counterpart. SharpChisel didn’t produce compatible shellcode with donut, reflection methods or execute-assembly
. A fix for this has been found using the SharpChisel-NG project: https://github.com/latortuga71/SharpChisel-NG.
Since the SharpChisel-NG assembly is around 16.7 MB
, execute-assembly
(has a hidden size limitation of 1 MB
) and similar in memory methods wouldn’t work. To maintain most of the execution in memory, the NetLoader project is incorporated and executed via execute-assembly
to reflectively host and load a XOR encrypted version of SharpChisel-NG with base64 arguments in memory.
As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.
Note: If using a Windows teamserver skip steps 2 and 3.
-
Clone / download the repository:
git clone https://github.com/m3rcer/Chisel-Strike.git
-
Make all binaries executable:
-
cd Chisel-Strike
-
chmod +x -R chisel-modules
-
chmod +x -R tools
- Install
Mingw-w64
andmono
:
-
sudo apt-get install mingw-w64
-
sudo apt install mono-complete
- Import
ChiselStrike.cna
in cobalt strike using theScript Manager
Recompile and replace updated binaries from the src
folder if needed.
chisel can be executed on both the CS teamserver client (windows / linux) and the beacon. With either acting as the server / client. A normal execution flow would be to setup a chisel server on the CS teamserver and then create a client on the beacon to connect back to the teamserver.
-
chisel <client/server> <command>
: Run chisel on a beacon -
chisel-tms <client/server> <command>
: Run chisel on your CS teamserver -
chisel-enc
: XOR encrypt SharpChisel-NG with a password of choice -
chisel-jobs
: List active chisel jobs on the CS teamserver and beacon -
chisel-kill
: Kill active chisel jobs on a beacon -
chisel-tms-kill
: Kill active chisel jobs on your CS teamserver client
SharpChisel-NG drops a DLL on disk due to the use of Costura / Fody
packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll
which is detected by defender. It is advised to obfuscate and update chisel DLL's and SharpChisel-NG in the project.
-
Figure a way to avoid SharpChisel dropping main.dll on disk / create a new C# wrapper for chisel.
-
Create a method to parse command output for the
chisel-tms
command.
-
shantanu561993 for the C# wrapper implementation of chisel: SharpChisel
-
latortuga71 for the
load-assembly
fix: SharpChisel-NG