A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
Why write this?
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn’t maintained to the latest version of chisel. It didn’t allow using shellcode with donut, reflectio n methods or
execute-assembly. I found a fix for this using the SharpChisel-NG project.
Since the SharpChisel assembly is around
execute-assembly(has a hidden size limitation of
1 MB) and similar in memory methods wouldn’t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via
execute-assembly to reflectively host and load a XOR encrypted version of
SharpChisel with base64 arguments in memory.
Note: If using a Windows teamserver skip steps 2 and 3.
Clone/download the repository:
git clone https://github.com/m3rcer/Chisel-Strike.git
Make all binaries executable:
chmod +x -R chisel-modules
chmod +x -R tools
sudo apt-get install mingw-w64
sudo apt install mono-complete
ChiselStrike.cnain cobalt strike using the
Recompile binaries from the
src folder if needed.
chisel can be executed on both the teamserver (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the teamserver and create a client on the beacon connecting back to the teamserver.
chisel <client/server> <command>: Run Chisel on a beacon
chisel-tms <client/server> <command>: Run Chisel on your teamserver
chisel-enc: XOR Encrypt
SharpChisel.exewith a password of choice
chisel-jobs: List active chisel jobs on the teamserver and beacon
chisel-kill: Kill active chisel jobs on a beacon
chisel-tms-kill: Kill active chisel jobs on teamserver
SharpChisel.exe drops a
dll on disk due to the use of
Costura/Fody packages at a location similar to:
C:Usersm3rcerAppDataLocalTempCosturaCB9433C24E75EC539BF34CD1AA12B23664main.dll which is detected by defender. It is advised to obfuscate chisel dll’s using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.
Figure a way to avoid
main.dllon disk / Create a new C# wrapper for chisel.
Create a method to parse command output for the