Chisel-Strike - A .NET XOR Encrypted Cobalt Strike Aggressor Implementation For Chisel To Utilize Faster Proxy And Advanced Socks5 Capabilities

2 years ago 159
BOOK THIS SPACE FOR AD
ARTICLE AD

A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.

Why write this?

In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn't maintained to the latest version of chisel. It didn’t allow using shellcode with donut, reflectio n methods or execute-assembly. I found a fix for this using the SharpChisel-NG project.

Since the SharpChisel assembly is around 16.7 MB, execute-assembly(has a hidden size limitation of 1 MB) and similar in memory methods wouldn’t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via execute-assembly to reflectively host and load a XOR encrypted version of SharpChisel with base64 arguments in memory.

As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.

Setup

Note: If using a Windows teamserver skip steps 2 and 3.

Clone/download the repository: git clone https://github.com/m3rcer/Chisel-Strike.git

Make all binaries executable:

cd Chisel-Strike

chmod +x -R chisel-modules

chmod +x -R tools

Install Mingw-w64 and mono:

sudo apt-get install mingw-w64

sudo apt install mono-complete

Import ChiselStrike.cna in cobalt strike using the Script Manager

Recompile binaries from the src folder if needed.

Usage

chisel can be executed on both the teamserver (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the teamserver and create a client on the beacon connecting back to the teamserver.

Commands

chisel <client/server> <command>: Run Chisel on a beacon

chisel-tms <client/server> <command>: Run Chisel on your teamserver

chisel-enc: XOR Encrypt SharpChisel.exe with a password of choice

chisel-jobs: List active chisel jobs on the teamserver and beacon

chisel-kill: Kill active chisel jobs on a beacon

chisel-tms-kill: Kill active chisel jobs on teamserver

Example

OPSEC

NetLoader can easily be obfuscated and used to bypass defender using projects like NimCrypt2 and the like.

Yet SharpChisel.exe drops a dll on disk due to the use of Costura/Fody packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll which is detected by defender. It is advised to obfuscate chisel dll's using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.

TODO

Figure a way to avoid SharpChisel dropping main.dll on disk / Create a new C# wrapper for chisel.

Create a method to parse command output for the chisel-tms command.

Credits

Flangvik and Arno0x for the NetLoader project.

shantanu561993 for the C# wrapper implementation of chisel: SharpChisel

latortuga71 for the load-assembly fix: SharpChisel-NG

Chisel-Strike - A .NET XOR Encrypted Cobalt Strike Aggressor Implementation For Chisel To Utilize Faster Proxy And Advanced Socks5 Capabilities Chisel-Strike - A .NET XOR Encrypted Cobalt Strike Aggressor Implementation For Chisel To Utilize Faster Proxy And Advanced Socks5 Capabilities Reviewed by Zion3R on 8:30 AM Rating: 5

Read Entire Article