Chisel-Strike is a .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn’t maintained to the latest version of chisel. It didn’t allow using shellcode with donut, reflection methods or execute-assembly. I found a fix for this using the SharpChisel-NG project.
Since the SharpChisel assembly is around 16.7 MB, execute-assembly(has a hidden size limitation of 1 MB) and similar in memory methods wouldn’t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via execute-assembly to reflectively host and load a XOR encrypted version of SharpChisel with base64 arguments in memory.
As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.
Note: If using a Windows teamserver skip steps 2 and 3.
git clone https://github.com/m3rcer/Chisel-Strike.gitcd Chisel-Strikechmod +x -R chisel-moduleschmod +x -R toolsMingw-w64 and mono:sudo apt-get install mingw-w64sudo apt install mono-completeChiselStrike.cna in cobalt strike using the Script ManagerRecompile binaries from the src folder if needed.
chisel can be executed on both the teamserver (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the teamserver and create a client on the beacon connecting back to the teamserver.
chisel <client/server> <command>: Run Chisel on a beaconchisel-tms <client/server> <command>: Run Chisel on your teamserverchisel-enc: XOR Encrypt SharpChisel.exe with a password of choicechisel-jobs: List active chisel jobs on the teamserver and beaconchisel-kill: Kill active chisel jobs on a beaconchisel-tms-kill: Kill active chisel jobs on teamserverNetLoader can easily be obfuscated and used to bypass defender using projects like NimCrypt2 and the like.
Yet SharpChisel.exe drops a dll on disk due to the use of Costura/Fody packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll which is detected by defender. It is advised to obfuscate chisel dll’s using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…