Chisel-Strike is a .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn’t maintained to the latest version of chisel. It didn’t allow using shellcode with donut, reflection methods or execute-assembly
. I found a fix for this using the SharpChisel-NG project.
Since the SharpChisel assembly is around 16.7 MB
, execute-assembly
(has a hidden size limitation of 1 MB
) and similar in memory methods wouldn’t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via execute-assembly
to reflectively host and load a XOR encrypted version of SharpChisel
with base64 arguments in memory.
As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.
Note: If using a Windows teamserver skip steps 2 and 3.
git clone https://github.com/m3rcer/Chisel-Strike.git
cd Chisel-Strike
chmod +x -R chisel-modules
chmod +x -R tools
Mingw-w64
and mono
:s
udo apt-get install mingw-w64
sudo apt install mono-complete
ChiselStrike.cna
in cobalt strike using the Script Manager
Recompile binaries from the src
folder if needed.
chisel can be executed on both the teamserver (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the teamserver and create a client on the beacon connecting back to the teamserver.
chisel <client/server> <command>
: Run Chisel on a beaconchisel-tms <client/server> <command>
: Run Chisel on your teamserverchisel-enc
: XOR Encrypt SharpChisel.exe
with a password of choicechisel-jobs
: List active chisel jobs on the teamserver and beaconchisel-kill
: Kill active chisel jobs on a beaconchisel-tms-kill
: Kill active chisel jobs on teamserverNetLoader can easily be obfuscated and used to bypass defender using projects like NimCrypt2 and the like.
Yet SharpChisel.exe
drops a dll
on disk due to the use of Costura/Fody
packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll
which is detected by defender. It is advised to obfuscate chisel dll’s using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…