Chisel
Chisel is used to quickly and easily set up a tunnelled proxy or port forward through a compromised system, regardless of whether you have SSH access. It is written in Go and can be easily compiled for any system.
https://github.com/jpillora/chisel/releases
The chisel binary has two modes: client and server. You can access the help menus for either with the command:
chisel client|server --help
Chisel Reverse SOCKS Proxy:
This connects back from a compromised server to a listener waiting on our attacking machine.
On our own attacking box we would use a command that looks something like this:
Notice that, despite connecting back to port 1337 successfully, the actual proxy has been opened on 127.0.0.1:1080.
As such, we will be using port 1080 when sending data through the proxy.
Forward SOCKS Proxy:
In many ways the syntax for this is simply reversed from a reverse proxy.
First, on the compromised host we would use:
On our own attacking box we would then use:
In this command, PROXY_PORT is the port that will be opened for the proxy.
For example,
./chisel client 172.16.0.10:8080 1337:socks
would connect to a chisel server running on port 8080 of 172.16.0.10. A SOCKS proxy would be opened on port 1337 of our attacking machine.
Proxychains Reminder:
When sending data through either of these proxies, we would need to set the port in our proxychains configuration.
As Chisel uses a SOCKS5 proxy, we will also need to change the start of the line from socks4 to socks5:
Chisel Remote Port Forward:
A remote port forward is when we connect back from a compromised target to create the forward.
For a remote port forward, on our attacking machine we use the exact same command as before:
Once again this sets up a chisel listener for the compromised host to connect back to.
The command to connect back is slightly different this time, however:
Let's assume that our own IP is 172.16.0.20, the compromised server's IP is 172.16.0.5, and our target is port 22 on 172.16.0.10. The syntax for forwarding 172.16.0.10:22 back to port 2222 on our attacking machine would be as follows:
Connecting back to our attacking machine, functioning as a chisel server started with:
This would allow us to access 172.16.0.10:22 (via SSH) by navigating to 127.0.0.1:2222.
Chisel Local Port Forward:
As with SSH, a local port forward is where we connect from our own attacking machine to a chisel server listening on a compromised target.
On the compromised target we set up a chisel server:
We now connect to this from our attacking machine like so:
For example, to connect to 172.16.0.5:8000 (the compromised host running a chisel server), forwarding our local port 2222 to 172.16.0.10:22 (our intended target), we could use:
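The four modes above all come down to the chisel "remote" argument (1337:socks, R:socks, R:2222:172.16.0.10:22 and so on), and the confusing part is working out which side ends up listening on which port. The following helper decodes such specs, for instance from a chisel command line captured by process auditing, into "who listens where". It is an added example, not code from the original notes or from the chisel project, and the default host/port rules (0.0.0.0 for an omitted listen interface, 127.0.0.1:1080 for a bare socks remote, local port defaulting to the remote port) are assumptions taken from the chisel README; check them against the version in use.

```python
# Added example, not part of the original notes or of chisel itself.
# Defaults below are assumed from the chisel README; verify for your version.
from dataclasses import dataclass
from typing import List

SOCKS_DEFAULT = ("127.0.0.1", 1080)   # bind used for a bare "socks" remote
LOCAL_DEFAULT = "0.0.0.0"             # listen interface when none is given


@dataclass
class Remote:
    reverse: bool       # "R:" spec: the listener opens on the server, not the client
    listen_host: str
    listen_port: int
    target: str         # "host:port" the tunnel forwards to, or "socks"
    proto: str = "tcp"

    def listener_side(self) -> str:
        return "server" if self.reverse else "client"


def parse_remote(spec: str) -> Remote:
    """Decode one chisel remote such as 'R:2222:172.16.0.10:22' or '1337:socks'."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    proto = "tcp"
    if "/" in body:                          # optional "/udp" suffix
        body, proto = body.rsplit("/", 1)
    parts = body.split(":")
    if parts[-1] == "socks":                 # socks remotes: [host:][port:]socks
        host, port = SOCKS_DEFAULT
        head = parts[:-1]
        if len(head) == 1:
            port = int(head[0])
        elif len(head) == 2:
            host, port = head[0], int(head[1])
        elif head:
            raise ValueError(f"bad socks remote: {spec}")
        return Remote(reverse, host, port, "socks", proto)
    if len(parts) == 1:                      # "3000": same port both ends
        return Remote(reverse, LOCAL_DEFAULT, int(parts[0]), f"{LOCAL_DEFAULT}:{parts[0]}", proto)
    if len(parts) == 2:                      # "rhost:rport": local port = remote port
        return Remote(reverse, LOCAL_DEFAULT, int(parts[1]), f"{parts[0]}:{parts[1]}", proto)
    if len(parts) == 3:                      # "lport:rhost:rport"
        return Remote(reverse, LOCAL_DEFAULT, int(parts[0]), f"{parts[1]}:{parts[2]}", proto)
    if len(parts) == 4:                      # "lhost:lport:rhost:rport"
        return Remote(reverse, parts[0], int(parts[1]), f"{parts[2]}:{parts[3]}", proto)
    raise ValueError(f"bad remote: {spec}")


def describe(argv: List[str]) -> List[str]:
    """Summarise the remotes of a captured 'client <server> <remote>...' argument list."""
    if len(argv) < 3 or argv[0] != "client":
        raise ValueError("expected: client <server-url> <remote>...")
    return [f"{r.listener_side()} listens on {r.listen_host}:{r.listen_port}/{r.proto} -> {r.target}"
            for r in map(parse_remote, argv[2:])]
```

Running describe(["client", "172.16.0.10:8080", "1337:socks"]) reports the client (our attacking box) listening on 127.0.0.1:1337, while "R:socks" puts the 1080 listener on the server side, matching the behaviour noted in the reverse SOCKS section.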