Chisel
Pivoting using Chisel
Requirements
Requires a copy of the Chisel binary on both the target and attacker systems.
Advantages
Chisel is a portable binary that can be run on many operating systems
Either system can host the chisel server on a chosen TCP port
Allows for a high amount of flexibility in situations where restrictions on connectivity exist
No dependencies on SSH daemons/services running on the target
Supports authenticated proxies to prevent unwanted connections.
Individual Port Forwarding
Example: A service on a compromised host is listening on $RPORT
Run the Chisel server on the target and connect from the attack box
Specify the port forward on the client
Open a port on attack box and forward traffic to remote port
Open $LPORT on the attack box and port forward to $RPORT on the target.
Reverse Individual Port Forwarding
Example: A service on a compromised host is listening on $LPORT
Run the Chisel server on the attack box in reverse mode and connect from the target
Specify the port forward on the target machine
Open a port on attack box and forward traffic to remote port
Open $RPORT on the attack box and forward to $LPORT on the target through the reverse connection.
Socks Proxy
Server Running on Attack Box
Opens port 54321 on the attack box as a reverse SOCKS proxy and listens for connections from the Chisel client on this port.
Chisel Server Running on Target
Opens port 54321 on the attack machine as a forward SOCKS proxy.
Forward Dynamic SOCKS Proxy
Run the Chisel server on the target box
Use the target box as a jump host to reach additional targets routable by the target
The traffic flows forward to the target box, which acts as a transparent SOCKS proxy
Reverse Dynamic SOCKS Proxy
Run the Chisel server on the attack box in reverse mode
Connect to the Chisel server from the target and specify a reverse port forward
The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy
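Detection-side view of the modes above, as an added example that is not part of the original page: it classifies process-creation records as Chisel server or client invocations by Chisel's real `server`/`client` syntax and remote grammar (`R:` prefix for reverse, `socks` for a SOCKS remote), so a renamed binary is still caught. The `host|user|command line` record format and the sample events are constructed assumptions.

```python
import re
import shlex
from os.path import basename

# Constructed "host|user|command line" process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "web01|www-data|./chisel server -p 8000",
    "kali|root|chisel server -p 54321 --reverse",
    "db02|svc_sql|/tmp/ch client 10.10.14.5:54321 R:socks",
    "app03|appuser|/opt/bin/c client 10.10.14.5:8000 R:3306:127.0.0.1:3306",
    "build01|jenkins|python3 build.py --reverse",
    "ops01|admin|systemctl restart client",
]

# Chisel server options: next to a "server" token they identify the server side even if the binary was renamed.
SERVER_FLAGS = {"-p", "--port", "--host", "--reverse", "--socks5", "--auth"}
# Chisel client remote grammar: [R:][local-host:][local-port:][remote-host:](remote-port|socks)[/tcp|/udp]
REMOTE_RE = re.compile(r"^(R:)?(?:[\w.\-]+:)?(?:\d{1,5}:)?(?:[\w.\-]+:)?(?:\d{1,5}|socks)(?:/(?:tcp|udp))?$")
SOCKS_RE = re.compile(r"(^|:)socks(/|$)")


def classify(cmdline):
    """Return a finding dict for a Chisel server/client command line, else None."""
    argv = shlex.split(cmdline)
    named = bool(argv) and basename(argv[0]).lower().startswith("chisel")
    if "server" in argv:
        opts = argv[argv.index("server") + 1:]
        if named or any(o in SERVER_FLAGS for o in opts):
            return {"mode": "server", "reverse": "--reverse" in opts, "remotes": []}
    if "client" in argv:
        rest = argv[argv.index("client") + 1:]  # rest[0] is the server URL, the rest are remotes
        remotes = [a for a in rest[1:] if REMOTE_RE.match(a)]
        if remotes and (named or ":" in rest[0]):
            return {"mode": "client", "server": rest[0], "remotes": remotes,
                    "reverse": any(r.startswith("R:") for r in remotes),
                    "socks": any(SOCKS_RE.search(r) for r in remotes)}
    return None


def scan(events):
    """Classify every record; findings keep host and user for triage."""
    findings = []
    for line in events:
        host, user, cmdline = line.split("|", 2)
        finding = classify(cmdline)
        if finding:
            findings.append({"host": host, "user": user, **finding})
    return findings
```

Records whose command line carries neither a Chisel server flag nor a valid remote spec (the last two samples) produce no finding, which keeps the rule quiet on unrelated uses of the words "server" and "client".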
Reverse Shell Tips
Run Chisel in the Background
Running chisel in the foreground in a reverse shell will render your shell useless. Background the process in order to continue to use the shell while forwarding traffic.
Linux
Background a process with '&'. Works for both client and server sides.
Windows - PowerShell
Client Side
Server Side
Note that in server mode, you'll need to make sure your port is allowed through the firewall.