Chisel is a super useful tool for use on both Windows and Linux machines. It allows us to conveniently obtain practically the same functions as SSH (in terms of Port Forwarding).

Index

Introduction

It can be downloaded from its official Chisel repository on GitHub. There we can find the different packages for different systems, both Windows and Linux:

Chisel packages available for download

Chisel Packages

In this case, the “laboratory” is as follows:

  • 3 Machines
    • Kali —> My attacker machine
      • IP: 192.168.10.10
    • Windows 7 32 Bits
      • IP: 192.168.10.30 and 192.168.20.30 —> 2 Network Interfaces
    • Debian —> Web Server and SSH - Port 22 and 80 enabled
      • IP: 192.168.20.20 and 192.168.30.10 —> 2 Network Interfaces (although the second one is irrelevant for this post)

Pivoting laboratory diagram with Chisel

Lab

Since Chisel is also a tool that works on Windows, we are going to mix both systems, as it is fully compatible.

First of all, we download the corresponding chisel versions for both the Kali machine and the Windows machine, since Chisel works through a client-server architecture. Once downloaded, we make sure it works:

Chisel verification on Kali

Kali

Chisel verification on Windows 7

Windows 7 - 32 Bits

Once we have everything ready, let’s see the possibilities that Chisel offers us. Actually, with this tool we can simulate and do all the forwardings that SSH can do, that is:

  • Local Port Forwarding
  • Remote Port Forwarding
  • Dynamic Port Forwarding

And all without the need for SSH, which allows us to practically use Chisel in almost any situation without depending on this protocol. In addition, conceptually, all forwardings work in the same way as in SSH.

Local Port Forwarding

Knowing that the architecture is client-server, and that we are dealing with Local Port Forwarding, we have to establish the server, in this case, on the Windows machine. To do this, the syntax is quite simple:

chisel server -p <port>

We have to establish a port which will be where chisel runs and the client subsequently connects, so knowing this, I am going to establish the server on port 1234:

Chisel server configuration for Local Port Forwarding

Chisel Server in Local Port Forwarding

With this established, now we just have to go to our Kali to connect as a client, the syntax in this case is a little more complex since we have to specify which IP and port we want to reach:

chisel client <chisel server address>:<chisel server port> <local port to open>:<address to point to>:<port to point to on the target address>

In this case:

Chisel client configuration for Local Port Forwarding

Chisel Client in Local Port Forwarding

As we see, chisel indicates that we have successfully connected, if this were not the case, it would behave as follows:

Chisel connection error

Error if Chisel does not connect

But in this case, we connect without problems. With this, we just have to go to the local port we have opened, in this case port 80, which supposedly is pointing to port 80 of 192.168.20.20 (the web server):

Successful access to web server through tunnel

Web Server

As we see, we arrive without problems.

Chisel also allows tunneling multiple ports at the same time, with the syntax as follows:

A = chisel client <chisel server address>:<chisel server port>

B = <local port to open>:<address to point to>:<port to point to on the target address>

The syntax for tunneling multiple ports would then be as follows:

A + B + B + B + B… etc…

Example:

Multiple port tunneling with Chisel

Tunneling multiple ports

In addition to port 80, we are tunneling port 22 (SSH), so:

Successful SSH connection through tunnel

SSH Connection

We see that we connect to the machine we have specified.

Remote Port Forwarding

Unlike Local Port Forwarding, in Remote Port Forwarding, the server is placed on Kali, while the client would be Windows.

The syntax for both the client and the server has some variations, in this case, the commands would be:

  • Server —> Kali
chisel server -p <port> --reverse
  • Client —> Windows
chisel client <chisel server address>:<chisel server port> R:<port to open on chisel server>:<address to point to>:<port to point to on the target address>

Knowing this, we establish the server on our Kali:

Chisel server configuration on Kali

Chisel Server on port 1234

With this, we connect from Windows to our Kali machine:

Windows client connection to Chisel server

Client-Server Connection

If we now look at our Kali we can see how it has connected correctly:

Successful connection confirmation on server

Successful connection with Chisel

Thus, analyzing and bringing the command executed on the client:

chisel client 192.168.10.10:1234 R:80:192.168.20.20:80

We should be able to access port 80 of 192.168.20.20 (the Web Server) from our Kali from our port 80:

Access to web server via Remote Port Forwarding

Accessing the Web Server

As we see, we arrive without problems.

Just like in Local Port Forwarding, we can tunnel multiple ports with the same Chisel connection, it would be done in the same way:

A = chisel client <chisel server address>:<chisel server port>

B = R:<port to open on chisel server>:<address to point to>:<port to point to on the target address>

The syntax for tunneling multiple ports would then be as follows:

A + B + B + B + B… etc…

Example:

Multiple port tunneling from client

Tunneling 2 Ports from Client

Server response to tunneling

Response to two-port tunneling

This way, we can access not only port 80 of the machine, but also port 22:

SSH connection via multiple tunneling

Successful SSH connection

We see that it works perfectly.

Dynamic Port Forwarding

With Dynamic Port Forwarding we can tunnel all ports, creating a SOCKS proxy. The operation and use is exactly the same as the SSH proxy.

Chisel allows us to create both a Forward Proxy and a Reverse Proxy. In terms of usage, the Reverse Proxy is used more, for the same reason that Reverse Shells are more famous than Bind Shells. Generally speaking, a Reverse Proxy or a Reverse Shell will give you fewer problems with firewalls than the other two options (Forward and Bind). In any case, whichever proxy you choose, both will do their job.

For each one, the syntax is a little different:

  • Forward Proxy
    • Server —> Windows
      • chisel server -p <port> --socks5
    • Client —> Kali
      • chisel client <chisel server address>:<chisel server port> <port that will act as proxy>:socks
  • Reverse Proxy
    • Server —> Kali
      • chisel server -p <port> --reverse
    • Client —> Windows
      • chisel client <chisel server address>:<chisel server port> R:<port that will act as proxy>:socks

Laboratory diagram reminder

Lab Reminder

We are going to see both in practice, but first, we configure firefox to use port 1080, which will be the port where in each case each proxy will work (so we don’t have to change it).

SOCKS proxy configuration in Firefox

Firefox Configuration

With this ready, let’s start.

  • Forward Proxy

Server configuration for Forward Proxy

Server

Client configuration for Forward Proxy

Client

This way, if we try to access IP 192.168.20.20 in Firefox:

Successful access via Forward Proxy

Successful connection

We see that we access it.

  • Reverse Proxy:

Server configuration for Reverse Proxy

Server

Client configuration for Reverse Proxy

Client

This way, if we try again to access the Web Server:

Successful access via Reverse Proxy

Successful connection

We continue to arrive without problems.

In this case, we are only using the proxy for firefox, but it can be used for other programs or commands. To do this, we can use Proxychains, which will leverage this created SOCKS proxy to route all traffic. This can be seen in more detail in the post about Pivoting with Proxychains.

Share on X Share on LinkedIn Share on Telegram
Comment on Discord Visit the author page