# chisel Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. [Source code and download on the github repo](https://github.com/jpillora/chisel). ## Cheat Sheet From attacker/server start listening on 9090: ```shell ./chisel server -p 9090 --reverse ``` From client/target: ```shell # listen on 80, forward to localhost:80 ./chisel client {server ip}:9090 R:80:127.0.0.1:80 # listen on 3000, forward to 172.17.0.1:3000 ./chisel client {server ip}:9090 R:3000:172.17.0.1:3000 # listen on 4242, forward to 172.17.0.1:3000 ./chisel client {server ip}:9090 R:4242:172.17.0.1:3000 # create SOCKS5 listener on default port (1080), proxy through client ./chisel client {server ip}:9090 R:socks ``` 0xdf's guide is pretty good for a deep understanding of chisel: ## Usage \--help flag: ```shell # ./chisel --help Usage: chisel [command] [--help] Version: 1.7.7 (go1.17.6) Commands: server - runs chisel in server mode client - runs chisel in client mode Read more: https://github.com/jpillora/chisel ``` ### Server \--help flag: ```shell # ./chisel server --help Usage: chisel server [options] Options: [...] ``` ### Client \--help flag: ```shell # ./chisel client --help Usage: chisel client [options] [remote] [remote] ... is the URL to the chisel server. s are remote connections tunneled through the server, each of which come in the form: :::/ ■ local-host defaults to 0.0.0.0 (all interfaces). ■ local-port defaults to remote-port. ■ remote-port is required*. ■ remote-host defaults to 0.0.0.0 (server localhost). ■ protocol defaults to tcp. which shares : from the server to the client as :, or: R::::/ which does reverse port forwarding, sharing : from the client to the server's :. example remotes 3000 example.com:3000 3000:google.com:80 192.168.0.5:3000:google.com:80 socks 5000:socks R:2222:localhost:22 R:socks R:5000:socks stdio:example.com:22 1.1.1.1:53/udp When the chisel server has --socks5 enabled, remotes can specify "socks" in place of remote-host and remote-port. The default local host and port for a "socks" remote is 127.0.0.1:1080. Connections to this remote will terminate at the server's internal SOCKS5 proxy. When the chisel server has --reverse enabled, remotes can be prefixed with R to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying "R:socks" will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy. When stdio is used as local-host, the tunnel will connect standard input/output of this program with the remote. This is useful when combined with ssh ProxyCommand. You can use ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \ user@example.com to connect to an SSH server through the tunnel. Options: [...] ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.izenynn.com/tools/chisel.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.