A Detailed Guide on Chisel Part 2

Gauloran

Senior Moderator
7 Jul 2013

Local Port Forwarding Example – 2


There is another way to access the HTTP service, this time using the attacker's IP address instead of the loopback interface. To achieve this we have to install chisel on the target machine. In this example the target is an Ubuntu system. Since chisel is written in Go, we first install Go on the target system using the command below.

Code:
apt install golang



Then we download chisel from its official repository and build it on the target system. go build is an automated build tool that aims to replace makefiles for simple projects written in Go. It generates a dependency graph of all local imports and compiles them in the correct order using the gc Go compiler. -ldflags passes linker flags to the underlying linker in the Go toolchain; the -s and -w flags are not strictly necessary, but they strip the symbol table and DWARF debug information and so reduce the size of the resulting binary. Navigate to the cloned chisel folder and build it with go build.

Code:
git clone https://github.com/jpillora/chisel.git
apt install golang
go build -ldflags="-s -w"



Next, we set up the chisel server on port 5000 in the attacking box, as shown in the previous example. In the previous example we reached a service hosted in the remote intranet through the loopback interface of the attacking box. This time we will access the HTTP service on port 8888 on the attacker side. The Ubuntu machine, acting as our client, establishes a connection to the remote server (192.168.1.205) on port 5000. Once the tunnel is created, the HTTP service hosted on the client's loopback interface (127.0.0.1) becomes reachable remotely on port 8888.

Code:
./chisel client 192.168.1.205:5000 R:8888:localhost:8080

Once the connection with the chisel server is established, we can access the HTTP service from the attacking box on port 8888.
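The remote argument in the client command above (R:8888:localhost:8080) follows chisel's remote syntax, [R:]local-host:local-port:remote-host:remote-port[/protocol], where fields are filled in from the right and only remote-port is mandatory. The parser below is an added example, not chisel's own code; it decodes that syntax (including the socks shorthand used later in this guide) and reports which end of the tunnel opens the new listening socket, which is the detail a defender reviewing a host for unexpected listeners cares about. Field defaults follow the chisel README; the 127.0.0.1 local-host default for socks remotes is an assumption taken from the README's stated default, and IPv6 literals in brackets are not handled.

```python
"""Parser for chisel's remote specification
    [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/<protocol>]
and the 'socks' shorthand. Added example, not chisel's own code. Field
defaults follow the chisel README; the 127.0.0.1 local-host default for
socks remotes is an assumption taken from the README's stated default."""


def parse_remote(spec):
    """Decode one remote string into its fields, filling from the right
    the way chisel does (remote-port is the only mandatory field)."""
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError("unknown protocol %r" % proto)
    parts = spec.split(":")
    out = {"reverse": reverse, "proto": proto, "socks": False,
           "local_host": "0.0.0.0", "remote_host": "0.0.0.0"}
    if parts[-1] == "socks":
        # 'socks' replaces remote-host:remote-port; the listener is a
        # SOCKS5 proxy, so there is no fixed destination to record.
        head = parts[:-1]
        out.update(socks=True, local_host="127.0.0.1", local_port=1080,
                   remote_host=None, remote_port=None)
        if len(head) == 1:
            out["local_port"] = int(head[0])
        elif len(head) == 2:
            out["local_host"], out["local_port"] = head[0], int(head[1])
        elif head:
            raise ValueError("malformed socks remote: " + spec)
        return out
    if not 1 <= len(parts) <= 4 or not all(parts):
        raise ValueError("malformed remote: " + spec)
    out["remote_port"] = int(parts[-1])
    if len(parts) >= 2:
        out["remote_host"] = parts[-2]
    out["local_port"] = int(parts[-3]) if len(parts) >= 3 else out["remote_port"]
    if len(parts) == 4:
        out["local_host"] = parts[0]
    return out


def describe(spec):
    """Say which end opens the new listening socket and where traffic goes.
    A forward remote listens on the client (the compromised host); an R:
    remote listens on the chisel server, which is what makes it usable from
    a host that only allows outbound connections."""
    r = parse_remote(spec)
    listener, egress = ("chisel server", "client") if r["reverse"] else ("chisel client", "server")
    where = "%s:%s" % (r["local_host"], r["local_port"])
    if r["socks"]:
        return "%s listens on %s as a SOCKS5 proxy egressing from the %s" % (listener, where, egress)
    return "%s listens on %s/%s and forwards to %s:%s as reachable from the %s" % (
        listener, where, r["proto"], r["remote_host"], r["remote_port"], egress)


if __name__ == "__main__":
    for s in ("R:8888:localhost:8080", "R:socks", "3000:google.com:80", "1.1.1.1:53/udp"):
        print(s, "->", describe(s))
```

For the command in this section, describe("R:8888:localhost:8080") reports that the chisel server (the attacking box) opens the listener on 0.0.0.0:8888 and that connections to it are delivered to localhost:8080 as seen from the client, which is exactly the behaviour the text describes.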

Establish Connection with SOCKS5 Proxy


During an internal assessment we may come across a situation where a compromised system communicates with another system through a different adapter or on a different subnet. This can be checked with ipconfig/ifconfig, which shows whether the system is connected to another network via a second adapter. In such scenarios local port forwarding will not work, and we have to identify which ports are open for outbound traffic. As shown in the screenshot below, we could not establish a connection with the remote host.



To overcome this issue we have to go through multiple steps. First, we set up a chisel server in the attacking box on port 8000.

Then we establish a connection with the chisel server from the Ubuntu box, specifying remote access through a SOCKS proxy. Like most other proxy types, SOCKS proxies hide the client's IP address and are commonly used to bypass geo-restrictions. Unlike an HTTP proxy, a SOCKS proxy does not interpret the web data it carries; it is mainly used to relay traffic to services behind firewalls that limit regular client access. All communication can be routed through the SOCKS5 proxy using utilities such as proxychains or proxychains4.

-p: listening port of the server (attacking box)

--socks5: start an internal SOCKS4/SOCKS5 proxy

--reverse: allows reverse port forwarding


We can also access an individual port on the target using the command below. We connect to the server hosted in the attacking machine and then reach the target service through the tunnel.



We can also enable the SOCKS proxy while setting up the chisel server. In the example below, we have set up a chisel server on port 9001 with the SOCKS5 proxy enabled.




All the configuration above is done at the system level, but how does the browser know that we want to reach the HTTP service through the proxy? We have to configure it in the browser as well; otherwise we cannot browse any HTTP or HTTPS services. To do this, we configure the browser's proxy settings manually: proxy type SOCKS, host set to the loopback address 127.0.0.1, and the SOCKS version (SOCKS4 or SOCKS5) matching the one we are using. In this example we use SOCKS5 on port 1080, with no proxy for the loopback interface itself. The same can be done with the FoxyProxy add-on for Mozilla Firefox.
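What the browser (or proxychains) does once it is pointed at 127.0.0.1:1080 is the SOCKS5 CONNECT handshake from RFC 1928: it offers an authentication method, then asks the proxy to open a TCP connection to the destination on its behalf. The code below is an added example, not chisel's own code or the browser's, that performs that handshake in plain Python and reports the proxy's reply code, so the proxy configuration can be verified (and a refusal such as "not allowed by ruleset" diagnosed) without a browser. The mock SOCKS5 listener it contains is constructed for offline testing only; against a real proxy, pass its address to socks5_connect.

```python
"""SOCKS5 (RFC 1928) CONNECT handshake, as a browser or proxychains performs it
against a local SOCKS listener. Added example, not chisel's own code.
The mock proxy below is a constructed stand-in for offline testing."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """VER=5, NMETHODS=1, METHODS=[no authentication]."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request; dotted IPv4 goes as ATYP 1, anything else as a domain
    name (ATYP 3) so the proxy resolves it, which is what keeps DNS lookups
    off the client side."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def _recv_address(sock):
    """Read ATYP + address + port from the wire; returns (host, port)."""
    atyp = _recv_exact(sock, 1)[0]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        host = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    else:
        raise ValueError("unknown address type %#x" % atyp)
    return host, struct.unpack("!H", _recv_exact(sock, 2))[0]


def socks5_connect(proxy, dest, timeout=5.0):
    """Open a TCP stream to dest=(host, port) through proxy=(host, port)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION:
            raise ValueError("not a SOCKS5 proxy")
        if method == NO_ACCEPTABLE:
            raise PermissionError("proxy requires authentication we did not offer")
        sock.sendall(build_connect(*dest))
        ver, rep, _rsv = _recv_exact(sock, 3)
        if ver != SOCKS_VERSION:
            raise ValueError("malformed CONNECT reply")
        _recv_address(sock)  # BND.ADDR/BND.PORT, not needed for CONNECT
        if rep != 0x00:
            raise ConnectionError("proxy refused CONNECT: " + REPLY_TEXT.get(rep, hex(rep)))
        return sock
    except Exception:
        sock.close()
        raise


def start_mock_socks5(reply_code=0x00):
    """Constructed stand-in for a SOCKS5 listener; records the CONNECT target
    and answers with reply_code. Returns ((host, port), seen_targets)."""
    seen = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, _cmd, _rsv = _recv_exact(conn, 3)
            seen.append(_recv_address(conn))
            conn.sendall(bytes([SOCKS_VERSION, reply_code, 0x00, ATYP_IPV4]) + b"\0" * 6)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), seen


def demo(reply_code=0x00):
    """Run one handshake against the mock; returns (target seen, outcome)."""
    proxy, seen = start_mock_socks5(reply_code)
    try:
        socks5_connect(proxy, ("localhost", 8080)).close()
        return seen[0], "succeeded"
    except ConnectionError as err:
        return seen[0], str(err)


if __name__ == "__main__":
    print(demo())
    print(demo(0x02))
```

The handshake bytes are small enough to recognise on the wire: a client greeting of 05 01 00 followed by a 05 01 00 03 ... request is a plaintext SOCKS5 CONNECT, so a proxy that is reachable from more than the loopback interface is also visible to anyone watching the segment; that is why the page binds it to 127.0.0.1.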





Now we can access the services without any issues. We can verify this by browsing to the target HTTP service, where the request is sent via the proxy.
