Double pivoting with Chisel


Hello folks,

In this topic we will talk about a sensitive situation: what if you got a shell on a machine, but there is no SSH client or server on it, and you also don't have Meterpreter to run autoroute and start pivoting? So today I will talk about chisel, one of the best tools I like for pivoting. You can read about it here

And let's go.

First, when you run the git clone command you will download the files for chisel (chisel is written in the Go language), and it needs to be built for each specific OS. Here are the instructions

These are the files after cloning it from GitHub:

Then we start to build chisel.

To build it we need one command:

# GOOS=windows GOARCH=386 go build

The general form is: GOOS="OS" GOARCH="ARCH of OS" go build

386 = 32-bit | amd64 = 64-bit

You can choose your OS, such as Windows, Linux, etc.; all details are in the link below.

Here is an example for the Windows platform:

# upx --brute chisel

"This is an optional command if you need to reduce the size of the tool."
Here we finish the first part: how to build chisel.

After building it and reducing the size,

let's begin our lab. First we will try double port forwarding 🙂 And don't forget: here I do not care about the exploitation method or how you will transfer tools to the targets; this is your responsibility. I will just show you some tricks for pivoting.
Our topology will be the same as in this photo:

About the IPs of the machines:

Our machine, Kali Linux, acting as the attacker, has IP =

The next machine, Win7, acting as the first pivot point, has 2 NICs: first IP is = 2nd IP is =

The next machine, Win7, acting as the second pivot point, has 2 NICs: first IP is = 2nd IP is =

And last, our target, metasploitable, has only one IP =

Let's start.

We will run chisel as a server on the first pivot PC:

# chisel server -p 8888 -reverse

Then we will connect to the chisel server from the second pivot PC and start a remote port forward:

# chisel client R:9001:

Here, from pivot PC 2, I take port 80 of metasploitable, which I can reach in my network ( and make a tunnel to the server (pivot PC 1) via port 9001. Now the first pivot point can access the HTTP service of metasploitable locally via port 9001.

Now we can do the same between the attacker machine and the PC 1 pivot point by making a remote port tunnel and sending port 9001 to another local port on Kali.

So first let's run chisel as a server on Kali:


And now let's connect from PC 1, the first pivot point:

# chisel client R:8001:

And now we are done.

And here we finish port forwarding 🙂

Now, what about dynamic port forwarding and using it with proxychains? 😉

Let's start by running chisel as a server with the option --socks5:

Connect to the server with the client and specify local port 9999 for proxychains:

Then run another chisel as a server to start a connection with the next PC (pivot-pc2):

Here we run chisel as a client and choose port 8888 as the local port for the proxy:

Now let's configure our proxychains config file:

Let's try to scan our metasploitable, and it works successfully.

Now we are finished.
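
Seen from the defender's side, the server and client invocations used in this walkthrough show up in process-creation logs. The following added example (not code from the original post or from the chisel project) flags them by argument shape rather than by file name; the sample events, host names, paths and addresses are constructed, and `classify` and `hunt` are hypothetical helper names.

```python
import re

# Reverse remote spec as passed to a chisel client: R:<port>:<host>:<port>, R:socks, ...
REVERSE_REMOTE = re.compile(r"^R:(?:[\w.\-]+:)*(?:\d{1,5}|socks)(?:/(?:tcp|udp))?$")

# Constructed process-creation events (hosts, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"host": "pivot-pc1", "cmdline": r"C:\Users\Public\chisel.exe server -p 8888 -reverse"},
    {"host": "pivot-pc2", "cmdline": r"C:\Windows\Temp\upd.exe client 192.0.2.10:8888 R:9001:192.0.2.50:80"},
    {"host": "pivot-pc1", "cmdline": r"C:\Users\Public\upd.exe server -p 9000 --socks5 --reverse"},
    {"host": "files01", "cmdline": r"C:\Windows\System32\robocopy.exe R:\share D:\backup /MIR"},
    {"host": "web01", "cmdline": r"C:\node\node.exe server.js --port 8888"},
]


def classify(cmdline):
    """Return findings for one command line, judged by argument shape only."""
    # Drop the image path: the file name is easy to change, the arguments are not.
    args = [a.strip("\"'") for a in cmdline.split()][1:]
    lowered = [a.lower() for a in args]
    findings = []
    if "server" in lowered:
        # Go-style flags are accepted with one or two leading dashes.
        flags = {a.lstrip("-") for a in lowered if a.startswith("-")}
        if "reverse" in flags:
            findings.append("server accepts reverse tunnels")
        if "socks5" in flags:
            findings.append("server exposes SOCKS5 proxy")
    if "client" in lowered:
        findings += ["client opens reverse remote " + a
                     for a in args if REVERSE_REMOTE.match(a)]
    return findings


def hunt(events):
    """Return (host, finding) pairs for every suspicious event."""
    return [(e["host"], f) for e in events for f in classify(e["cmdline"])]


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

A workstation that both runs a tunnelling server and receives a reverse remote from another internal host, as pivot PC 1 does in this lab, is worth correlating across events rather than alerting on each line alone.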



