Double pivoting with Chisel
hello folks
In this topic we will talk about a sensitive situation: what if you got a shell on a machine, but there is no SSH client or server on it, and you also don't have Meterpreter to run autoroute and start pivoting? So today I will talk about chisel, the tool I like best for pivoting. You can read about it here:
https://github.com/jpillora/chisel
and let’s go
At first, when you run the git clone command you will download the chisel files (chisel is written in Go), and it needs to be built for each specific OS. Here are the instructions:
https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63#a-list-of-valid-goarch-values
These are the files after cloning it from GitHub:
Then we start to build chisel. To build it we have one command:
# GOOS=windows GOARCH=386 go build
The general form is: GOOS="<OS>" GOARCH="<arch of OS>" go build
386 = 32-bit | amd64 = 64-bit
And you can choose your OS, such as Windows, Linux, etc. All the details are in the link below:
https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63#a-list-of-valid-goarch-values
Here is an example for the Windows platform:
# upx --brute chisel
(This command is optional, if you need to reduce the size of the tool.)
Here we finish the first part, how to build chisel.
After building it and reducing the size,
let's begin our lab. At first we will try double port forwarding 🙂 and don't forget, here I do not care about the exploitation method or how you transfer the tools to the targets; that is your responsibility. I will just show you some tricks for pivoting.
Our topology is the same as this photo.
About the IPs of the machines:
our machine, Kali Linux, is assumed to be the attacker and has IP = 192.168.40.128
the next, Win7, is assumed to be the first pivot point; it has 2 NICs, first IP = 192.168.40.130, 2nd IP = 192.168.30.130
the next, Win7, is assumed to be the second pivot point; it has 2 NICs, first IP = 192.168.30.131, 2nd IP = 192.168.20.131
and at last, our target Metasploitable has only one IP = 192.168.20.128
let’s start
We will run chisel as a server on the first pivot PC:
# chisel server -p 8888 -reverse
Then we will access the chisel server from the second pivot PC and start a remote port forward:
# chisel client 192.168.30.130:8888 R:9001:192.168.20.128:80
Here, from pivot PC 2, I take port 80 of Metasploitable, which I can reach in my network (192.168.20.128), and make a tunnel to the server (pivot PC 1) on port 9001. Now the first pivot point can access the HTTP service of Metasploitable locally via port 9001.
Now we can do the same between the attacker machine and the PC 1 pivot point, by making a remote port tunnel and sending port 9001 to another local port on Kali.
So at first let's run chisel as a server on Kali, this time listening on port 8000,
and now let's connect from PC 1, the first pivot point:
# chisel client 192.168.40.128:8000 R:8001:127.0.0.1:9001
And now we are done;
here we finish the port forward 🙂
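As an added example (not from the original post and not part of the chisel project): a small Python model that takes chisel client command lines like the two above, for instance as a defender would see them in process-creation logs, and resolves where each reverse-forward listener really leads through the chain. The host inventory and the command records are constructed to match this lab; the hop logic (listener on the server side, remote host resolved from the client side) follows chisel's R: syntax.

```python
import re

# Constructed inventory matching the lab in this post: host name -> its IPs.
HOSTS = {
    "kali": {"192.168.40.128"},
    "pivot1": {"192.168.40.130", "192.168.30.130"},
    "pivot2": {"192.168.30.131", "192.168.20.131"},
    "metasploitable": {"192.168.20.128"},
}
# chisel reverse remote spec: R:[local-host:]local-port:remote-host:remote-port
REMOTE_RE = re.compile(r"^R:(?:[^:]+:)?(\d+):([^:]+):(\d+)$")

def owner(ip):
    # Inventory name that owns this IP, or the raw IP if it is not in the inventory.
    return next((name for name, ips in HOSTS.items() if ip in ips), ip)

def build_listeners(records):
    """records: (host the command ran on, 'chisel client SERVER R:...' command line).
    Returns {(listener_host, port): (next_host, next_port)}. With R: the listener opens
    on the chisel *server*, but remote-host is resolved on the client (127.0.0.1 = pivot)."""
    listeners = {}
    for run_on, cmdline in records:
        parts = cmdline.split()
        if parts[:2] != ["chisel", "client"] or len(parts) < 4:
            continue  # not a chisel client command line
        server_host = owner(parts[2].rsplit(":", 1)[0])
        for spec in parts[3:]:
            m = REMOTE_RE.match(spec)
            if not m:
                continue  # local (non-R:) remotes are not part of this model
            lport, rhost, rport = int(m.group(1)), m.group(2), int(m.group(3))
            next_host = run_on if rhost in ("127.0.0.1", "localhost") else owner(rhost)
            listeners[(server_host, lport)] = (next_host, rport)
    return listeners

def resolve(listeners, host, port, max_hops=8):
    """Follow the listeners hop by hop from (host, port) to the real endpoint."""
    path = [(host, port)]
    while (host, port) in listeners:
        host, port = listeners[(host, port)]
        path.append((host, port))
        if len(path) > max_hops:
            raise RuntimeError("forwarding loop or chain too long")
    return path

# Constructed records: the two chisel client commands from the double port forward above.
LAB_RECORDS = [
    ("pivot2", "chisel client 192.168.30.130:8888 R:9001:192.168.20.128:80"),
    ("pivot1", "chisel client 192.168.40.128:8000 R:8001:127.0.0.1:9001"),
]
def lab_chain():  # where Kali's port 8001 really leads
    return resolve(build_listeners(LAB_RECORDS), "kali", 8001)
```

For this lab `lab_chain()` returns `[('kali', 8001), ('pivot1', 9001), ('metasploitable', 80)]`, which is exactly why a 127.0.0.1 remote in a chisel command line on a pivot deserves a second look.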
Now, what about dynamic port forwarding and using it with proxychains? 😉
Let's start by running chisel as a server with the option --socks5.
Connect to the server via the client and specify local port 9999 for proxychains.
And run another chisel as a server to start a connection with the next PC (pivot PC 2).
Here we run chisel as a client and choose port 8888 to be the local port for the proxy.
Now let's configure our proxychains config file.
Let's try to scan our Metasploitable, and it works successfully.
Now we are finished.
Special thanks to EBRAHIM KHADI AND ESLAM MEDHAT