
How To Pivot Through a Network with Chisel 


jh.live/7a-john40 || 7ASecurity offers training and penetration tests with a free fix verification -- get 40% off training with JOHN40, $1000 off a pentest, or enter their contest to win a completely FREE pentest! jh.live/7a-freepentest
00:00 - Chisel
00:23 - Setup
01:30 - Recon
05:55 - On static binaries
12:44 - Using chisel
14:35 - Put it in reverse
19:22 - Socks Proxy
20:49 - Proxychains
23:12 - HTTP service
27:40 - Forward Shell
32:54 - Final Thoughts
🔥RU-vid ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Published: 14 Sep 2023

Comments: 154
@LzX000 (10 months ago)
You are the only RU-vid channel that I actually watch the ads for because they are on topic and actually useful. Please keep up the good work!
@benjaminlocker8484 (1 month ago)
Best pivoting explanation I've come across.
@grzegorztlusciak (10 months ago)
John, you have no idea how much that helps in my OSCP preparation :) Huge thanks for this vid!
@dARTh_k3LLy (10 months ago)
I am on the same road. Helps big-time! Thanks a lot John!
@TheJohnObraz (9 months ago)
Recently I joined the journey. Good luck bois
@sh3bu (10 months ago)
Nice video John! Love the way you simplify complex stuff for us to understand.. Thanks a lot ❤
@bufordmaddogtannen (10 months ago)
Pretty much everything you described is already available natively using SSH chains, including socks support and dynamic port forwarding to access remote ports as if they are local once the connection to the last endpoint has been established. Using the SSH client config file you can easily create a chain where you start from your local box, reach the jumphost and SSH through one or more hosts transparently and without the need to deploy additional software. Chisel is basically SSH over HTTP. Edit: in the scenario depicted in this video, with SSH available on the various hosts, Chisel seems redundant.
@corpse307 (10 months ago)
Yes, but if you don't have SSH access or the password on the compromised machine 😅
@bufordmaddogtannen (10 months ago)
@corpse307 in a real world scenario you would compromise a web application and get a shell running as the web user. From there you'd try to escalate privileges to root or at least get access to a local account. Then you'd establish persistent access via SSH keys. Chisel is more useful in a scenario where you need to evade a firewall since SSH access is blocked.
@corpse307 (10 months ago)
@bufordmaddogtannen I agree, but I was thinking of a scenario where the compromised machine has no SSH and no internet access to install it
@bufordmaddogtannen (10 months ago)
@corpse307 you still need some form of access.
@StrawHatSecurity (10 months ago)
I get that SSH is powerful and can do a lot of what Chisel does, but it's not always an option. Not every target system has SSH enabled, and some networks even block or monitor SSH traffic. Chisel can be a lifesaver in those scenarios. Even if the only external-facing machine isn't a web app or doesn't have SSH enabled, having alternative tools like Chisel becomes invaluable. A pentester should always have multiple tools and/or commands that can achieve the same outcome. This is essential in case one method is blocked, doesn't work, or lacks viability in a particular situation. SSH, Chisel, and Ligolo are all tools that fulfill this role, each with its own unique advantages. They all have their places in real-world scenarios.
@scottp8329 (10 months ago)
Absolutely fantastic John, you just make it sound so easy. Thanks for the vid buddy🤙🏼
@OldSnake1883 (10 months ago)
Thank you very much John for this walkthrough. This is a very important part.
@neffisback9729 (10 months ago)
That looks like a really useful tool for internal pentesting. Thank you for your awesome videos❤️
@nelmatrix3942 (10 months ago)
Wow, this is fascinating. Your skill set is incredible. 🤩
@creatormike1853 (10 months ago)
Thanks John, this is really helpful and more understandable than adding routes through metasploit etc., keep it up!
@brymstoner (9 months ago)
Quality episode! Worthwhile takeaways here for any Linux up-and-comers: ping sweeping and static binaries. Nice one, John. Thank you!
@JackOfAllThreatsMasterOfNone (10 months ago)
Thanks for this video, I'll watch it for sure. Hope you'll do another for ligolo. It seems to be simpler, but right now youtube is the only resource for learning about it... Well, if I don't ask too much, you could add a tools comparison at the end of your ligolo tutorial 😜
@DanT89 (9 months ago)
This video is incredibly helpful. Thank you for all the help you provide. Also for the work you do with the dinosaurs ❤
@cy_wareye7395 (10 months ago)
I've been using Chisel for 2 years already, but here John explains the main functionality in a really easy way. Listen, forward ...
@Logan-vw8bg (10 months ago)
Thank you, thank you, thank you! Amazing video.
@DoomerzZ (5 months ago)
Thanks to your explanations, I understood the concept well, thank you very much
@janekmachnicki2593 (10 months ago)
Great stuff John. Great tutorial for the OSCP challenge. Thanks
@Lupinicus1664 (10 months ago)
Nice video, well explained. Thank you.
@night0x1 (10 months ago)
Thanks for doing a pivoting video!! Gonna use chisel for eCPPT!
@PowerUsr1 (10 months ago)
Excellent demo of lateral movement...
@Jesse_Johnson (4 months ago)
Awesome. Super excited to work this in.
@justkiddieng6317 (10 months ago)
Definitely will save this for future works. Thanks
@hack_well (10 months ago)
This is awesome 🌟 Thanks John H. for my pentesting path.
@hoodietramp (10 months ago)
Was waiting for this😄📈
@sanja909 (9 months ago)
Great video! Thanks for the hard work :)
@DocGMoney (2 months ago)
This was like infinitely better than the Offsec Teachings.... Thank you so much! Edit: I say like because I don't think Offsec really tried to teach it... so yeah THANK YOU!
@dotcaodin (10 months ago)
Thank you for sharing this superb content!
@andrewlentz1205 (10 months ago)
Great video John!!
@davidetl8241 (10 months ago)
That was awesome! Excellent explanation, thank you!
@ramenpradhan2836 (9 months ago)
Thanks for providing this session, I want to use this one in my OSCP exam.
@sagar12527 (9 months ago)
Hey, thanks for this video. I was really struggling with the lateral movement.
@scottspa74 (10 months ago)
Awesome demonstration.
@faker-scambait (10 months ago)
Nice John, well done bro 👍👍
@mdiaztoledo (10 months ago)
Very interesting demo, thanks ^^
@KellenBegin (10 months ago)
Very helpful, not just chisel but hoaxshell should be quite useful too. Thanks!
@JohnE-jy7zr (2 months ago)
Ok what a super course, thanks very much master 😊 keep teaching us
@PurpleTeamer (10 months ago)
John is on FIRE
@lb5429 (8 months ago)
Really good explanation!
@mmm-cake (9 months ago)
Thanks John!
@Gobillion160 (10 months ago)
Amazing video John
@thisoldhooptie (9 months ago)
Nice work 👍
@WyldeZk (9 months ago)
Awesome video. Other great tools for pivoting are sshuttle and ligolo
@jessefmoore (10 months ago)
❤CyberForce T-shirt! I was core-RedTeam that year😊
@ttrss (10 months ago)
This is such a hassle, why would you not use normal SSH dynamic port forwarding, or SSH reverse port forwarding? Genuine question
@thirdeyeblind6369 (9 months ago)
SSH is not always available
@asdfasddfs5484 (10 months ago)
Thanks John
@j4ke_exe (10 months ago)
That music during the sponsor clip was 🔥
@egenexyegenexy7592 (10 months ago)
Much information❤
@FutBol-mx9no (9 months ago)
Excellent!
@Supp772 (2 months ago)
John makes me a beast day by day ❤
@KCM25NJL (9 months ago)
Can't help but feel this video was inspired by your recent work with the scam baiters / AnyDesk :).
@j4n0w5k1 (10 months ago)
Has anyone ever told you that you are like the Bill Nye of Cybersecurity? I definitely got that feel at 15:18 to 15:43. It is pretty entertaining.
@notta3d (9 months ago)
Great video. John does mostly red team work. Is there a John Hammond equivalent for the Blue Team? Your stuff is fantastic.
@Simple0x0 (10 months ago)
Great video John.. On your next pivoting video, try to showcase metasploit pivoting
@gamingwithcloud007 (10 months ago)
Awesome 👍👍👍
@ELIAS-og5vf (10 months ago)
GOOD TECHNIQUE
@0xdefensive (6 months ago)
Nice and good explanation, but I have a query: what if we do double pivoting? Do we need to pivot the third network to the second and then to the first, or is there a better way to do it?
@spyrosbariabas9452 (10 months ago)
Dude, yesterday I started playing with a HackTheBox machine called PC 2 hours after I saw your video. I am glad I did, because I bet I could not solve that box without chisel. Thank you so much, that video saved me time! + a new tool on my utility belt xd! Thank you so much John. Nice content as always!
@Kullaisec (10 months ago)
Nice
@SzaboB33 (9 months ago)
Off topic: your webcam's white circle was so high contrast, I only looked at it for 2 seconds and then the wall and blinked twice and I could see it crystal clear :D
@felixkiprop48 (10 months ago)
As always, John is a disciple preaching the gospel of the hacker.
@couldibwearingmoreclothes (9 months ago)
Network Interface Card... but network identification card sounds cool too.
@dadobe20 (7 months ago)
Super video!! I have some questions. I understand that you can load the binaries to the PIVOTING machine due to the fact that this one has port 22 open, but how can you do something similar for a machine that has another port open, such as 5000 with an HTTP service (TCP if I'm not wrong)? Many thanks in advance!! :) As additional info, I see that the victim machine on the LAB has no WGET or CURL option to upload files from the Kali machine.
@berthold9582 (10 months ago)
John 🎉 I understand all
@lewisfaraitimba4338 (3 months ago)
Thanks a lot John, but I wanted to ask: can I use psexec to get a reverse shell without using the method of pasting the URL into the RDP session?
@CTF_Walkthroughs (10 months ago)
Is there a link for this as a cloud lab or a download for installing it locally?
@neoninsv (10 months ago)
Hair looking glorious today
@Allen-TAN (9 months ago)
Excellenttttttttttttttttttttttttttttttttt
@karanb2067 (2 days ago)
Wait wait wait, so the basic concept of a reverse port forward is to connect to a certain server, which is our compromised machine, which makes a reverse connection to the internal .5 machine.... my DMZ in this case is the compromised machine, so there should also be a port mapping from my compromised machine to the specific port on the internal machine. What is that port number? I am sorry if I am getting confused somewhere and I'm open to being corrected....
@jajuang.videos (10 months ago)
Can chisel be used in reverse, where the server is on the box which is dual NIC'd and the client is on the attacking machine?
@MFoster392 (10 months ago)
Love the hair :-)
@surendharramakrishnan8544 (10 months ago)
Hi dude, can you please tell me the best malware analysis course, or please upload more malware analysis videos
@user-xv4ns1os7m (9 months ago)
Good job, can you do a video on ligolo-ng please
@KpFriendly (10 months ago)
Really good explanation. I read the HTB and was lost, but you explain everything really well. Can you make a tutorial for ptunnel-ng and dnscat2
@swagmuffin9000 (10 months ago)
Man! Every HTB module I do, I have to go somewhere else for explanations to understand the material.
@KpFriendly (10 months ago)
@swagmuffin9000 exactly! I just hate how slow videos can be sometimes. Yesterday I just found out Microsoft Edge has built-in ChatGPT and text to voice which I will try on HTB to learn better, maybe it will help
@swagmuffin9000 (10 months ago)
@KpFriendly haven't tried that yet, hope it works out for you 👍🏻
@jasonv6303 (10 months ago)
Great
@nvs-different-ideas (5 months ago)
Is it possible to not trigger the trap from a Canary trap/device?
@BrutusMaximusAurelius (10 months ago)
And this, friends, is why you also want host based detection on your Linux machines. Wouldn't be the first time an organization goes all out on EDR on Windows but neglects other OSes.
@uncleburu9464 (10 months ago)
Please, I need a video on how to create a computer worm and how it works
@jeremysilverstein1894 (10 months ago)
Would WGETing nmap from the pivot box not work?
@ChairmanHehe (10 months ago)
Doesn't OpenSSH do socks5 natively?
@pridem55555 (10 months ago)
Hi John! Great video! Just wondering how would this work if the pivot box was a Windows machine?
@grzegorztlusciak (10 months ago)
Same, there's chisel.exe for Windows as well.
@wolfrevokcats7890 (10 months ago)
Use the chisel for Windows version
@Tea20024 (5 months ago)
Sorry, I didn't get the part about the reverse proxy. Why do we need the connection to be reversed, client to server? What's wrong with the server to client connection?
@user-py6bv3sd6i (10 months ago)
Where did you buy that dope ass shirt man, I'd love such an item in my wardrobe.
@pillslifestylereviews6714 (10 months ago)
MGM should watch your vids
@user-rp7po9iq6v (9 months ago)
The greatest good you can do for another is not just to share your riches but to reveal to him his own.
@scottspa74 (10 months ago)
At 18:02 I got confused. Chisel on Kali is listening on 8080, so why (on the pivot box) did you set the R:8000? I would have thought the R: should point to 8080 on Kali cuz that's what chisel is running on (is it because 8080 is what is 'serving' chisel and not the 'listening' port?). Hoping anybody can help me understand. Thanks.
@thisoldhooptie (9 months ago)
He is not bringing up chisel in the local browser. He wants port 80 from the remote browser brought local. That's the 80 reversed to 8000. So he uses 8000 in the local browser to get the remote 80. Hope that makes sense.
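The two port-mapping questions in this thread (which port is which in a reverse forward, and where the server's 8080 fits) come down to reading chisel's remote syntax, so here is an added example, not code from the video or from the chisel project: a Python decoder for the documented `[R:]local-host:local-port:remote-host:remote-port/proto` form that states which chisel process listens where. Assumptions: defaults as given in the chisel README (`0.0.0.0` for unset hosts, `127.0.0.1:1080` for a socks remote, `tcp` for the protocol), and the server's own `-p 8080` port is the control channel, which never appears in a remote.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Remote:
    reverse: bool          # "R:" prefix: the server listens, the client's network is the target
    local_host: str        # interface the listening side binds
    local_port: int
    remote_host: str       # destination as reached from the far end of the tunnel
    remote_port: Optional[int]  # None for a socks remote
    socks: bool
    protocol: str


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_remote(spec: str) -> Remote:
    # Grammar: [R:][local-host:][local-port:][remote-host:]<remote-port|socks>[/tcp|udp]
    # Fields are read from the right, so "example.com:3000" is remote-host:remote-port.
    # Defaults are taken from the chisel README (assumption); IPv6 brackets are not handled.
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    protocol = "tcp"
    if "/" in body:
        body, protocol = body.rsplit("/", 1)
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {protocol!r}")
    parts = body.split(":")
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError(f"malformed remote {spec!r}")
    socks = parts[-1] == "socks"
    remote_port = None if socks else _port(parts[-1])
    parts = parts[:-1]
    remote_host = parts.pop() if parts and not socks else "0.0.0.0"
    local_port = _port(parts.pop()) if parts else (1080 if socks else remote_port)
    local_host = parts.pop() if parts else ("127.0.0.1" if socks else "0.0.0.0")
    if parts:
        raise ValueError(f"too many fields in {spec!r}")
    return Remote(reverse, local_host, local_port, remote_host, remote_port, socks, protocol)


def describe(spec: str) -> str:
    # Which chisel process opens the listening socket, and where the traffic exits.
    r = parse_remote(spec)
    listener, far = ("chisel server", "client") if r.reverse else ("chisel client", "server")
    target = (f"the {far}'s built-in SOCKS5 proxy" if r.socks
              else f"{r.remote_host}:{r.remote_port} as reached from the {far}")
    return f"{listener} listens on {r.local_host}:{r.local_port}/{r.protocol} -> {target}"


def is_valid_remote(spec: str) -> bool:
    try:
        parse_remote(spec)
        return True
    except ValueError:
        return False
```

For the video's `R:8000:127.0.0.1:80`, `describe()` reports that the server (Kali) listens on 0.0.0.0:8000 and delivers each connection to 127.0.0.1:80 as reached from the client on the pivot box.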
@si8963 (10 months ago)
TOP 🔝🎩
@mohamadelsawi (10 months ago)
And another question: you are creating a lot of terminals in ONE window! 😅 How can I do the same?
@Havirgem (10 months ago)
Wouldn't Croc work as well?
@Kay-1234 (10 months ago)
I feel like you would love "sshuttle" if you liked Chisel. Even easier to understand, and you don't need to install anything on the pivot box
@3rawkz (10 months ago)
Damn, makes tunneling nice and easy.
@dexker (7 months ago)
My chisel client fails to connect with the server. Not sure if it is a VPN issue. Anyone had this issue?
@blackhat5133 (10 months ago)
❤❤❤❤❤❤
@AmineOnline (10 months ago)
How can you navigate if you don't own those machines? That is illogical for me
@deanbell5164 (10 months ago)
What is the 'drawing board' app you used in this video?
@nordgaren2358 (10 months ago)
Paint?
@user-vb1pu1gl8o (9 months ago)
He waited for the stop sign to turn to a go sign.
@tercmd (10 months ago)
By the way, the links in the description aren't actual URLs
@_JohnHammond (10 months ago)
Good catch -- fixed, thank you!
@igu642 (10 months ago)
❤❤
@Lazy_IT (8 months ago)
23:50 But you cannot use FoxyProxy, with the chisel proxy on, and the Burp proxy at the same time
@iSgapetti (5 months ago)
Search "chisel burp" on Google and you'll get it
@ListenToThis2 (10 months ago)
Why don't we download nmap on the pivot machine instead of dropping it? Anyone care to explain please
@fdert (10 months ago)
It probably doesn't have internet access since it's a lab machine
@F.M671 (9 months ago)
Bro, where the chapters at?! Edit: the timestamps are in the desc but still. There used to be chapters for this vid...