[HN Gopher] Chisel: A fast TCP/UDP tunnel over HTTP
___________________________________________________________________
Chisel: A fast TCP/UDP tunnel over HTTP
Author : lyu07282
Score : 137 points
Date : 2024-04-04 10:47 UTC (2 days ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| MuffinFlavored wrote:
| I've used this before and it's great as a "reverse tunnel" when
| you have a VM in the cloud that _does_ allow configurable port
| forwarding /firewall rules but need to connect "peer to peer" to
| a customer in a workshop who has the typical "my router blocks
| everything and we aren't going to spend the time supporting every
| workshop's possible inbound network connection setup".
|
| It helps for "flipping" the "server connects to client".
|
| But... it gets detected as malware really easily haha
| asib wrote:
| > But... it gets detected as malware really easily haha
|
| It's a common tool in the red teamer's toolbox.
|
| Just search "chisel" on https://ippsec.rocks to see how often
| it's utilised in a pentest type of scenario.
| mike_d wrote:
| It is used by red teamers because it is used by attackers.
|
| https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel
| passion__desire wrote:
| by that you mean, the traffic is suspicious or the binary?
| magnoliakobus wrote:
| Both the protocol tunneling activity and the binary would
| likely be flagged by most enterprise security software.
| amelius wrote:
| That makes it kinda useless.
|
| What we need is a self-updating mechanism. See for instance
| yt-dlp, which breaks every now and then but a simple update almost
| always puts you back in action. We need something similar for
| tunnels.
| Thorrez wrote:
| What benefit would a self-updating mechanism provide?
| globular-toast wrote:
| Assuming they mean a cat and mouse game like ytdl where the
| software is updated once it starts getting detected by the
| enemy.
| jpillora wrote:
| I was tempted to play the cat and mouse AV detection game
| though decided against it. It's open source and with effort,
| one can make it avoid detection, but I'll leave that up to the
| reader
| dang wrote:
| Related:
|
| _Chisel - A fast TCP tunnel over HTTP_ -
| https://news.ycombinator.com/item?id=13353457 - Jan 2017 (38
| comments)
| mattmerr wrote:
| I am curious to see benchmark results for the same use cases but
| with 10ms and 100ms latency added between the client and server.
| It looks like the bench currently just stays within the same
| machine.
|
| I do not often operate below the application layer, but as I
| understand it both the HTTP and SSH layers would add
| back-and-forths from client to server that UDP does not perform.
| Would UDP over HTTP over SSH have a slowdown steeply (but
| linearly?) correlated with the ping to the server? And (>linear)
| increased effects on packet loss? Crowbar seems to only do HTTP,
| so saves some considerable amount of backs-and-forths... but
| doesn't have the benefit from websockets...
| jpillora wrote:
| You're right, that'd be a better test - and I think the gap
| between chisel and crowbar would grow even more. Chisel is
| effectively doing ssh tunnelling, with extra layers.
| Performance is lost in packet wrapping/unwrapping, reduced MTU
| but it shouldn't result in more round trips
| lxgr wrote:
| How does this compare to something like MASQUE (i.e. TCP, UDP, or
| even IP proxied over HTTP/3, /2 or /1)? Does this just predate it
| and it's basically the same principle?
| niux wrote:
| How does this compare to Tailscale/Headscale?
| killingtime74 wrote:
| Tailscale is Wireguard this is HTTP. Different protocol?
| lxgr wrote:
| Tailscale does actually support Wireguard packet forwarding
| over HTTP (a custom addition to the protocol; standard
| Wireguard only runs on UDP) for tricky NAT traversal use
| cases, but that's only used in pretty gnarly situations.
| Otherwise, it's a regular VPN, i.e. encapsulated and
| encrypted IP over UDP.
|
| https://tailscale.com/blog/how-tailscale-works#encrypted-
| tcp...
| killingtime74 wrote:
| Very interesting! Always wondered what the value add was
| and this is one of them
| jpillora wrote:
| Tailscale is a virtual network device (works on L3, tun not tap
| device) whereas chisel just listens on ports (works on L4)
| nurettin wrote:
| I've used both chisel and frp to tunnel connections, then ended
| up using good old autossh. Just nothing beats it when you need a
| ubiquitous tool to provide a near permanent tunnel that will keep
| the connection up and use standard encryption.
| veganjay wrote:
| Chisel is a handy red-team tool. I learned about it training for
| the OSCP (Offsec Certified Professional). It comes in handy under
| certain situations.
|
| Another tool I recommend is Ligolo-ng [1]. You set up a network
| interface and use "ip route" to send traffic through it. In a
| way, it "feels like a VPN".
|
| [1] https://github.com/nicocha30/ligolo-ng
| spxneo wrote:
| is it possible to turn this into an executable that can run
| cross-platform ?
| jpillora wrote:
| That's exactly what it is, see releases
| TZubiri wrote:
| I feel afraid to ask, but considering HTTP is transmitted over
| TCP, why would you tunnel TCP back again?
|
| Actually, nvm I don't need to know, you can keep your cursed
| ouroboros protocol to yourself.
| mordechai9000 wrote:
| Yes, it can cause a problem called TCP Meltdown where the inner
| TCP and the outer TCP both try resending data and the
| connection degrades significantly. I think you can work around
| it, somewhat, by tweaking the TCP timing. But generally it's
| best to use UDP for the outer protocol when you're tunneling
| TCP.
| Thorrez wrote:
| I don't think that's the case here. I think it's just
| tunneling the data, not the full TCP packets.
| mordechai9000 wrote:
| I was not aware, thanks.
| jpillora wrote:
| Correct, it's equivalent to ssh tunneling except there's
| some HTTP/websocket wrappers around it
| Thorrez wrote:
| I don't think it's tunneling the full TCP packets. I think it's
| extracting the data stream from the incoming TCP stream,
| tunneling that data, and creating a new TCP stream to the
| destination on the other end of the tunnel.
|
| So basically the same as ssh -L or ssh -R .
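An added Go sketch (not chisel's own code) of the L4 relay Thorrez describes: the client's TCP session terminates at the listener, only the byte stream is copied, and a fresh TCP session is opened to the destination, which is why no inner TCP segments get re-transmitted inside the outer one. The HTTP/websocket/SSH wrapping chisel puts around the middle leg is left out; listenLoop, relay, Forward and EchoServer are names chosen here, and the echo service is a constructed stand-in for the real destination.

```go
package main

import (
	"io"
	"net"
)

// listenLoop binds a fresh localhost port, runs handle per connection.
func listenLoop(handle func(net.Conn)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go handle(c)
		}
	}()
	return ln.Addr().String(), nil
}

// relay copies bytes between an accepted client connection and a new
// TCP connection to dst. Only payload crosses: each leg is its own TCP
// session with its own retransmission state (no nested-TCP "meltdown").
func relay(client net.Conn, dst string) {
	defer client.Close()
	upstream, err := net.Dial("tcp", dst)
	if err != nil {
		return
	}
	defer upstream.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, client); done <- struct{}{} }()
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done // either side hanging up tears down both legs
}

// Forward is the listening end of the tunnel (like the -L side of ssh).
func Forward(dst string) (string, error) {
	return listenLoop(func(c net.Conn) { relay(c, dst) })
}

// EchoServer is a constructed stand-in for the destination service.
func EchoServer() (string, error) {
	return listenLoop(func(c net.Conn) { io.Copy(c, c); c.Close() })
}
```

Start EchoServer, pass its address to Forward, then dial the address Forward returns and whatever you write comes back through the two separate TCP legs.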
| globular-toast wrote:
| It's for getting arbitrary traffic out of corporate firewalls
| by disguising it as regular HTTP traffic.
| jpillora wrote:
| Hey all, I'm the author of chisel. Feel free to send any
| questions my way
| 090rf wrote:
| My initial investment capital was $3,200, but I made a profit of
| $38,000 in just the first week of trading with lady
| Elisa_mayer_fx on Instagram/Facebook. It was very important to me
| considering the fact that I have lost money in the past trying to
| trade by myself. I highly recommend her to anyone who needs a
| reliable supplier.
| teaearlgraycold wrote:
| To the person running the botnet for this "campaign" - please
| take a look in the mirror. Who do you want to be?
___________________________________________________________________
(page generated 2024-04-06 23:00 UTC)