Pivoting, Tunneling, and Port Forwarding

Pivoting in the security context means accessing otherwise unreachable networks using a compromised "pivot host".

Techniques

For forwarding a single TCP port, SSH port forwarding is quick and easy. Many Linux SSH users know about -L (local forwarding) but not -R (remote forwarding)!

On Windows, netsh (netsh interface portproxy) can be used for port forwarding.

Dynamic port forwarding with SSH implements SOCKS over SSH to access an otherwise inaccessible network segment. It's slow, and the types of connections are limited: a SOCKS proxy only carries fully established TCP connections, so raw-socket traffic such as half-open (SYN) scans with nmap via proxychains won't work.

But for dynamic network traffic, my first choice is usually LigoloNG.

Metasploit has several tools for pivoting, including a SOCKS proxy (auxiliary/server/socks_proxy).

Socat can be used to forward TCP traffic from one network segment to another through a pivot host.

Dnscat2 can proxy network traffic via obfuscated DNS TXT records.
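The DNS TXT-record tunneling described above is something a defender can often spot in resolver logs. The following added example (not part of the original page, and not dnscat2's own code) flags a source that sends repeated TXT queries with long, high-entropy leftmost labels to a single zone; the log lines, their format (loosely modelled on BIND query logs) and the `tun.example.net` zone are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not captured from any real system).
# The first three lines are ordinary lookups; the last four mimic the
# long, high-entropy labels a TXT-record tunnel produces.
SAMPLE_LOG = """\
client 10.0.0.5#51523: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.5#51524: query: mail.example.com IN MX + (10.0.0.1)
client 10.0.0.7#40001: query: _dmarc.example.com IN TXT + (10.0.0.1)
client 10.0.0.9#33011: query: 3f9a1c7e2b8d4a6f0e5c9b1d.tun.example.net IN TXT + (10.0.0.1)
client 10.0.0.9#33012: query: 8a2e6c1f9b3d7a5e4c0f2b8d.tun.example.net IN TXT + (10.0.0.1)
client 10.0.0.9#33013: query: d4b7f1a9e3c6b2d8f0a5e7c1.tun.example.net IN TXT + (10.0.0.1)
client 10.0.0.9#33014: query: 6c0e2a8f4b9d1c3e7a5f8b2d.tun.example.net IN TXT + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_queries(log_text: str):
    """Yield (source_ip, query_name, query_type) for each parseable log line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["src"], m["name"].rstrip("."), m["qtype"]

def suspicious_label(name: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """True if the leftmost label is long and high-entropy, as tunnel-encoded data tends to be."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_txt_tunnel_candidates(log_text: str, min_queries: int = 3):
    """Return {(src, zone): count} for sources repeatedly sending suspicious TXT queries to one zone."""
    counts = defaultdict(int)
    for src, name, qtype in parse_queries(log_text):
        if qtype == "TXT" and suspicious_label(name):
            zone = ".".join(name.split(".")[1:])
            counts[(src, zone)] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}
```

Tune the thresholds against your own resolver's baseline; legitimate services (CDNs, anti-spam lookups) also use long labels, so treat a hit as a lead for investigation rather than a verdict.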

PtunnelNG encapsulates network traffic inside of ICMP echo requests and replies.

Practicing

HackTheBox machines Reddish, Enterprise, and Inception are good for practicing pivoting.