You are here: a compromised host can reach a network — or hosts — that your attack box cannot. Internal targets are only visible from the foothold.
The pivot host is a periscope. Build the tunnel, point your tooling through it, then run the rest of the decision trees against the newly visible scope.
▶️ Next moves (in order)
- Map the foothold’s networks. Interfaces, routes, ARP cache, hosts file — find which subnets it bridges. → Pivoting_Cheat_Sheet
- Pick a tunnel that fits the access you have:
  - SSH access on the pivot → Pivoting_SSH_Tunneling
  - Drop a binary, no SSH → Pivoting_Chisel · Pivoting_Socat
  - Meterpreter session → Pivoting_Meterpreter
  - Windows pivot, native tools → Pivoting_Rpivot_Netsh
  - Restricted egress / odd protocols → Pivoting_Protocol_Tunnels
- Route tooling through it. proxychains + -sT -Pn scans; enumerate internal hosts and services. → NetExec_Proxychains_Pivot
- Re-run discovery on the internal scope, add new hosts to /etc/hosts, then loop each new target back through Decision_Trees (treat them as fresh No_Foothold / Have_Creds targets).
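The first step above, working out which subnets a host bridges, is the same audit a defender runs to find multi-homed machines that would make effective pivots. The following is an added example, not part of the original cheat sheet: it decodes a constructed /proc/net/route sample (the kernel prints addresses as little-endian 32-bit hex) and reports the directly attached networks per interface.

```python
"""Audit which subnets a Linux host bridges, from the kernel routing table."""
import ipaddress
import socket
import struct

# Constructed sample of /proc/net/route from a dual-homed host (not captured from a real system).
SAMPLE_ROUTE_TABLE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"   # default via 192.168.1.1
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"   # 192.168.1.0/24 attached
    "eth1\t000010AC\t00000000\t0001\t0\t0\t100\t0000FFFF\t0\t0\t0\n"   # 172.16.0.0/16 attached
    "eth1\t000110AC\t010010AC\t0003\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"   # 172.16.1.0/24 via gateway
)

RTF_UP, RTF_GATEWAY = 0x0001, 0x0002  # flag bits as documented in route(7)


def hex_to_ip(field):
    """Decode one little-endian hex address field from /proc/net/route."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_proc_net_route(text):
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        routes.append({"iface": f[0], "dest": hex_to_ip(f[1]), "gateway": hex_to_ip(f[2]),
                       "flags": int(f[3], 16), "mask": hex_to_ip(f[7])})
    return routes


def attached_subnets(routes):
    """Directly connected (non-gateway, non-default) networks, keyed by interface."""
    out = {}
    for r in routes:
        if r["flags"] & RTF_UP and not r["flags"] & RTF_GATEWAY and r["dest"] != "0.0.0.0":
            net = ipaddress.ip_network(f'{r["dest"]}/{r["mask"]}', strict=False)
            out.setdefault(r["iface"], set()).add(str(net))
    return out


def bridges_subnets(routes):
    """True when the host has attached subnets on more than one interface."""
    return len(attached_subnets(routes)) > 1


if __name__ == "__main__":
    # On a live Linux host, replace the sample with open("/proc/net/route").read()
    routes = parse_proc_net_route(SAMPLE_ROUTE_TABLE)
    print(attached_subnets(routes), "bridges:", bridges_subnets(routes))
```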
⚠️ Common stalls
- SYN scans through a SOCKS proxy (use -sT -Pn — half-open won’t traverse SOCKS).
- Didn’t add internal hostnames to /etc/hosts, breaking Kerberos/vhosts.
- Never reused existing credentials against the internal targets.
- Built one tunnel and stopped — multi-level pivots are common.
⏱️ Stop condition
Once the tunnel is up and internal hosts are enumerated, stop tuning it — pivoting is plumbing, not the objective. Hand each internal target back to Decision_Trees. If a tunnel won’t stabilize after one alternate attempt, switch tools (SSH ↔ Chisel ↔ Socat) rather than debugging one endpoint forever. A working pivot beats a perfect one — don’t sink time into elegance the engagement won’t reward.
🔀 Route on
- Reached and enumerated internal targets → back to Decision_Trees for each
- Back to the hub → Engagement_Cockpit