Pivoting & Tunneling

Overview

Pivoting routes traffic through a compromised host to reach internal networks that are not directly accessible from the attacker's machine. When initial access lands on a DMZ or perimeter host, pivoting extends reach into internal segments such as database servers, domain controllers, and management networks. Tunneling tools encapsulate traffic through the compromised host, creating a bridge between the attacker and internal systems.

General Approach

  1. Map the network — identify subnets reachable from the compromised host but not from the attacker's machine
  2. Choose a tunneling method — SSH tunneling (if SSH is available), Chisel/Ligolo-ng (binary transfer), or built-in tools
  3. Set up the tunnel — establish a reverse connection from the compromised host to the attacker
  4. Configure proxychains — route tools through the SOCKS proxy to reach internal targets
  5. Enumerate the internal network — scan and enumerate through the tunnel