common guides to pen test pivoting and tunneling (or tunnelling)

Tunneling and pivoting through a network can be a slightly mind-bending experience at first. I did plenty of this during my time in the PWK labs, and the guide, Explore Hidden Networks With Double Pivoting, proved to be very useful. Likewise, A Red Teamer’s guide to pivoting, looks like an excellent resource, largely if you have root access already and need a better way to get back out. (Edited to add this new one:

As a bonus, the second link also includes some shell upgrading techniques at the end.

Other links:

For my time in the labs, I started out using single hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@ -L 81:

Later on, I learned to do more dynamic SSH forwards with proxychains:


I used a dynamic ssh tunnel via John:
ssh -f -N -D j0hn@ -p 22000
Tested with :
proxychains nmap -sT -Pn

ssh -f -N -D sean@
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D root@ -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@ ssh -t -D 8157 mario@ -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 8080

One thought on “common guides to pen test pivoting and tunneling (or tunnelling)

Leave a Reply

Your email address will not be published. Required fields are marked *