πModule Overview
Module Introduction
This module covers pivoting, tunneling, and port forwarding techniques essential for CPTS certification. Based on HTB Academy's comprehensive course, these techniques allow penetration testers to:
Pivot: Use compromised machines as stepping stones to access other network segments
Tunnel: Encapsulate traffic through established connections to bypass network restrictions
Port Forward: Redirect network traffic from one port to another to access services
What You'll Learn
Core Concepts
Understanding network segmentation and NAT
Identifying pivot opportunities
Traffic flow analysis and routing
Security implications of tunneling
Practical Techniques
SSH port forwarding (Local, Remote, Dynamic)
SOCKS proxy implementation
Tool integration through proxychains
Multiple hop scenarios
Modern tunneling tools (Chisel, Ligolo-ng)
Real-world Applications
DMZ to internal network pivoting
Firewall bypass techniques
Multi-segment network traversal
Maintaining persistent access
Network Scenarios Covered
Typical Corporate Network
Common Pivot Points
Web servers in DMZ with internal network access
Jump boxes with multiple network interfaces
VPN endpoints bridging networks
Dual-homed hosts spanning network segments
Module Structure
π File Organization
π Learning Path
Start Here: Dynamic Port Forwarding - HTB Academy Page 3 foundation
Reverse Shells: Remote Port Forwarding - HTB Academy Page 4 (Meterpreter)
SSH Mastery: SSH Tunneling - Complete SSH techniques
Tool Integration: Proxychains & SOCKS - Tool tunneling
Framework Integration: Metasploit Pivoting
Practice: Skills Assessment - Hands-on scenarios
Key HTB Academy Concepts
Dynamic Port Forwarding (Page 3)
Based on HTB Academy module demonstrating:
Local Port Forwarding (-L): Access specific services
Dynamic Port Forwarding (-D): Create SOCKS proxy
Network Discovery: Scanning internal networks via pivot
Tool Integration: Nmap, Metasploit, RDP through proxychains
Remote/Reverse Port Forwarding (Page 4)
Advanced HTB Academy scenarios covering:
Remote Port Forwarding (-R): Expose local services to remote networks
Reverse Shell Pivoting: Meterpreter payload through pivot host
Network Isolation: When targets can't directly reach attack host
Payload Delivery: File transfer and execution through pivot
Lab Scenario:
Network Topology:
Traffic Flow Understanding
Essential Commands Quick Reference
SSH Tunneling
Technique
Command
Use Case
Local Forward
ssh -L 1234:target:3306 user@pivot
Access specific service
Dynamic Forward
ssh -D 9050 user@pivot
SOCKS proxy for multiple tools
Remote Forward
ssh -R 8080:localhost:80 user@pivot
Expose local service
Background Tunnel
ssh -fNT -D 9050 user@pivot
Persistent background proxy
Proxychains Integration
Network Discovery
Common Network Ranges
Range
Type
Description
10.0.0.0/8
Private
Class A private networks
172.16.0.0/12
Private
Class B private networks
192.168.0.0/16
Private
Class C private networks
169.254.0.0/16
Link-Local
APIPA addresses
127.0.0.0/8
Loopback
Localhost
Pivoting Opportunities Identification
Multi-homed Hosts
Network Connectivity Testing
Service Discovery
Tool Compatibility Matrix
Tool
SSH Tunnel
SOCKS Proxy
HTTP Tunnel
Notes
Nmap
β (Local Forward)
β (TCP Connect only)
β
Use -sT scan type
Metasploit
β
β
β
Full framework support
Web Browsers
β
β
β
Configure proxy settings
cURL/wget
β
β
β
Use --proxy flag
Database Tools
β
β
β
Connect to forwarded ports
RDP/VNC
β
β
β
Remote desktop access
Security Considerations
Operational Security (OPSEC)
Encrypt tunnels when possible (SSH, HTTPS)
Mimic legitimate traffic patterns
Use standard ports when feasible (80, 443, 53)
Clean up connections after assessment
Monitor tunnel stability and performance
Network Detection
DPI (Deep Packet Inspection) may detect tunneling
Traffic analysis can reveal unusual patterns
Connection monitoring may alert on new services
Log correlation might expose pivot activities
Troubleshooting Guide
Common Issues
Problem
Cause
Solution
Connection timeout
Firewall blocking
Try different ports/protocols
DNS resolution fails
DNS not proxied
Enable proxy_dns in proxychains
Slow performance
Network latency
Use compression (-C flag)
Tool incompatibility
Partial packet support
Use TCP connect scans only
Debugging Commands
Lab Environment Setup
HTB Academy Lab Scenario
Credentials:
Ubuntu Server:
ubuntu:HTB_@cademy_stdnt!Windows Target:
victor:pass@123
Network Topology:
Objectives:
Enumerate network interfaces on pivot
Set up SOCKS proxy via SSH
Scan internal network through proxy
Access Windows host via RDP
Retrieve flag from Desktop
Best Practices Checklist
Pre-Assessment
During Assessment
Post-Assessment
Exam Tips for CPTS
Key Skills to Master
Quick tunnel setup under time pressure
Tool integration through proxies
Multi-hop scenarios planning
Troubleshooting common issues
Documentation of pivot paths
Practice Scenarios
Set up tunnels in under 2 minutes
Chain multiple pivots successfully
Use various tools through proxies
Handle connection failures gracefully
Maintain operational security
Next Steps
Start with Dynamic Port Forwarding: Review HTB Academy Page 3 concepts
Practice SSH Tunneling: Master all forwarding types
Learn Proxychains: Configure and use with various tools
Explore Modern Tools: Chisel and Ligolo-ng alternatives
Complete Skills Assessment: Hands-on lab scenarios
References
HTB Academy: Pivoting, Tunneling & Port Forwarding Module
SSH Documentation:
man ssh,man ssh_configProxychains:
/etc/proxychains.confconfigurationSOCKS Protocol: RFC 1928 (SOCKS5), RFC 1929 (Authentication)
Network Fundamentals: RFC 1918 (Private Address Space)
Last updated