# Module Overview

## Module Introduction

This module covers pivoting, tunneling, and port forwarding techniques essential for CPTS certification. Based on HTB Academy's comprehensive course, these techniques allow penetration testers to:

- **Pivot**: Use compromised machines as stepping stones to access other network segments
- **Tunnel**: Encapsulate traffic through established connections to bypass network restrictions
- **Port Forward**: Redirect network traffic from one port to another to access services
## What You'll Learn

### Core Concepts

- Understanding network segmentation and NAT
- Identifying pivot opportunities
- Traffic flow analysis and routing
- Security implications of tunneling

### Practical Techniques

- SSH port forwarding (Local, Remote, Dynamic)
- SOCKS proxy implementation
- Tool integration through proxychains
- Multiple hop scenarios
- Modern tunneling tools (Chisel, Ligolo-ng)

### Real-world Applications

- DMZ to internal network pivoting
- Firewall bypass techniques
- Multi-segment network traversal
- Maintaining persistent access
## Network Scenarios Covered

### Typical Corporate Network

```text
[Internet] → [Edge Router] → [Firewall] → [DMZ] → [Internal Firewall] → [LAN]
                                           ↓                              ↓
                                      Web Servers                    Workstations
                                      Mail Servers                Domain Controllers
                                   Database Servers
```

### Common Pivot Points

- Web servers in the DMZ with internal network access
- Jump boxes with multiple network interfaces
- VPN endpoints bridging networks
- Dual-homed hosts spanning network segments
## Module Structure

### File Organization

```text
pivoting-tunneling-port-forwarding/
├── pivoting-overview.md          # This overview file
├── dynamic-port-forwarding.md    # SSH SOCKS tunneling (HTB Page 3)
├── remote-port-forwarding.md     # SSH Remote/Reverse forwarding (HTB Page 4)
├── ssh-tunneling.md              # Complete SSH forwarding guide
├── proxychains-socks.md          # Proxychains configuration and usage
├── chisel-tunneling.md           # Modern HTTP tunneling
├── ligolo-ng.md                  # Next-gen tunneling agent
├── metasploit-pivoting.md        # MSF autoroute and pivoting
├── windows-pivoting-tools.md     # Windows native tools
├── dns-icmp-tunneling.md         # Alternative tunneling protocols
└── skills-assessment.md          # Practical scenarios and labs
```

### Learning Path

1. **Start Here**: Dynamic Port Forwarding (HTB Academy Page 3 foundation)
2. **Reverse Shells**: Remote Port Forwarding (HTB Academy Page 4, Meterpreter)
3. **SSH Mastery**: SSH Tunneling (complete SSH techniques)
4. **Tool Integration**: Proxychains & SOCKS (tool tunneling)
5. **Framework Integration**: Metasploit Pivoting
6. **Practice**: Skills Assessment (hands-on scenarios)
## Key HTB Academy Concepts

### Dynamic Port Forwarding (Page 3)

Based on the HTB Academy module section demonstrating:

- **Local Port Forwarding (-L)**: Access specific services
- **Dynamic Port Forwarding (-D)**: Create a SOCKS proxy
- **Network Discovery**: Scanning internal networks via the pivot
- **Tool Integration**: Nmap, Metasploit, RDP through proxychains

### Remote/Reverse Port Forwarding (Page 4)

Advanced HTB Academy scenarios covering:

- **Remote Port Forwarding (-R)**: Expose local services to remote networks
- **Reverse Shell Pivoting**: Meterpreter payload through the pivot host
- **Network Isolation**: When targets can't directly reach the attack host
- **Payload Delivery**: File transfer and execution through the pivot

**Lab Scenario:**

```text
Attack Host (10.10.15.x) → Ubuntu Server (10.129.202.64) → Windows Target (172.16.5.19)
  MSF Handler :8000         SSH -R :8080 Forward            Meterpreter Payload
```

**Network Topology:**

```text
Attack Host (10.10.15.x) → Ubuntu Server (10.129.202.64) → Internal Network (172.16.5.0/23)
                           ens192: 10.129.202.64
                           ens224: 172.16.5.129
```

### Traffic Flow Understanding

```text
[Attack Host] → [SOCKS Client] → [SSH Tunnel] → [Pivot Host] → [Target Network]
      ↓               ↓               ↓               ↓                ↓
 Tool Request     Proxychains     SSH Port 22   Internal Interface  Target Service
```

## Essential Commands Quick Reference
### SSH Tunneling

| Technique | Command | Use Case |
|---|---|---|
| Local Forward | `ssh -L 1234:target:3306 user@pivot` | Access a specific service |
| Dynamic Forward | `ssh -D 9050 user@pivot` | SOCKS proxy for multiple tools |
| Remote Forward | `ssh -R 8080:localhost:80 user@pivot` | Expose a local service |
| Background Tunnel | `ssh -fNT -D 9050 user@pivot` | Persistent background proxy |
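What actually crosses the SOCKS leg of the traffic flow above once `ssh -D 9050` is listening: the following is an added example (not code from the page or from HTB Academy) that builds the RFC 1928 SOCKS5 greeting and CONNECT request a client such as proxychains sends to the local listener, decodes the pivot's reply code, and shows the older SOCKS4 form for comparison; the listener address and target are constructed values.

```python
import socket
import struct

# Constructed values for this example (not the page's lab): the local ssh -D
# SOCKS listener and a target behind the pivot.
SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 9050
TARGET_HOST, TARGET_PORT = "172.16.5.19", 3389

# RFC 1928 reply codes; anything but 0 means the pivot could not reach the target.
SOCKS5_REPLY = {0: "succeeded", 1: "general SOCKS server failure",
                2: "connection not allowed by ruleset", 3: "network unreachable",
                4: "host unreachable", 5: "connection refused", 6: "TTL expired",
                7: "command not supported", 8: "address type not supported"}

def socks5_greeting() -> bytes:
    """Client greeting: VER=5, NMETHODS=1, METHODS=[0x00 no authentication]."""
    return bytes([0x05, 0x01, 0x00])

def socks5_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER, CMD=1, RSV, ATYP, DST.ADDR, DST.PORT. An IPv4 literal
    uses ATYP=1; a hostname uses ATYP=3, the form a client sends when the pivot
    side should resolve the name (what proxychains does with proxy_dns)."""
    try:
        addr = bytes([0x01]) + socket.inet_aton(host)
    except OSError:                      # not a dotted quad: send the name itself
        name = host.encode()
        addr = bytes([0x03, len(name)]) + name
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)

def parse_socks5_reply(data: bytes) -> tuple:
    """Decode the server reply into (success, description)."""
    if len(data) < 4 or data[0] != 0x05:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, SOCKS5_REPLY.get(data[1], f"unknown reply {data[1]}")

def socks4_connect(host: str, port: int, user: str = "") -> bytes:
    """SOCKS4 CONNECT, the form a 'socks4' proxychains entry sends: VN=4, CD=1,
    DSTPORT, DSTIP, USERID, NUL. SOCKS4 has no name field, so DST must be an IP."""
    return (bytes([0x04, 0x01]) + struct.pack("!H", port)
            + socket.inet_aton(host) + user.encode() + b"\x00")

def check_socks_proxy(proxy=(SOCKS_HOST, SOCKS_PORT),
                      target=(TARGET_HOST, TARGET_PORT)) -> str:
    """Live check of a SOCKS5 listener: run the handshake and report the reply."""
    with socket.create_connection(proxy, timeout=5) as s:
        s.sendall(socks5_greeting())
        if s.recv(2) != b"\x05\x00":
            return "proxy rejected the no-authentication method"
        s.sendall(socks5_connect(*target))
        return parse_socks5_reply(s.recv(10))[1]
```

A non-zero reply code is the quickest way to tell a dead tunnel ("not a SOCKS5 reply" or a refused connection to the listener) from a pivot that is up but cannot reach the target ("host unreachable", "connection refused").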
### Proxychains Integration

```bash
# Configure proxychains
# (the stock config already ends with a "socks4 127.0.0.1 9050" line under
#  [ProxyList]; check for duplicates before appending)
echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf

# Use tools through proxy
proxychains nmap -Pn -sT 172.16.5.19
proxychains msfconsole
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
```

### Network Discovery

```bash
# Check pivot interfaces
ifconfig          # Linux
ipconfig /all     # Windows

# Scan internal networks
# Only TCP connects are carried by the SOCKS proxy; ICMP and raw-socket probes
# bypass it, so -sn results through proxychains are unreliable. Prefer -Pn -sT.
proxychains nmap -sn 172.16.5.1-200
proxychains nmap -Pn -sT -p 22,80,135,139,443,445,3389 172.16.5.19
```

### Common Network Ranges
| Range | Type | Description |
|---|---|---|
| 10.0.0.0/8 | Private | Class A private networks |
| 172.16.0.0/12 | Private | Class B private networks |
| 192.168.0.0/16 | Private | Class C private networks |
| 169.254.0.0/16 | Link-Local | APIPA addresses |
| 127.0.0.0/8 | Loopback | Localhost |
## Pivoting Opportunities Identification

### Multi-homed Hosts

```bash
# Linux
ip route show
ip addr show
arp -a

# Windows
route print
ipconfig /all
arp -a
```

### Network Connectivity Testing

```bash
# Test common private ranges
ping -c 1 192.168.1.1
ping -c 1 10.10.10.1
ping -c 1 172.16.1.1

# Port connectivity
nc -zv 192.168.1.100 22
telnet 172.16.5.19 3389
```

### Service Discovery

```bash
# Through SOCKS proxy
proxychains nmap -Pn -sT --top-ports 1000 172.16.5.0/24
proxychains masscan -p1-65535 --rate=1000 172.16.5.0/24
```

## Tool Compatibility Matrix
| Tool | Notes |
|---|---|
| Nmap | SSH tunnel: local forward; SOCKS proxy: TCP connect only; use the `-sT` scan type |
| Metasploit | Full framework support |
| Web Browsers | Configure proxy settings |
| cURL/wget | Use the `--proxy` flag |
| Database Tools | Connect to forwarded ports |
| RDP/VNC | Remote desktop access |
## Security Considerations

### Operational Security (OPSEC)

- Encrypt tunnels when possible (SSH, HTTPS)
- Mimic legitimate traffic patterns
- Use standard ports when feasible (80, 443, 53)
- Clean up connections after the assessment
- Monitor tunnel stability and performance

### Network Detection

- DPI (Deep Packet Inspection) may detect tunneling
- Traffic analysis can reveal unusual patterns
- Connection monitoring may alert on new services
- Log correlation might expose pivot activities
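The connection-monitoring point from the defender's side: an added example (not from the page or HTB Academy) that runs over a constructed `ss -tlnp` sample from a Linux pivot host and reports listeners missing from a host baseline, using the tells the commands on this page leave behind (an ssh client holding a local listener for `-L`/`-D`, and sshd itself listening on a port other than 22 for `-R`). The sample output and baseline are constructed for the example.

```python
import re

# Constructed sample of `ss -tlnp` output on a Linux host (not from the page):
# two expected services plus two listeners of the kind SSH forwards create.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:9050      0.0.0.0:*     users:(("ssh",pid=4711,fd=5))
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*     users:(("sshd",pid=4802,fd=9))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=931,fd=6))
"""

# Listeners this host is expected to have (constructed baseline); anything else is reported.
BASELINE = {("0.0.0.0", 22, "sshd"), ("0.0.0.0", 80, "nginx")}

# Matches IPv4 LISTEN rows: address, port and the first process name in the users:() field.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return (addr, port, process) for each LISTEN line of ss -tlnp output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def find_tunnel_indicators(text, baseline=BASELINE):
    """Report listeners outside the baseline, with the reason each one matters:
    an ssh *client* owning a listener is an -L/-D forward toward another hop,
    and sshd bound to a non-22 port is what an inbound ssh -R creates."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if (addr, port, proc) in baseline:
            continue
        if proc == "ssh":
            why = "ssh client process holding a local listener (-L/-D forward)"
        elif proc == "sshd" and port != 22:
            why = "sshd listening on a non-service port (-R remote forward)"
        else:
            why = "listener not in baseline"
        findings.append({"addr": addr, "port": port, "process": proc, "reason": why})
    return findings
```

Run periodically against a per-host baseline this turns the page's "new services" observation into a concrete alert; IPv6 rows (`[::]:22`) would need the address pattern widened.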
## Troubleshooting Guide

### Common Issues

| Problem | Cause | Solution |
|---|---|---|
| Connection timeout | Firewall blocking | Try different ports/protocols |
| DNS resolution fails | DNS not proxied | Enable `proxy_dns` in proxychains |
| Slow performance | Network latency | Use compression (`-C` flag) |
| Tool incompatibility | Partial packet support | Use TCP connect scans only |

### Debugging Commands

```bash
# Check tunnel status
netstat -antp | grep :9050
ss -tlnp | grep :9050

# Test connectivity
nc -v 127.0.0.1 9050
telnet 127.0.0.1 9050

# Verbose output
proxychains -v nmap target
ssh -v -D 9050 user@pivot
```

## Lab Environment Setup
### HTB Academy Lab Scenario

**Credentials:**

```text
Ubuntu Server:   ubuntu:HTB_@cademy_stdnt!
Windows Target:  victor:pass@123
```

**Network Topology:**

```text
Attack Host → Ubuntu Server (10.129.202.64) → Windows DC (172.16.5.19)
              ens192: 10.129.202.64
              ens224: 172.16.5.129
```

**Objectives:**

1. Enumerate network interfaces on the pivot
2. Set up a SOCKS proxy via SSH
3. Scan the internal network through the proxy
4. Access the Windows host via RDP
5. Retrieve the flag from the Desktop
## Best Practices Checklist

### Pre-Assessment

### During Assessment

### Post-Assessment

## Exam Tips for CPTS

### Key Skills to Master

- Quick tunnel setup under time pressure
- Tool integration through proxies
- Planning multi-hop scenarios
- Troubleshooting common issues
- Documentation of pivot paths

### Practice Scenarios

- Set up tunnels in under 2 minutes
- Chain multiple pivots successfully
- Use various tools through proxies
- Handle connection failures gracefully
- Maintain operational security

## Next Steps

1. **Start with Dynamic Port Forwarding**: Review HTB Academy Page 3 concepts
2. **Practice SSH Tunneling**: Master all forwarding types
3. **Learn Proxychains**: Configure and use it with various tools
4. **Explore Modern Tools**: Chisel and Ligolo-ng alternatives
5. **Complete the Skills Assessment**: Hands-on lab scenarios
## References

- HTB Academy: Pivoting, Tunneling & Port Forwarding Module
- SSH documentation: `man ssh`, `man ssh_config`
- Proxychains: `/etc/proxychains.conf` configuration
- SOCKS protocol: RFC 1928 (SOCKS5), RFC 1929 (Username/Password Authentication)
- Network fundamentals: RFC 1918 (Private Address Space)