Tunnels and Proxies
#Overview
Tunnels and proxies provide full network-layer access through a compromised host. Unlike port forwarding (one port at a time), tunnels give you a SOCKS proxy or TUN interface that supports any protocol — scanning, multi-service access, and lateral movement all become possible.
For foundational SOCKS/proxy setup (SSH -D, Chisel, Ligolo-ng, proxychains), see 07 - Post-Exploitation. This section covers advanced tools and configurations beyond those basics.
#Technique Selection
| Egress Available | Best Technique | File |
|---|---|---|
| All TCP (no filtering) | SSH -D / SSHuttle | SOCKS & HTTP Proxies |
| HTTP/HTTPS only | Neo-reGeorg / Earthworm | Web Tunnels |
| DNS only | dnscat2 / iodine | DNS & Protocol Tunnels |
| Cloud (NAT traversal) | ngrok / Cloudflare tunnel | Cloud Tunnels |
| Restricted/monitored | Rpivot / WireGuard | SOCKS & HTTP Proxies / Cloud Tunnels |
#Technique Files
| File | Covers | Complexity |
|---|---|---|
| SOCKS & HTTP Proxies | SSH -D extended, SSHuttle, Chisel/Ligolo advanced, Rpivot | Medium |
| Web Tunnels | Neo-reGeorg, reGeorg, Tunna, Earthworm | Medium-High |
| DNS & Protocol Tunnels | dnscat2, iodine, ICMP tunnels, httptunnel | High |
| Cloud Tunnels | ngrok, Cloudflare tunnel, WireGuard, NPS/FRP/3proxy | Medium |
#Cross-References
- 07 - Post-Exploitation — Foundational pivoting basics
- Port Forwarding — Single-port forwarding (simpler, less detectable)
- Multi-Hop Chains — Chaining through multiple pivot points