📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the Free Ethical Hacking Course — 100 Days
Day 36 of 100 · 36% complete
⚠️ Authorised Engagements Only: Pivoting & tunneling extend access through segmented networks. All exercises use isolated lab environments — your own VMs, TryHackMe, or HackTheBox. Never deploy pivoting tools on networks you do not have explicit written authorisation to test. SecurityElites.com accepts no liability for misuse.
On a red team engagement two years ago, I compromised a web server in the client’s DMZ. The scope was to confirm whether network segmentation between DMZ and the internal corporate network was effective. The firewall was correctly configured — I could not reach the internal segment directly. But the web server had two network interfaces: one facing the internet, one facing the internal network. Twenty minutes after establishing my initial foothold, I had a Chisel tunnel running, my Nmap output was scanning the internal subnet, and I had identified the domain controller. The client’s firewall had done exactly what it was designed to do. Pivoting bypassed it entirely by routing through a host that was already trusted to bridge both sides.
Network segmentation is a valid control against external attackers — but once an attacker has an internal foothold, the segmentation becomes a map of where to go next rather than a barrier. Day 36 gives you the full toolkit: SSH tunnels for quick single-service access, Chisel for HTTP-based tunneling through restrictive firewalls, Ligolo-ng for transparent network routing without proxychains limitations, and SOCKS5 to route any tool through any pivot. These are the techniques that C2 operators deploy after the initial beacon from Day 35 to reach isolated network segments.
### 🎯 What You’ll Master in Day 36

- Understand the segmented network problem that pivoting solves
- SSH local, remote, and dynamic port forwarding — command and use case for each
- Chisel HTTP tunneling — reverse SOCKS5 when SSH is unavailable or firewalled
- Ligolo-ng transparent proxying — native tool routing without proxychains overhead
- SOCKS5 proxychains configuration and routing Nmap through a pivot
- Double pivot — chaining two hops to reach isolated network segments
⏱️ Day 36 · 3 exercises · Think Like Hacker + TryHackMe + Kali Lab

### ✅ Prerequisites

- Day 35 — C2 Frameworks — SMB C2 relay chains from Day 35 connect directly to today’s pivot techniques; the agent relay model is pivoting at the C2 layer
- Day 34 — Payload Obfuscation — Chisel and Ligolo-ng agents are binaries transferred to pivot hosts; EDR evasion from Day 34 applies to delivery
- Day 23 — Active Directory Basics — the internal hosts you pivot to are AD-joined; knowing what to look for prioritises your targets
- Kali Linux with two VMs on an isolated host-only network for Exercise 3

### 📋 Pivoting & Tunneling Day 36 — Contents

1. The Segmented Network Problem — Why Pivoting Exists
2. SSH Port Forwarding — Local, Remote, and Dynamic
3. Chisel — HTTP Tunneling When SSH is Not Available
4. Ligolo-ng — Transparent Routing Without Proxychains
5. SOCKS5 Proxychains — Routing Tools Through Your Tunnel
6. Double Pivot — Reaching Isolated Segments

Yesterday in Day 35 you set up a C2 framework and maintained persistent access through a beacon callback loop. Today’s techniques extend that access through the network — reaching hosts your beacon cannot contact directly because they sit in a separate segment with no internet access. Pivoting is the bridge between initial access and full internal network compromise in the 100-day course. The tools here are what every professional red teamer runs in the first hour after establishing a foothold inside a segmented enterprise.
## The Segmented Network Problem — Why Pivoting Exists
Enterprise networks are not flat. A mature organisation separates systems into segments: a DMZ for internet-facing services, a production network for application servers, a corporate network for workstations, a management network for infrastructure. Firewall rules control what can communicate with what. The theory: compromising one segment does not give access to the others.
The problem is that some hosts legitimately need to communicate across segment boundaries. A web server in the DMZ queries a database in the production network. A jump box sits at the intersection of multiple segments for administrator access. These trusted hosts are your pivot points — they already have the network access you need, and once you are on them, you inherit their routing.
The first thing I do after establishing a foothold is map the network interfaces. Every additional interface beyond the one you entered through is a connection to another segment. That mapping tells you exactly where to pivot before you run a single tunneling tool.
```bash
# NETWORK RECONNAISSANCE FROM PIVOT HOST

# Map all interfaces on the foothold host
ip addr
# eth0: 10.10.10.5/24      ← your entry point (internet-facing)
# eth1: 192.168.1.50/24    ← internal network — NEW SEGMENT

# Check the routing table — what can this host reach?
ip route
# 10.10.10.0/24 dev eth0
# 192.168.1.0/24 dev eth1  ← reachable from here, not from your Kali
```
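
Seen from the defender's side, the same interface mapping identifies the hosts that need the tightest controls. This added example (not part of the original article) parses `ip -o -4 addr show` output collected from an inventory and flags hosts with addresses in more than one segment; the segment names, hostnames and sample output are constructed, using the two subnets shown above.

```python
import ipaddress

# Assumed segment plan: the two subnets from the article's output; names are hypothetical.
SEGMENTS = {
    "dmz": ipaddress.ip_network("10.10.10.0/24"),
    "internal": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed `ip -o -4 addr show` output per host (hostnames are hypothetical).
INVENTORY = {
    "web01": (
        "1: lo    inet 127.0.0.1/8 scope host lo\\ valid_lft forever\n"
        "2: eth0    inet 10.10.10.5/24 brd 10.10.10.255 scope global eth0\\ valid_lft forever\n"
        "3: eth1    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth1\\ valid_lft forever\n"
    ),
    "app02": (
        "1: lo    inet 127.0.0.1/8 scope host lo\\ valid_lft forever\n"
        "2: eth0    inet 192.168.1.60/24 brd 192.168.1.255 scope global eth0\\ valid_lft forever\n"
    ),
}

def addresses(ip_output):
    """Yield (ifname, IPv4Interface) for every non-loopback `inet` line."""
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            iface = ipaddress.ip_interface(fields[3])
            if not iface.ip.is_loopback:
                yield fields[1], iface

def segments_of(ip_output, segments=SEGMENTS):
    """Map segment name -> interface names holding an address inside it."""
    found = {}
    for ifname, iface in addresses(ip_output):
        for name, net in segments.items():
            if iface.ip in net:
                found.setdefault(name, []).append(ifname)
    return found

def bridging_hosts(inventory, segments=SEGMENTS):
    """Return {host: segments} for hosts with interfaces in more than one segment."""
    hits = {h: segments_of(out, segments) for h, out in inventory.items()}
    return {h: segs for h, segs in hits.items() if len(segs) > 1}

if __name__ == "__main__":
    for host, segs in bridging_hosts(INVENTORY).items():
        print(f"{host} bridges {', '.join(sorted(segs))}: {segs}")
```

Hosts it reports are the ones whose cross-segment reachability should be justified, restricted by host firewall rules, and monitored for unexpected listeners or outbound tunnels.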