
# Pivoting

## <mark style="color:yellow;">PREPARATION</mark>

### <mark style="color:blue;">Checking Network Interfaces</mark>

```bash
ifconfig
```

### <mark style="color:blue;">Netstat Check Port</mark>

```bash
netstat -antp | grep 1234
```

### <mark style="color:blue;">Proxychains</mark>

```bash
tail -4 /etc/proxychains.conf
# Check whether a proxychains config file already exists; it may have a different proxychains-style file name
proxychains {command}
```

## <mark style="color:yellow;">SOCAT</mark>

<mark style="color:red;">**Socat**</mark> is a <mark style="color:purple;">**bidirectional relay utility**</mark> that establishes communication between two separate network channels without relying on SSH tunneling. It functions as a redirector, capable of listening on a specific host and port and forwarding the data to a different IP address and port.

#### <mark style="color:blue;">Starting Listener</mark>

```bash
socat TCP4-LISTEN:8080,fork TCP4:13.13.13.13:80
# Listens on 8080 and redirects it to 13.13.13.13:80
```
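
Seen from the host running the relay, the redirector above leaves a recognizable pattern in the same `netstat -antp` output used in the preparation step: one process holds an inbound connection on its listening port and a second, outbound connection to the forward target. The following is an added example, not part of the original page; the function names and the sample output are constructed for illustration, and ordinary reverse proxies match the same heuristic.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag relay-like processes in
# `netstat -antp` output. Heuristic: one PID holds an ESTABLISHED socket on a
# port its program LISTENs on (inbound leg) and a second ESTABLISHED socket
# from a different local port (outbound leg). Reverse proxies match too.

find_relays() {
  awk '
    $1 !~ /^tcp/ { next }                      # skip netstat header lines
    {
      n = split($4, l, ":"); lport = l[n]      # local port, IPv4 or IPv6
      split($7, p, "/"); pid = p[1]; prog = p[2]
      if ($6 == "LISTEN") { listen[prog, lport] = 1; next }
      if ($6 != "ESTABLISHED" || pid == "-") next
      c++; spid[c] = pid; sprog[c] = prog; sport[c] = lport; speer[c] = $5
    }
    END {
      for (i = 1; i <= c; i++)                 # pass 1: find inbound legs
        if ((sprog[i], sport[i]) in listen) {
          inport[spid[i]] = sport[i]; client[spid[i]] = speer[i]
        }
      for (i = 1; i <= c; i++) {               # pass 2: pair outbound legs
        pid = spid[i]
        if ((pid in inport) && sport[i] != inport[pid])
          printf "%s pid=%s listen=%s client=%s forward=%s\n",
                 sprog[i], pid, inport[pid], client[pid], speer[i]
      }
    }'
}

# Constructed sample: the socat relay from the section above plus unrelated traffic.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:8080     0.0.0.0:*         LISTEN      2101/socat
tcp        0      0 0.0.0.0:22       0.0.0.0:*         LISTEN      812/sshd
tcp        0      0 10.0.0.5:8080    10.0.0.9:51522    ESTABLISHED 2140/socat
tcp        0      0 10.0.0.5:40312   13.13.13.13:80    ESTABLISHED 2140/socat
tcp        0      0 10.0.0.5:22      10.0.0.9:51000    ESTABLISHED 1999/sshd: admin
tcp        0      0 10.0.0.5:51234   10.0.0.20:443     ESTABLISHED 3001/curl
EOF
}

sample_netstat | find_relays
```

On a live host, run it as `sudo netstat -antp | find_relays`; without root the PID column shows `-` for other users' sockets and those rows are skipped.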

## <mark style="color:yellow;">SSHUTTLE</mark>

<mark style="color:red;">**SSHuttle**</mark> is a Python-based tool that <mark style="color:purple;">**eliminates the need for configuring proxychains**</mark>. However, it is limited to pivoting over SSH and does not support pivoting through Tor or HTTPS proxy servers. SSHuttle is particularly valuable because it automates the iptables setup and adds the pivot rules for the remote host.

```bash
sudo sshuttle -r ubuntu@13.13.13.13 69.69.6.0/23 -v 
```

## <mark style="color:yellow;">LIGOLO-NG</mark>

<mark style="color:red;">**Ligolo-ng**</mark> is a simple, lightweight and fast tool that allows pentesters to <mark style="color:purple;">**establish tunnels**</mark> from a reverse TCP/TLS connection using a **tun** *(short for tunnel)* interface, without the need for SOCKS.

#### <mark style="color:blue;">Making a tun interface</mark>

```bash
sudo ip tuntap add user $(whoami) mode tun ligolo
```

#### <mark style="color:blue;">Deleting tun interface</mark>

```bash
sudo ip tuntap del dev ligolo mode tun
```

#### <mark style="color:blue;">Turning on ligolo</mark>

```bash
sudo ip link set ligolo up
```

```bash
sudo ip r add 69.69.6.0/24 dev ligolo
```

#### <mark style="color:blue;">Setting up ligolo</mark> <mark style="color:red;">agent</mark> <mark style="color:blue;">and</mark> <mark style="color:red;">proxy</mark>

```bash
./proxy -laddr 13.13.13.13:443 -selfcert # attack host
./agent -connect 13.13.13.13:443 -ignore-cert # target host
```

#### <mark style="color:blue;">Connecting session</mark>

```bash
ligolo-ng » session
? Specify a session : 1 - {MACHINE} - 13.13.13.13:51234
[Agent] » start
```


