You've compromised a host with a second network interface. How do you pivot?
Short answer
Use the compromised host as a relay into the unreachable subnet. Set up port forwarding for a single service, or a dynamic SOCKS proxy (SSH -D or chisel) and route your tools through it with proxychains, so your attacker box can reach internal hosts via the pivot.
Many environments place the real targets on an internal subnet your attacker box cannot route to. A host straddling both networks (a "dual-homed" machine) becomes your bridge. Pivoting is using that bridge to relay your traffic into the hidden network.
The main techniques
- Local port forwarding maps a single internal service to a port on your attacker box — good when you need one specific service (e.g. an internal web app or database).
- Remote port forwarding pushes a port from the target back to you, useful when the pivot cannot reach your machine directly but you reached it.
- Dynamic forwarding (SOCKS proxy) is the workhorse:
ssh -D 1080 user@pivot(orchiselwhen SSH is unavailable) opens a SOCKS proxy that can reach any internal host and port through the pivot.
Routing your tools
Configure proxychains to point at the SOCKS port, then prefix your tools: proxychains nmap, proxychains curl, proxychains crackmapexec. Traffic now tunnels through the compromised host into the internal network.
Tooling caveats
SOCKS proxies only carry TCP, so connect (-sT) scans work but SYN scans and ICMP do not — adjust nmap accordingly and scan only the ports you care about, since proxied scans are slow. chisel is invaluable when the pivot has no SSH server, giving you the same SOCKS capability over an HTTP-friendly channel that often beats egress filtering.
Why it matters
Without pivoting, the entire internal subnet — often where the high-value targets and the domain controller live — is invisible. The technique converts one foothold into reach across a whole network.
What interviewers look for
Clear distinction between local, remote, and dynamic forwarding, naming SSH -D/chisel and proxychains, and awareness of the TCP-only SOCKS limitation that breaks naive nmap usage. This is a senior signal because it requires solid networking understanding.
Likely follow-ups
- What's the difference between local, remote, and dynamic port forwarding?
- Why does nmap behave oddly through a SOCKS proxy, and how do you adapt?