You've compromised a host on a segmented network. Explain how you pivot to reach systems you can't touch directly.
Short answer
Pivoting turns a compromised host into a relay so you can reach internal segments your machine can't route to. You use port forwarding, a SOCKS proxy over your C2 channel (e.g. Chisel, SSH dynamic forwarding), or agent-based routing, then run tools through that tunnel to attack the next subnet.
In any realistic network the juicy targets — domain controllers, databases, internal apps — live on segments your attacking machine can't route to. Pivoting solves the routing problem: it turns a host you already own into a relay. Lateral movement is the broader goal of expanding access across the environment, and pivoting is how you reach the hosts to do it.
The reachability problem
You compromise a DMZ web server. Your laptop can reach that server, but the internal 10.10.0.0/16 subnet behind it is invisible to you — there's no route. The web server, however, can talk to it. So you make the web server carry your traffic.
Tunneling techniques
- Local port forwarding: expose a single internal service through the pivot to a port on your machine. Good for "I just need to hit one RDP/SMB host."
- Remote port forwarding: push a port from your side into the target network — useful for catching callbacks behind NAT.
- Dynamic forwarding / SOCKS proxy: the real workhorse.
ssh -D, Chisel, Ligolo-ng, or Metasploit'sautoroute+socks_proxystand up a SOCKS proxy over your channel. You then run tools through it withproxychains, so an entire toolkit can attack the hidden subnet as if you were local.
Doing it operationally
You enumerate the new segment through the tunnel, harvest credentials on the pivot (Mimikatz, tickets), and reuse them to move laterally — Pass-the-Hash, WinRM, SMB exec, or scheduled tasks. Each newly owned host can become its own pivot, chaining you deeper. Multi-hop tunneling lets you reach segments two or three networks removed from your entry point.
Why segmentation matters
Every pivot hop is friction. Strong segmentation, internal firewalls, and egress controls force you through chokepoints that defenders can monitor — which is exactly why you flag weak segmentation as a finding.
What interviewers look for
That you distinguish pivoting (routing) from lateral movement (credential reuse), name concrete tooling (SOCKS proxy, Chisel/Ligolo, proxychains), and connect the technique back to the defensive control — segmentation — that would have stopped you.
Likely follow-ups
- What's the difference between local, remote, and dynamic port forwarding?
- How would you run Nmap or a Metasploit exploit through a SOCKS proxy?
- How does network segmentation by a defender raise the cost of lateral movement?