Network pivoting like a pro!

Mar 2, 2018 · 3 min read

Often during penetration tests or security assessments you start from the external network and you try to get to the internal network and overtake as much systems as you can. And as a matter of fact, during penetration tests or security assessments you get shells (more on interactive tty shells here) or even ssh access via certain exploited vulnerabilities or via leaked credentials.

While you have access to a compromised server you also have access to it’s internal network. Unfortunately, you do not want to install lots of scanners and tools on that server (as it is not yours or you might break something), but you still need to scan the internal network. Then you need to pivot in the internal network.

What is pivoting?

Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or ‘foothold’) to be able to “move” around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems. In this scenario we will be using it for routing traffic from a normally non-routable network.

What is the best way for pivoting?

Well if you are doing an penetration testing or security assessment and you need to test the internal network, don’t forget to request a VPN access. VPNs are the best way to tunnel your traffic through there internal networks without being restricted.

I do not have a VPN, but I have a shell.

You are in a “bad” spot and you have to be a bit inventive.

Option 1 :

Learn about Listen — Listen, Listen — Connect, Connect — Connect pivoting types and try harder!

Option 2 : Be a smart individual, hunt for stored or hardcoded credentials, hunt for users bash history or even cat /etc/shadow to future brute force them.

I do not have a VPN, but I have SSH access to a server.

Jackpot. One word: sshuttle

It even speaks by itself and solves the following common case:

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.
  • You have access to a remote network via ssh.
  • You don’t necessarily have admin access on the remote network.
  • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
  • You don’t want to create an ssh port forward for every single host/port on the remote network.
  • You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
  • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below).


sudo pip install sshuttle


sshuttle — dns -r USERNAME@IPADDRESS:PORT 0/0 -vv

And that is it! You are in.

SSHuttle demo:

The documentation for the latest development version is available at:

Thanks to:, and


Written by


A common IT Security Specialist, Hacker, Scout and much more.