Tunneling and port forwarding tools used during red teaming assessments

January 17, 2022 by Pedro Tavares

Security experts traverse network boundaries to reach internal infrastructure and sensitive information, even in the most protected environments. With tunneling and port-forwarding methods, a pivot machine inside the internal network can be used as a bounce host to reach otherwise unrouted networks, critical devices and Active Directory assets, including the domain controller, across the whole perimeter.

Most Popular Tools


Sshuttle is a transparent proxy server over SSH that works as a simple VPN. It doesn't require admin access on the remote host and forwards the traffic over the SSH protocol. This tool also supports DNS tunneling for cases where direct TCP communication is blocked.


To transfer traffic to via the pivot, we can use the following command:

sshuttle -r ptavares@

After that, sshuttle will create the iptables rules, and the communication can be done by using a command like this:

curl --head


SSH Tunneling

If you can reach an SSH server on the target, connect with the -D flag. With this flag in place, ssh spawns a SOCKS server on the client side, and any tool that speaks SOCKS can then route its connections through the SSH session.

ssh ptavares@ -D 1080

On the other hand, forwarding a single local port to a single remote service is also possible using the -L flag.

ssh ptavares@ -L 445:

nmap -p 445 

More details can be found here.
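The SOCKS server that ssh -D spawns speaks SOCKS5 (and SOCKS4), and this is what curl --socks5-hostname or proxychains talk to on 127.0.0.1:1080. The following added example (not code from the original article) implements that client-side handshake in Python so the framing is visible: the greeting, the CONNECT request carrying the hostname (so DNS resolution happens on the far side of the tunnel) and the reply check. The proxy address, hostname and port in the usage call are constructed placeholders.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00          # method 0: no authentication (what ssh -D offers)
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03      # address type 3: length-prefixed domain name
REP_SUCCEEDED = 0x00


def build_greeting() -> bytes:
    """Client hello: version 5, one method offered, method = no-auth."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with ATYP=3 so the proxy resolves the name remotely."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 ATYP=3 (max 255 bytes)")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_reply(data: bytes) -> int:
    """Return the REP field of a server reply; 0 means the connection was made."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def connect_via_socks5(proxy: tuple, host: str, port: int, timeout=5.0) -> socket.socket:
    """Open a TCP connection to host:port through a SOCKS5 proxy and return it."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_greeting())
        choice = s.recv(2)
        if len(choice) != 2 or choice[0] != SOCKS_VERSION or choice[1] != NO_AUTH:
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(build_connect(host, port))
        rep = parse_reply(s.recv(262))   # max reply: 4 + 1 + 255 + 2 bytes
        if rep != REP_SUCCEEDED:
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#x}")
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Placeholder values: the ssh -D listener and an internal host behind the pivot.
    conn = connect_via_socks5(("127.0.0.1", 1080), "intranet.example.internal", 80)
    conn.sendall(b"HEAD / HTTP/1.0\r\nHost: intranet.example.internal\r\n\r\n")
    print(conn.recv(4096).decode(errors="replace"))
```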


Rpivot is a SOCKS-proxy-based pivoting tool that works like an SSH dynamic proxy (the -D option), but in reverse order: the target machine connects out to the auditor's server, which then exposes the SOCKS port.

Server (auditor's machine):

python --proxy-port 1080 --server-port 9443 --server-ip

Client (target machine):

python --server-ip <ip> --server-port 9443

The server will create a SOCKS proxy on port 1080 that forwards all the traffic through the client, i.e. the target machine.

This approach also works in Active Directory networks where outbound traffic has to pass through an NTLM-authenticating proxy, using the following syntax:

python --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
    --ntlm-proxy-port 8080 --domain CORP --username ptavares --password !


Meterpreter - autoroute

Port forwarding and pivoting can also be done with Metasploit's Meterpreter, combined with the powerful proxychains tool.

To automatically route, use the following:

run autoroute -s

run autoroute -p

use auxiliary/server/socks4a

set SRVPORT 8080


proxychains curl

More information about this scenario is here.



Chisel is a tool that encapsulates a TCP session in an HTTP tunnel while securing it via SSH. In detail, the communication is fully encrypted via SSH, and it supports mutual authentication, automatic reconnection, and has its own SOCKS5 proxy server.

Local port forwarding via Chisel

Pivot machine:

$ chisel server -p 8080 --host -v

Auditor’s machine:

$ chisel client -v

$ curl --head

Reverse remote port forwarding

Auditor’s machine:

$ chisel server -p 8888 --host --reverse -v

Pivot machine:

$ chisel client -v R:

$ curl --head

A full scenario using Chisel can be found here.


Web-proxies / reGeorg and Tunna

ReGeorg and Tunna are very similar: both use a web shell on the compromised web server to create a local SOCKS proxy. This is an excellent option in the most restrictive scenarios, for instance when all TCP communication, bind services and outgoing traffic are blocked and only HTTP to the web server is allowed.

The steps to create the scenario are the following:

  • Upload the tunnel file (aspx|ashx|jsp|php) to the target web server, using whatever access was obtained when the server was compromised.
  • Start the local SOCKS proxy pointing at the uploaded tunnel:

$ python -p 8080 -u http://server:8080/tunnel.jsp




A list of real scenario examples and the effectiveness of various port forwarding and tunneling methods can also be accessed in this article.



Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.