pivoting with ssh and proxychains

single pivot

you want to address non-routable hosts within a private network (

you need

  • proxychains or proxychains-ng (AKA proxychains4) with default configuration (local port 9050)
  • ssh credentials for the gateway machine

root@kali:~# sshpass -p password ssh -D 9050 user@gateway

root@kali:~# proxychains nmap -n -p80 -sT 

nested pivots

you are already pivoting into a private network (, but you want to pivot through that into yet another private network (

you need

  • proxychains-ng, AKA proxychains4
  • ssh credentials for the gateway machine

root@kali:~# proxychains sshpass -p password ssh -D 9051 user@innergateway

root@kali:~# cp /etc/proxychains.conf .

root@kali:~# gedit proxychains.conf (change port to 9051)

root@kali:~# proxychains4 -f $PWD/proxychains.conf nmap -n -p80 -sT 



apt-get install proxychains
wget https://github.com/rofl0r/proxychains-ng/archive/master.zip
unzip master.zip
cd *master
./configure --prefix=/usr --sysconfdir=/etc
make install

proxychains and nmap

  • nmap via proxychains is many times slower than running nmap from the gateway host itself, but of course doesn’t touch disk
  • tcp syn scanning (-sS) via proxychains didn’t work for me, i had to use connect scanning (-sT)
  • nmap through a nested pivot with fingerprinting enabled (-sV, -O or -A) caused nmap to segfault

proxychains vs proxychains-ng

  • an app that doesn’t proxify well with one (in single or multiple pivot conditions), can often work fine with the other
  • proxychains-ng allows one to specify the configuration file to use (-f), whereas proxychains either uses the systemwide default or the one in the CWD
  • through experimentation with single and nested pivots, my preferences are:
    • proxychains for running apps over the initial pivot, and for establishing nested pivots
    • proxychains-ng for running apps over nested pivots

proxychains-ng/4 oddities

  • -f in proxychains4 only works properly if supplied the full path
    • proxychains4 -f proxychains.conf … => no
    • proxychains4 -f ./proxychains.conf => no
    • proxychains4 -f /path/to/proxychains.conf => yes
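
the nested-pivot config step (copy the config, change the port) combined with the full-path requirement for -f, as an added example that is not part of the original post. mk_pivot_conf and its default output name are hypothetical, and it assumes the config has an active localhost socks4/socks5 entry like the stock one.

```shell
#!/bin/sh
# added example: mk_pivot_conf is a hypothetical helper, not part of proxychains.
# usage: proxychains4 -f "$(mk_pivot_conf 9051)" <command>

mk_pivot_conf() {
    port=$1                                  # local port of the new ssh -D listener
    src=${2:-/etc/proxychains.conf}          # config to copy (assumed default location)
    out=${3:-proxychains-$port.conf}         # copy to write, relative to the CWD

    # accept only a plausible TCP port number
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # rewrite only active localhost socks entries; commented lines stay untouched
    sed -E "s/^(socks[45][[:space:]]+127\.0\.0\.1[[:space:]]+)[0-9]+/\1$port/" \
        "$src" > "$out" || return 1

    # stop if nothing was rewritten, otherwise traffic would still use the old port
    if ! grep -Eq "^socks[45][[:space:]]+127\.0\.0\.1[[:space:]]+$port([[:space:]]|\$)" "$out"; then
        echo "no localhost socks entry found in $src" >&2; return 1
    fi

    # proxychains4 -f needs the full path, so print an absolute one
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s/%s\n' "$PWD" "$out" ;;
    esac
}
```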
