If you’ve tried pivoting nmap through an SSH jump host, you’ve probably hit one of two outcomes: every port comes back as filtered, or every port comes back as open. Both are wrong, and in this post I will show you how I got to a satisfying result. (Spoiler: using ligolo-ng.)

Scenario: You’ve got an attack host, a pivot you can SSH into, and a target on an internal subnet that’s only reachable from the pivot:

Attack Host (10.10.14.12) --> Pivot (10.129.229.129) --> Target (172.16.5.35)

The target lives on 172.16.5.0/24. You want to scan it from your attack host and get real results.

Failed approach 1: SSH dynamic forward + proxychains

The textbook answer (or rather the one I learned in HTB Academy): open a SOCKS proxy with SSH, point proxychains at it, run nmap.

> ssh -D 9050 -i ~/.ssh/id_rsa user@pivot-host
> proxychains nmap -sT -Pn -n 172.16.5.35

nmap result:

PORT     STATE    SERVICE
22/tcp   filtered ssh
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server…
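The two bad outcomes described above (every port filtered, every port open) share one symptom: the whole scan reports a single state, which says more about the proxy path than about the target. The following is an added example, not code from the original post, that checks an nmap result for exactly that symptom; the sample outputs are constructed from the scan shown above and a made-up trustworthy scan.

```shell
# Added example (not from the original post): sanity-check an nmap result
# that was run through a pivot. If every reported port has the same state
# (all "filtered" or all "open"), the proxy path is the likely culprit,
# not the target. Reads nmap's normal output on stdin.
classify_scan() {
    # Keep only port lines like "22/tcp filtered ssh" and collect distinct states.
    states=$(awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { print $2 }' | sort -u)
    count=$(printf '%s\n' "$states" | grep -c . || true)
    case "$count" in
        0) echo "no-ports" ;;
        1) echo "suspicious:$states" ;;
        *) echo "mixed" ;;
    esac
}

# Constructed sample: the all-filtered output from the proxychains attempt.
SAMPLE_FILTERED='PORT     STATE    SERVICE
22/tcp   filtered ssh
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server'

# Constructed sample of a result worth trusting: a mix of states.
SAMPLE_MIXED='PORT     STATE  SERVICE
22/tcp   open   ssh
135/tcp  closed msrpc
445/tcp  open   microsoft-ds'

printf '%s\n' "$SAMPLE_FILTERED" | classify_scan   # suspicious:filtered
printf '%s\n' "$SAMPLE_MIXED" | classify_scan      # mixed
```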