Pivoting

Pivoting involves using a compromised host (Victim 1) to reach other systems on that host's private internal network (Victim 2) that are otherwise inaccessible to the attacker.

Routing

Once the initial target has been compromised, a new route can be added so that traffic for the private network is sent through that session.

# Manually add a route through an existing session (run from msfconsole)
# Example: route add 192.168.100.0/24 2
route add TARGET_IP/NETMASK SESSION_ID

# Delete a route
route del TARGET_IP/NETMASK SESSION_ID

# Display the active routing table
route print

# Automatically add a route to the second network (run from Meterpreter)
run autoroute -s IP/SUBNET_RANGE

# Display the active routing table
run autoroute -p

You can also use the Metasploit module post/multi/manage/autoroute from the msfconsole prompt.
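To make the route table above concrete, here is an added example (not Metasploit's own code) that models how a pivot routing table maps a target IP to the session that will relay traffic for it, using longest-prefix match. The class name, method names and sample subnets are assumptions chosen for the illustration; it accepts both the CIDR and the dotted-netmask forms shown above.

```python
import ipaddress


class PivotRouteTable:
    """Toy model of a Metasploit-style pivot routing table (added example,
    not Metasploit's implementation). Each route maps a subnet to the session
    id whose compromised host relays traffic for that subnet."""

    def __init__(self):
        self.routes = {}  # ipaddress.IPv4Network -> session id

    @staticmethod
    def _parse(net, mask=None):
        # Accept "192.168.100.0/24" or ("192.168.100.0", "255.255.255.0").
        spec = net if mask is None else f"{net}/{mask}"
        return ipaddress.ip_network(spec, strict=False)

    def add(self, net, session, mask=None):
        self.routes[self._parse(net, mask)] = int(session)

    def delete(self, net, session, mask=None):
        # Only removes the route if it points at the given session.
        key = self._parse(net, mask)
        if self.routes.get(key) == int(session):
            del self.routes[key]
            return True
        return False

    def lookup(self, ip):
        """Session id that would carry traffic to ip, or None when no pivot
        route matches (traffic then leaves the attacker's own interface).
        Longest-prefix match, as in an ordinary routing table."""
        addr = ipaddress.ip_address(ip)
        hits = [(n.prefixlen, s) for n, s in self.routes.items() if addr in n]
        return max(hits)[1] if hits else None

    def print_table(self):
        lines = ["Subnet             Netmask          Gateway"]
        for n, s in sorted(self.routes.items(), key=lambda kv: kv[0]):
            lines.append(f"{str(n.network_address):<18} {str(n.netmask):<16} Session {s}")
        return "\n".join(lines)


if __name__ == "__main__":
    rt = PivotRouteTable()
    rt.add("192.168.100.0/24", 2)          # route add 192.168.100.0/24 2
    rt.add("10.10.0.0", 1, "255.255.0.0")  # route add 10.10.0.0 255.255.0.0 1
    print(rt.print_table())                # like: route print
    print(rt.lookup("192.168.100.10"))     # 2
```

A wrong netmask is the usual cause of "the scan never reaches Victim 2": the lookup silently returns None and the packets leave your own NIC instead of the session.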

Scanning

Use the portscan module to scan the second network through the route added above:

use auxiliary/scanner/portscan/tcp
set RHOSTS VICTIM_2_IP
set PORTS 1-100
run

Metasploit Port Forwarding

From Meterpreter, set up port forwarding to perform service version enumeration. Once a port forward is added, the service can be enumerated either from Metasploit or from a normal shell.

# Add a new port forward (run from Meterpreter)
# IMPORTANT: -r takes the IP of VICTIM_2, the host behind the pivot
portfwd add -l LOCAL_PORT -p VICTIM_2_PORT -r VICTIM_2_IP
# Example: portfwd add -l 8080 -p 80 -r 192.168.100.10

# List port forwards
portfwd list

# Flush/delete all port forwards
portfwd flush

# Version scan of Victim 2's port 80 through the forward
# Note: since the port is forwarded locally, we scan 127.0.0.1 on LOCAL_PORT
db_nmap -sS -sV -p LOCAL_PORT 127.0.0.1

When exploiting a vulnerable service through a pivot, a reverse shell might not be able to route back to your attacking machine. A bind shell is usually needed: set PAYLOAD windows/meterpreter/bind_tcp.

auxiliary/server/socks_proxy

Use the SOCKS proxy server to reach hosts behind the pivot from your attacker machine, wrapping your tools with proxychains.

# Read the proxychains configuration to ensure the port matches your MSF module
cat /etc/proxychains4.conf

# In msfconsole (the proxy relies on the route(s) added in the Routing section
# to know which session carries traffic for the internal network):
use auxiliary/server/socks_proxy
set SRVPORT PROXYCHAINS_PORT
set VERSION PROXYCHAINS_VERSION
run -j

# Run nmap through proxychains from your standard terminal
# IMPORTANT: use TCP connect (-sT) and disable ping (-Pn). A SOCKS proxy cannot
# carry ICMP (ping) or raw packets, which nmap uses for its default -sS SYN scan.
proxychains nmap -sT -Pn TARGET2_IP

SSH Port Forwarding

SSH Local Port Forwarding

# Access a port on Victim 2 through Victim 1
# -L: local port forwarding, followed by local_port:remote_address:remote_port
ssh -L LOCAL_PORT:VICTIM2_IP:VICTIM2_PORT user@VICTIM1_IP

Internal Network Enumeration via SSH Tunneling and Proxychains

  1. Set up dynamic port forwarding using SSH: ssh -i id_rsa -D 1337 user@TARGET_IP

  2. Set up proxychains for the dynamic port forward. Ensure you have commented out socks4 127.0.0.1 9050 in your proxychains configuration and add socks5 127.0.0.1 1337 to the end of the configuration file (/etc/proxychains.conf). The file name may vary depending on the distro you are using.

  3. Run a port scan through proxychains to enumerate internal ports on the server: proxychains nmap -sT 127.0.0.1 (the connections are opened by the SSH server, so 127.0.0.1 here is its loopback interface, not yours).

  4. After finding the port of the webserver, perform local port forwarding to that port using SSH with the -L flag: ssh -i id_rsa -L 80:127.0.0.1:<REMOTE_PORT> user@VICTIM1_IP

Ping Sweep

Useful resource: CLI ninja: Ping Sweep

# Ping sweep of a /24 (replace 192.168.1 with the subnet to enumerate); hosts that
# answer are printed, each ping runs in the background so the loop finishes quickly
for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done