Pentesting Cheatsheet

Pivoting

Pivoting allows you to attack machines or networks that would otherwise be unreachable. To some extent pivoting depends on port forwarding; where it does not, the compromised machine may simply have permissions through a firewall, or access to things, that other hosts do not. I don't think pivoting necessarily depends on port forwarding, though it might be a component. Pivoting is just using a computer or device that has been compromised to attack and compromise other devices in the network.

Thus, pivoting is a pentester's term, whereas in networking we call it a proxy. So we can say that pivoting happens through port forwarding, while routing is just packets being routed to their destination.

We use pivoting when there are two different networks, whereas we mostly use routing within a single network. In simple terms, if the machines are in the same network we can use routing; otherwise we pivot, via port forwarding.

When we are using the route command, you could say that we are using routing to pivot.

Some pivoting involves proxychains: you send specific routes over the proxy.

There are two main methods encompassed in this area of pentesting:

  • Tunnelling/Proxying: Creating a proxy-type connection through a compromised machine in order to route all desired traffic into the targeted network. This could potentially also be tunnelled inside another protocol (e.g. SSH tunnelling), which can be useful for evading a basic Intrusion Detection System (IDS) or firewall.

  • Port Forwarding: Creating a connection between a local port and a single port on a target, via a compromised host

A proxy is good if we want to redirect lots of different kinds of traffic into our target network -- for example, with an nmap scan, or to access multiple ports on multiple different machines.

Port Forwarding tends to be faster and more reliable, but only allows us to access a single port (or a small range) on a target device.

Tools for Pivoting are:

  • Meterpreter, autoroute along with proxychains

  • sshuttle (best) for *nix / Linux targets

    • If port 22 is closed, then socat can be used instead

  • iptables can also be used to port forward, if you want to stick with route tables on a different network

Tools for Routing are:

  • iptables, if the new set of machines is in a different network

    • iptables is the way to port forward

  • Route command / Static Routing

Enumeration

There are five possible ways to enumerate a network through a compromised host:

  1. Using material found on the machine. The hosts file or ARP cache, for example

  2. Using pre-installed tools

  3. Using statically compiled tools

  4. Using scripting techniques

  5. Using local tools through a proxy

Before anything else though, it's sensible to check whether there are any pieces of useful information stored on the target. arp -a can be used on Windows or Linux to check the ARP cache of the machine -- this will show you the IP addresses of hosts that the target has interacted with recently. Equally, static mappings may be found in /etc/hosts on Linux, or C:\Windows\System32\drivers\etc\hosts on Windows. /etc/resolv.conf on Linux may also identify any local DNS servers, which may be misconfigured to allow something like a DNS zone transfer (which is outside the scope of this content, but worth looking into). On Windows the easiest way to check the DNS servers for an interface is with ipconfig /all. Linux has an equivalent command as an alternative to reading the resolv.conf file: nmcli dev show.
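The enumeration step above, as an added example that is not part of the original page: a POSIX shell script that pulls candidate internal hosts out of the artifacts the compromised host already holds (ARP cache, hosts file, resolv.conf), so the pivot is planned from what the box already knows rather than from a noisy scan. The three inputs are constructed sample data embedded in the script; on a real host you would feed it the output of arp -a and the contents of /etc/hosts and /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example (not from the original page): collect candidate internal hosts
# from artifacts a compromised host already holds. All inputs below are
# constructed sample data so the script runs offline.

# Constructed `arp -a` output: Linux (net-tools) rows first, then Windows rows,
# so one parser has to cope with both layouts. 10.0.2.1 appears twice on purpose.
SAMPLE_ARP='? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
? (10.0.2.15) at 08:00:27:4e:66:a1 [ether] on eth0
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
Interface: 172.16.0.5 --- 0x4
  Internet Address      Physical Address      Type
  172.16.0.1            52-54-00-12-35-00     dynamic
  172.16.0.10           08-00-27-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static'

# Constructed /etc/hosts (the commented-out entry must be ignored).
SAMPLE_HOSTS='127.0.0.1   localhost
::1         localhost ip6-localhost
# 10.0.2.9  old-db
10.0.2.20   fileserver.internal fileserver
172.16.0.10 git.internal'

# Constructed /etc/resolv.conf.
SAMPLE_RESOLV='search internal
nameserver 172.16.0.1
nameserver 10.0.2.2'

# Dotted-quad matcher; [.] instead of \. so it survives awk -v unchanged.
IPV4='^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$'

# IPv4 addresses from `arp -a` output, Linux "? (a.b.c.d) at ..." or Windows
# "  a.b.c.d  mac  type" rows. The Windows "Interface:" header rows are skipped.
arp_ips() {
    printf '%s\n' "$1" | tr -d '()' | awk -v re="$IPV4" '
        $1 == "Interface:" { next }
        $1 ~ re { print $1 }
        $2 ~ re { print $2 }'
}

# IPv4 entries from a hosts file, ignoring comment lines.
hosts_ips() {
    printf '%s\n' "$1" | awk -v re="$IPV4" '
        /^[[:space:]]*#/ { next }
        $1 ~ re { print $1 }'
}

# Nameserver addresses from resolv.conf.
resolv_ips() {
    printf '%s\n' "$1" | awk -v re="$IPV4" '
        $1 == "nameserver" && $2 ~ re { print $2 }'
}

# Merge all sources, drop loopback (127/8) and multicast/reserved (224/8 and
# above), and de-duplicate. Arguments: arp output, hosts file, resolv.conf.
candidate_hosts() {
    { arp_ips "$1"; hosts_ips "$2"; resolv_ips "$3"; } \
        | awk -F. '$1 != 127 && $1 < 224' | sort -u
}

echo "Candidate internal hosts known to this foothold:"
candidate_hosts "$SAMPLE_ARP" "$SAMPLE_HOSTS" "$SAMPLE_RESOLV"
```

Run as-is it prints six addresses; the duplicate ARP entry, the multicast group, the commented-out hosts entry and loopback are all filtered. The same list is what a defender should expect an intruder to see first, which is one argument for keeping stale entries out of hosts files on jump boxes.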

Using route

Syntax : route

route add -net <network_address> gw <gatewayaddr> <interfacename>

route add -net 10.0.2.0/24 gw 192.168.0.1 eth1

Using ip

Syntax : ip route

  • Prints the routing table for the host you are on

ip route add [new network] via [gateway]
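What the route and ip route add commands above actually install, as an added example that is not part of the original page: a POSIX shell implementation of the longest-prefix-match lookup the kernel performs for each outgoing packet. The routing table (ROUTES) is constructed for the example and mirrors the page's route add -net 10.0.2.0/24 gw 192.168.0.1 eth1, plus a more specific /26 to show that the longest prefix wins; on a live host you would read the real table with ip route.

```shell
#!/bin/sh
# Added example (not from the original page): longest-prefix-match lookup over
# a constructed routing table, the decision the kernel makes after a route such
# as `route add -net 10.0.2.0/24 gw 192.168.0.1 eth1` has been installed.

# Constructed routing table, one "<prefix> <next hop> <interface>" per line.
# A next hop of 0.0.0.0 means the network is directly connected.
ROUTES='0.0.0.0/0 192.168.1.1 eth0
192.168.1.0/24 0.0.0.0 eth0
192.168.0.0/24 0.0.0.0 eth1
10.0.2.0/24 192.168.0.1 eth1
10.0.2.64/26 192.168.0.2 eth1'

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (length 0 gives 0).
mask_of() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Is address $1 inside network $2 ("a.b.c.d/len")?
in_net() {
    _net=${2%/*}; _len=${2#*/}; _mask=$(mask_of "$_len")
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# Longest-prefix match: print "<next hop> <interface>" for destination $1,
# or nothing (exit 1) when no route covers it. The heredoc keeps the loop in
# the current shell so best/best_len survive it.
next_hop() {
    best_len=-1; best=
    while read -r prefix gw dev; do
        len=${prefix#*/}
        if in_net "$1" "$prefix" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best="$gw $dev"
        fi
    done <<EOF
$ROUTES
EOF
    [ -n "$best" ] && echo "$best"
}

for dst in 10.0.2.7 10.0.2.100 192.168.0.9 8.8.8.8; do
    echo "$dst -> $(next_hop "$dst")"
done
```

10.0.2.7 leaves via the gateway from the page's route command, 10.0.2.100 is caught by the more specific /26, 192.168.0.9 is directly connected on eth1, and anything else falls through to the default route. Seeing the same decision in a few lines of shell makes it easier to reason about which gateway a pivot will actually use, and, from the defender's side, which unexpected routes on a host are worth an alert.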

Pivoting is the technique of using a compromised instance, also known as a "foothold", to "move" from place to place inside the compromised network. It uses the first compromised system as a foothold to compromise other devices and servers that are otherwise not directly reachable.

  • Pivoting - We can use sshuttle to create a tunnel, if we know SSH credentials and the SSH port is open.

  • Port Forwarding - If we discover some ports open only on localhost, via netstat -tulpn, we can use the port forwarding method via SSH.

  • Tunneling - Finally, if the SSH port is not open or we don't have credentials, we can use socat / Chisel to pivot across the network.

SSH Port Forwarding

ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212
  • We can port forward, or you could say SSH-tunnel, a port and expose it on your localhost

  • So the service on port 8000 of machine 10.10.10.212 will be forwarded to your localhost at localhost:8000

ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN

The -fN combined switch does two things: -f backgrounds the shell immediately so that we have our own terminal back. -N tells SSH that it doesn't need to execute any commands -- only set up the connection.
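The two steps described above (finding services bound only to localhost with netstat -tulpn, then forwarding them with ssh -L), as an added example that is not part of the original page. SAMPLE_NETSTAT is constructed netstat -tulpn output; the user@172.16.0.5 pivot in the usage loop is an assumed name. The last function adds the check a practitioner wants before running the forward: a -L spec with an explicit 0.0.0.0, '*' or empty bind address makes the tunnel entrance reachable from any host that can reach your attacking machine, not just from your own loopback.

```shell
#!/bin/sh
# Added example (not from the original page): list loopback-only listeners on
# the pivot, build the matching `ssh -L` command, and verify a -L spec keeps
# the tunnel entrance on the attacking machine's loopback.

# Constructed `netstat -tulpn` output as seen on the pivot.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1234/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      950/apache2
udp        0      0 127.0.0.1:53            0.0.0.0:*                           400/systemd-resolve'

# TCP ports bound to 127.0.0.0/8 only: reachable from the pivot itself but not
# from the network, which is exactly what a local forward makes accessible.
loopback_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^127\./ {
            n = split($4, a, ":"); print a[n]
        }'
}

# The ssh invocation from the page for one such port: the same port number on
# your loopback is mapped to 127.0.0.1:<port> as seen from the pivot.
forward_cmd() {   # forward_cmd <port> <user@pivot>
    echo "ssh -L $1:127.0.0.1:$1 $2 -fN"
}

# Exit 0 when a -L spec binds the listening side to loopback (ssh's default
# when no bind_address is given), 1 when an explicit 0.0.0.0, '*' or empty
# bind_address would offer the forwarded service to every host that can reach
# your attacking machine. Spec forms: port:host:hostport or
# bind_address:port:host:hostport (IPv4 hosts only in this check).
spec_is_loopback_only() {
    case "$1" in
        *:*:*:*) bind=${1%%:*} ;;
        *)       bind=127.0.0.1 ;;
    esac
    case "$bind" in
        127.*|localhost) return 0 ;;
        *)               return 1 ;;
    esac
}

for port in $(loopback_tcp_listeners "$SAMPLE_NETSTAT"); do
    echo "port $port is loopback-only on the pivot; forward it with:"
    echo "  $(forward_cmd "$port" user@172.16.0.5)"
done
```

For the sample data this reports ports 8000 and 3306; sshd on 0.0.0.0:22 and apache2 on :::80 are reachable directly and need no forward. The reverse direction shown in the plink.exe section below (-R) has the same bind-address semantics on the remote side, and plink's -i expects a key in PuTTY's own .ppk format rather than an OpenSSH private key.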

Using plink.exe

Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers; however, it is still a very useful tool, so we will cover it here.

If we have access to 172.16.0.5 and would like to forward a connection to 172.16.0.10:80 back to port 8000 on our own attacking machine (172.16.0.20), we could use this command:

cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -N

References:


Last updated 2 years ago


TryHackMe | Wreath