Hello friend!!
In this blog post, I will discuss two pivoting techniques:
- Pivoting using SSH
- Pivoting using Metasploit
What is pivoting?
Pivoting is the art of using access obtained over one machine to exploit another machine deeper in the network. It is one of the most essential aspects of network penetration testing.
The public-facing server in the above picture has two interfaces, one facing the public network and the other facing the internal network. If an attacker has compromised the public-facing server and wishes to gain access to the internal network, he has to route his network traffic through that server to reach it. In simpler terms, the server is used as a proxy for reaching the internal network, and this process is called pivoting.
Pivoting using SSH
Pivoting through an SSH tunnel is only possible when we have SSH access to the target.
For demonstration, I am using the Wreath network from TryHackMe!
In this case, we have compromised a server and found two other machines in the internal network, one of which has an HTTP server listening. Our task is now to access that website from the attacker's machine, using the compromised server and the credentials to SSH into it.
This shows the machine in the internal network which has an HTTP server listening but cannot be accessed directly from the attacker's machine.
Now, to pivot into the internal network, we create an SSH local port forward. The options used are:
- -L: creates a local port forward
- 8000: the port to bind on the attacker's machine
- 10.200.48.150: the target IP in the internal network
- id_rsa: the private key used to authenticate to the compromised server
- -f: backgrounds the SSH process once the forward is established
- -N: indicates that no remote command is to be executed, only the forwarding
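The -L forward described above only works because the compromised server's sshd permits TCP forwarding, which is its default. As an added example that is not part of the original post, the following Python audits the global section of an sshd_config for the directives that control this; the weak and hardened configurations are constructed here, and Match blocks are deliberately out of scope, as noted in the comments.

```python
import re

# Directives that let an SSH login be turned into a network pivot: the value
# sshd assumes when the directive is absent, and the hardened value.
# sshd honours the first occurrence of a directive and ignores later ones.
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding": ("yes", "no"),
    "gatewayports": ("no", "no"),
    "permittunnel": ("no", "no"),
    "allowagentforwarding": ("yes", "no"),
}

def parse_global_section(config_text):
    """Return {keyword: value} for directives before the first Match block."""
    # Assumption of this simplified parser: Match blocks (per-user or
    # per-group overrides) are out of scope; keywords are case-insensitive.
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def audit_forwarding(config_text):
    """List the directives whose effective value still permits pivoting."""
    settings = parse_global_section(config_text)
    findings = []
    for key, (default, hardened) in FORWARDING_DIRECTIVES.items():
        effective = settings.get(key, default)
        if effective != hardened:
            findings.append(f"{key}={effective}")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """
# Forwarding left at its defaults, so a stolen key allows ssh -L via this host
GatewayPorts yes
"""
HARDENED_CONFIG = """
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
Match User deploy
    AllowTcpForwarding local
"""
```

Running audit_forwarding on WEAK_CONFIG reports the three directives still at permissive values, while HARDENED_CONFIG yields no findings.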
Pivoting using Metasploit
Once we have a Meterpreter shell on the server, we can pivot using it as follows:
These are just two of many pivoting techniques. For further reading and hands-on experience, do check out the Wreath network from TryHackMe, which can be accessed by just getting a 7-day streak.