Pivoting is a technique used to route traffic through a compromised host on a penetration test.
When conducting an external penetration test you may need to route traffic through a compromised machine in order to compromise internal targets.
Pivoting lets you keep using the pen test tools on your attacking machine while their traffic is routed through the compromised host to other machines on its subnet, and potentially to other subnets that host can reach.
Dynamic SSH port forwarding (ssh -D) starts a local SOCKS proxy on the attacking machine; every connection sent through the proxy is made from the compromised host, so a single dynamic forward reaches any port on any subnet available to that host, instead of one static forward per port.
Dynamic Proxychain Warning
Dynamic proxychains SSH port forwarding does not work with nmap, and Metasploit's Meterpreter shells won't spawn through it. proxychains only intercepts TCP connect() calls, so nmap's raw-socket SYN scans, ICMP host discovery and UDP scans are not proxied at all (a TCP connect scan, proxychains nmap -sT -Pn, does go through the proxy, slowly), and a reverse Meterpreter payload cannot call back through the proxy because the SOCKS tunnel only carries connections initiated from the attacking side.
If you attempt to spawn a shell via Meterpreter through the proxy, you'll get an error instead of a session.
Using Proxychain port forwards
When using a proxychains port forward, every command needs to be prefixed with proxychains; it hooks the application's network calls and routes its TCP connections through the proxy configured in /etc/proxychains.conf, which must point at the local end of the SSH dynamic forward.
Connecting to RDP via Proxychains Dynamic Port Forwarding
root:~#proxychains rdesktop TARGET-IP
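What proxychains does for a command like the one above is, for each TCP connection the program opens, a SOCKS5 CONNECT exchange with the ssh -D listener. The following is an added example, not code from the original page: a hand-written SOCKS5 CONNECT client plus a constructed in-process SOCKS5 server that stands in for the ssh -D listener so the script runs offline. The proxy port 9050 and the target name internal-host are assumptions. The second half of demo() shows the failure you get when the pivot host cannot reach the requested port, which is also why nmap SYN scans and reverse shells never show up in this exchange: they never call connect() at all.

```python
# Added example, not from the original page: the SOCKS5 CONNECT exchange that proxychains
# performs for every connect() it hooks. The proxy address 127.0.0.1:9050 is an assumed
# 'ssh -D 9050' listener; FakeSocksProxy is a constructed stand-in for it so this runs offline.
import socket
import struct
import threading

SOCKS5_REPLIES = {  # RFC 1928 reply codes, the names proxychains prints on failure
    0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported",
}


def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields are fixed-size, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(dst_host, dst_port, proxy_host="127.0.0.1", proxy_port=9050, timeout=10):
    """Return a TCP socket to dst_host:dst_port tunnelled through a SOCKS5 proxy.
    dst_host is sent as a domain name (ATYP 3) so the pivot resolves it, like proxy_dns."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")                 # VER 5, one method offered: no authentication
        ver, method = _recv_exact(sock, 2)
        if ver != 5 or method != 0x00:
            raise ConnectionError("proxy rejected the no-auth method")
        name = dst_host.encode()                      # VER CMD=CONNECT RSV ATYP=3 len name port
        sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dst_port))
        _ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        if rep != 0x00:
            raise ConnectionError("CONNECT %s:%d failed: %s"
                                  % (dst_host, dst_port, SOCKS5_REPLIES.get(rep, hex(rep))))
        if atyp == 0x03:                              # drain BND.ADDR (+ 2-byte BND.PORT) so the
            addr_len = _recv_exact(sock, 1)[0]        # stream is positioned at the tunnelled data
        elif atyp in (0x01, 0x04):
            addr_len = 4 if atyp == 0x01 else 16
        else:
            raise ConnectionError("unknown ATYP %d in reply" % atyp)
        _recv_exact(sock, addr_len + 2)
    except Exception:
        sock.close()
        raise
    sock.settimeout(None)                             # handshake timeout must not kill the session
    return sock


class FakeSocksProxy(threading.Thread):
    """Constructed stand-in for 'ssh -D': (name, port) pairs in `reachable` get CONNECT success
    and an echo service; anything else gets reply 0x05, as a pivot reports for a closed port."""
    def __init__(self, reachable):
        super().__init__(daemon=True)
        self.reachable = reachable
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            _recv_exact(conn, _recv_exact(conn, 2)[1])   # greeting: skip the offered methods
            conn.sendall(b"\x05\x00")                     # choose no-auth
            _recv_exact(conn, 4)                          # VER CMD RSV ATYP (client always sends ATYP 3)
            name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
            port = struct.unpack("!H", _recv_exact(conn, 2))[0]
            rep = 0x00 if (name, port) in self.reachable else 0x05
            conn.sendall(bytes([0x05, rep, 0x00, 0x01]) + bytes(6))   # zeroed BND.ADDR/BND.PORT
            while rep == 0x00:                             # success: echo the tunnelled bytes
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)


def demo():
    """Tunnel to a reachable internal name, then to a port the pivot cannot reach."""
    proxy = FakeSocksProxy(reachable={("internal-host", 3389)})
    proxy.start()
    with socks5_connect("internal-host", 3389, proxy_port=proxy.port) as s:
        s.sendall(b"hello through the pivot")
        echoed = _recv_exact(s, 23)
    try:
        socks5_connect("internal-host", 445, proxy_port=proxy.port)
        refused = None
    except ConnectionError as exc:
        refused = str(exc)
    return echoed, refused
```

Run demo() to see both outcomes. Against a real ssh -D listener, socks5_connect() can be used directly from your own scripts when a tool cannot be wrapped with proxychains; sending the target as a domain name keeps DNS resolution on the pivot, which is what proxy_dns achieves in proxychains.conf.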
Configure Metasploit to use an SSH Pivot
The following is an example of how to configure Metasploit to use an SSH port forward. In this example local port 9999 is forwarded over SSH to the target service, so Metasploit is pointed at the local end of the forward on port 9999 rather than at the target's real address, and the attacking machine has an IP address of 192.168.2.100:
Don’t use 127.0.0.1 with Metasploit
Update: You can now use 127.0.0.2
Other 127.0.0.0/8 addresses can also be used (127.0.0.3, 127.0.0.4 etc.), but not 127.0.0.1.
The example above uses 0.0.0.0, not 127.0.0.1: never use 127.0.0.1 with Metasploit, or anything you attempt post exploitation fails with an error.
Meterpreter Pivoting Cheatsheet
Assuming you've compromised the target machine and have a Meterpreter shell, you can pivot through it by setting up a Meterpreter port forward.
Command (typed at the meterpreter > prompt unless noted)
    Description

portfwd add -l 3389 -p 3389 -r target-host
    Forwards local port 3389 (RDP) to port 3389 on target-host, via the compromised machine running the Meterpreter shell
portfwd delete -l 3389 -p 3389 -r target-host
    Removes the port forward from local port 3389 to port 3389 on target-host
portfwd flush
    Deletes all Meterpreter port forwards
portfwd list
    Lists the active Meterpreter port forwards
run autoroute -s 192.168.15.0/24
    Uses Meterpreter's autoroute script to add a route to the 192.168.15.0/24 subnet through this session
run autoroute -p
    Lists all active routes
route
    Shows the compromised host's own routing table, i.e. the networks it can reach
route add 192.168.14.0 255.255.255.0 3
    From the msf > prompt: adds a route for 192.168.14.0/24 via session 3
route remove 192.168.14.0 255.255.255.0 3
    From the msf > prompt: deletes the route for 192.168.14.0/24 via session 3
route flush
    From the msf > prompt: deletes all routes
Meterpreter Port Forwards are flaky
Meterpreter port forwards can be a bit flaky, and a forward only exists while the Meterpreter session that owns it remains open: if the session dies, so does the forward.
To connect to the forwarded service you point the client at the local end of the forward (local port 3389 in the portfwd add example above), and the traffic reaches the target through the compromised machine:
Connect to RDP via Meterpreter Port Forward
root:~#rdesktop 127.0.0.1
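Both ssh -L and portfwd add come down to the same thing: a listener on the local port, and for every client that connects, a fresh connection to the remote host and port with bytes copied in both directions. The following is an added example, not code from the original page, that implements that relay in Python so the mechanism behind the rdesktop 127.0.0.1 step above is visible. EchoTarget is a constructed stand-in for the internal service, and the second forward in demo() shows what happens when the target is unreachable from the pivot: the client is simply dropped, which is what a dead or flaky forward looks like from the operator's side.

```python
# Added example, not from the original page: a user-space TCP port forward, the mechanism
# behind 'ssh -L' and meterpreter 'portfwd add -l <lport> -p <rport> -r <rhost>'. The client
# talks to the local end (as 'rdesktop 127.0.0.1' does above) and the forward opens the real
# connection to the target. EchoTarget is a constructed stand-in for the internal service.
import contextlib
import socket
import threading


def _pump(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so its peer sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass                                    # either side torn down: end this direction
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


class PortForward(threading.Thread):
    """Listen on local_port; every accepted client gets its own connection to remote."""
    def __init__(self, remote_host, remote_port, local_host="127.0.0.1", local_port=0):
        super().__init__(daemon=True)
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((local_host, local_port))   # port 0 lets the OS pick one (demo only)
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]
        self.connections = 0                            # sessions forwarded so far

    def run(self):
        while True:
            client, _ = self.listener.accept()
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.remote, timeout=5)
        except OSError:
            client.close()          # pivot cannot reach the target: drop the client
            return
        upstream.settimeout(None)   # the connect timeout must not kill an idle session
        self.connections += 1
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)     # returns once the target side is done
        upstream.close()
        client.close()


class EchoTarget(threading.Thread):
    """Constructed internal service (think RDP on Target 2) that echoes with a prefix."""
    def __init__(self):
        super().__init__(daemon=True)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()

    def _echo(self, conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(b"echo:" + data)


def _closed_port():
    with socket.socket() as s:      # bind, read the port back, release it: nothing listens there
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Forward to a live target, then to a port the pivot cannot reach."""
    target = EchoTarget()
    target.start()
    fwd = PortForward("127.0.0.1", target.port)
    fwd.start()
    with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as s:
        s.sendall(b"ping")
        reply = b""
        while len(reply) < len(b"echo:ping"):
            reply += s.recv(64)
    dead = PortForward("127.0.0.1", _closed_port())
    dead.start()
    with socket.create_connection(("127.0.0.1", dead.local_port), timeout=5) as s:
        dropped = s.recv(64) == b""     # relay closed us without sending anything
    return reply, fwd.connections, dropped
```

Run demo() to exercise both paths. On a real engagement the same PortForward class started on the pivot host with local_host set to the pivot's address is the poor man's portfwd when neither SSH nor Meterpreter is available; note that, exactly like a Meterpreter forward, it lives only as long as the process that owns the listener.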
Pivoting Example Diagrams
Pivoting can be a bit hard to understand on paper, so here are some diagrams for clarification with the associated commands.
Starting Point
You'll need access to a compromised machine on the target network; depending on how that machine is configured (for example, whether your account is allowed to open SSH port forwards), you may or may not need root.
With an SSH local port forward from the attacking machine's port 3389 to Target 2's RDP port in place, you could then connect to Target 2's RDP server using:
Connecting to RDP via SSH Port Forwarding
root:~#rdesktop 127.0.0.1
SSH and Meterpreter Pivoting
This example uses SSH pivoting and Meterpreter port forwarding to access machines on subnet 2.
Example commands
The above commands would be leveraged to reach Target 2 over SSH port forwarding; from Target 2 to Target 3, Meterpreter port forwarding would be used. Follow the Meterpreter port forwarding example above for an MS08-067 example.