Pivoting to Access Networks in Penetration Testing
Penetration testing is the process of simulating a cyberattack against a computer system or network to identify and fix vulnerabilities. Pivoting in penetration testing is a technique in which the ethical hackers—also known as white-hat hackers—simulating the attack can move from one system to another.
Below, we’ll go over everything you need to know about pivoting in penetration testing, including how it works, the different types of pivoting in penetration testing, and how to become a penetration tester.
What Is Pivoting in Penetration Testing?
During a cyberattack, the attackers rarely gain entrance to the entire network at once. Instead, attackers often focus on gaining access to a network via a single weak point. This is typically done through techniques such as phishing, malware, or scanning for security holes. Once inside the network, the attackers attempt to conceal themselves while moving to other systems connected to this point of entry.
In penetration testing, pivoting is the act of using a compromised system to spread between different computer systems once inside the network, simulating the behavior of a real attacker. This compromised machine is sometimes referred to as the “instance,” “plant,” or “foothold.”
After obtaining a foothold, penetration testers scan the network for other subnets and machines, looking for the most valuable (and vulnerable) points of attack. For example, an administrator machine may grant the attacker additional privileges and unlock new possible operations. Gaining access to these connected systems is easier from the inside because penetration testers can use the compromised machine’s credentials and try to disguise their behavior as legitimate network traffic.
Pivoting is closely related to the concept of lateral movement in cybersecurity, and the terms are often used interchangeably. However, “pivoting” is most accurately used to refer to the act of moving from host to host, while “lateral movement” also includes the act of privilege escalation (gaining access to other users and accounts) on the same machine.
What Are the Different Types of Pivoting in Penetration Testing?
There are multiple ways for penetration testers to perform pivoting. Below are a few of the most common types of pivoting in penetration testing:
Port forwarding: The attacker creates a tunnel between two machines via open TCP/IP ports, forwarding packages and traffic from one to another. There are multiple forms of port forwarding:
- Local port forwarding: The compromised machine “listens” for data and instructions from the attacker’s machine, allowing the attacker to access internal services.
- Remote port forwarding: The attacker maps ports on their machine to local ports on the compromised machine, allowing them to reach internal services through an SSH connection.
- Dynamic port forwarding: The attacker creates a SOCKS proxy server for tunneling traffic, with the compromised machine acting as a middleman between the attacker’s machine and internal services.
VPN pivoting: The attacker starts a virtual private network (VPN) client on the compromised machine, accessing a remote VPN server. The attacker then sends data from the server to the client and can also access information (e.g., network traffic) from the compromised machine by sending data from the client to the server.
Proxy pivoting/SSH pivoting: The attacker establishes a local proxy server through SSH. Any connections to the designated port are then forwarded through the proxy to their final destination.
Routing tables: The attacker changes the routing table of the compromised machine to add a new route. This route will require any traffic sent to the destination to tunnel through the defined gateway, allowing the attacker to capture this data.
Regardless of which types of pivoting are used in penetration testing, the ultimate goal is to remain undetected for as long as possible while performing reconnaissance and accessing valuable files and information.
How Do Penetration Testers Pivot?
We’ve talked about the various types of pivoting in penetration testing at a conceptual level—but how do penetration testers pivot on a technical level? Below are just a few tools and techniques for how penetration testers pivot in a real-world scenario.
Meterpreter is a payload available through the Metasploit penetration testing software that gives the attacker an interactive, invisible shell for running commands and controlling the compromised machine.
Using Meterpreter, penetration testers can use the routing table pivoting method discussed above via the autoroute command. For example, the command:
meterpreter> run autoroute -p
prints the active routing table
meterpreter> run autoroute -s 10.1.1.0 -n 255.255.255.0
adds a route to 10.10.10.1/255.255.255.0.
proxychains is a tool for Unix systems that allows users to route any TCP connection through HTTP or a SOCKS proxy. As discussed above, this can be used for proxy pivoting.
To start using proxychains, penetration testers can simply edit the proxychains.conf configuration file, which contains a list of the proxy servers used on the local machine. By specifying the desired host and port number, attackers can add a new local proxy server to conceal their activities. Attackers can even chain multiple proxies together, which makes the task of evading detection (and being traced once detected) even more difficult.
The sshuttle tool describes itself as “where transparent proxy meets VPN meets ssh.” sshuttle takes a hybrid approach, combining elements of both VPNs and SSH port forwarding to create a tunnel for exchanging network packets.
Using sshuttle, penetration testers can establish a VPN connection between a local machine and any remote server with Python installed and that is available via SSH. For example, the command below redirects the network 192.168.30.0/24 to the local machine at the address 192.168.10.5:
sshuttle -r [email protected] 192.168.30.0/24
pwncat is a platform for attackers to exploit a compromised system after gaining entry, including tools for evading firewalls and IDS/IPS. The pwncat platform is based on the netcat Unix networking utility, which allows users to read and write information across a network connection.
pwncat includes features for both local and remote port forwarding. For example, the command below establishes local port forwarding by redirecting the remote port 3306 to the local port 5050:
pwncat -L 0.0.0.0:5050 example.org 3306
Becoming a Penetration Tester With C|PENT
Pivoting is an essential technique that all penetration testers should be familiar with. By successfully pivoting from one machine to the next, penetration testers can avoid or delay detection for as long as possible and extend the reach of their simulated attack.
If a career in penetration testing appeals to you, obtaining a penetration testing certification is an ideal way to get a foothold in the industry while honing your in-demand cybersecurity skills. EC-Council offers the Certified Penetration Testing Professional (C|PENT) program, with extensive real-world training to help students master the tools and techniques of penetration testing. Click here to learn more about the contents of the C|PENT curriculum and start down the path of becoming a leading penetration testing expert.
About the Author
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.