Mar 7

Network Pivoting and Lateral Movement

Mindli Team

AI-Generated Content

Successfully breaching an initial target is only the first step in a penetration test or red team engagement. The real challenge—and value—lies in navigating the internal network to access its most critical assets, which are often hidden behind multiple layers of segmentation. This process of using a compromised host as a launchpad to attack other, otherwise inaccessible systems is known as network pivoting and lateral movement. Mastering these techniques allows you to simulate a determined adversary, uncovering the true depth of an organization's security posture by exploring isolated network segments and escalating access from the inside.

Understanding the Pivot: The Compromised Host as a Bridge

At its core, a pivot is a strategic hop. You compromise a host (the pivot point) that has network connectivity to two distinct segments: the one you're on (e.g., the internet or a DMZ) and one you want to reach (e.g., a protected internal subnet). The pivot host becomes your relay, forwarding your attack traffic into the restricted network and returning responses to you.

This is essential because many corporate networks employ a "hard outer shell, soft inner core" model. A firewall may block all direct inbound connections to an internal database server from the internet. However, a compromised public-facing web server inside the firewall often has unrestricted access to that database. By pivoting through the web server, you bypass the perimeter defenses entirely. The pivot host's existing trust relationships and access permissions become your own.

Foundational Pivoting Techniques: SSH and Port Forwarding

The most universal pivoting methods leverage standard administrative protocols like SSH (Secure Shell), which have built-in port forwarding capabilities. These are often available on Linux-based targets and provide a stable, encrypted channel.

Local Port Forwarding creates a tunnel that listens on a port on your attacker machine. Any connection you make to that local port is forwarded through the SSH connection to a specified destination port on the pivot's network. For example, if you cannot directly reach an internal web server at 172.16.1.100:80, but your compromised pivot host can, you would establish a tunnel:

ssh -L 8080:172.16.1.100:80 user@pivot_host_ip

Now, browsing to http://localhost:8080 on your machine will show you the internal website. The command reads: "Open port 8080 locally (-L) and forward anything sent there to 172.16.1.100:80 via the SSH connection to the pivot host."

Remote Port Forwarding does the opposite. It instructs the SSH server on the pivot host to listen on a port and forward connections back to a destination from your attacker machine. This is useful when the pivot host can initiate a connection to you, but you cannot directly connect to it (e.g., behind NAT). A common use is to expose a tool running on your local machine, like a Metasploit payload handler, to the internal network:

ssh -R 9999:localhost:4444 user@pivot_host_ip

This tells the pivot host: "Listen on port 9999 (-R) and forward traffic arriving there back to port 4444 on my (the attacker's) machine." An internal victim connecting to pivot_host:9999 would then reach your handler on port 4444. Note that sshd binds a remote forward to the pivot's loopback address by default; whether other hosts can reach the listener depends on the server's GatewayPorts setting.

Dynamic SOCKS Proxy via SSH is a more flexible approach. Instead of forwarding specific ports, it creates a SOCKS proxy server on your local machine. You can then configure your tools (web browser, vulnerability scanner, etc.) to use this proxy. All their traffic will be sent through the encrypted SSH tunnel and emerge onto the network from the pivot host.

ssh -D 1080 user@pivot_host_ip

After running this, configure your application to use a SOCKS5 proxy at 127.0.0.1:1080. When you scan or browse to an internal IP like 172.16.1.50, the request routes through the pivot, allowing you to interact with any TCP-based service the pivot can reach.
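Every one of the three SSH forwarding modes above is controlled by a handful of sshd_config directives, and a server that should never act as a relay can have them switched off. The following audit script is an added example, not code from the original article: it parses an sshd_config (a constructed sample is embedded) and reports the effective value of each forwarding directive, applying sshd's rule that the first occurrence of a keyword wins and reporting Match-block overrides separately. The directive defaults are taken from sshd_config(5); the "hardened" target values are this example's own choice.

```python
"""Audit an sshd_config for the forwarding directives that SSH pivoting relies on.

Added example (not from the original article). Defaults come from sshd_config(5);
the HARDENED values are the settings a server that must never relay traffic
should carry. sshd keeps the FIRST value it sees for a keyword, so a hardening
line appended at the bottom of the file is silently ignored if an earlier line
already set the keyword; this parser reproduces that behaviour.
"""
import re

# OpenSSH defaults for the directives that enable -L / -R / -D style tunnels.
DEFAULTS = {
    "allowtcpforwarding": "yes",          # gates local, remote and dynamic forwards
    "gatewayports": "no",                 # whether -R listeners bind beyond loopback
    "permittunnel": "no",                 # tun(4) layer-2/3 tunnelling
    "allowagentforwarding": "yes",
    "allowstreamlocalforwarding": "yes",  # unix-socket forwarding
}
HARDENED = {k: "no" for k in DEFAULTS}

# Constructed sample, not a real host's configuration.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts no
# The next line is ignored by sshd: the first value of a keyword wins.
AllowTcpForwarding no

Match User deploy
    AllowTcpForwarding yes
    GatewayPorts yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive; key and value may be separated by whitespace
    or '='. Only the first occurrence of a keyword in a given scope is kept.
    """
    global_settings, matches = {}, []
    current = None  # None in the global scope, else the dict of the open Match block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*[=\s]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        scope = global_settings if current is None else current
        scope.setdefault(key, value)  # first occurrence wins
    return global_settings, matches


def effective(settings):
    """Fill in the sshd default for every forwarding directive not set explicitly."""
    return {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}


def audit(text):
    """Return findings as (scope, directive, actual, wanted) tuples."""
    global_settings, matches = parse_sshd_config(text)
    findings = [("global", k, v, HARDENED[k])
                for k, v in effective(global_settings).items() if v != HARDENED[k]]
    for criteria, settings in matches:
        for k, v in settings.items():
            if k in HARDENED and v.lower() != HARDENED[k]:
                findings.append((f"Match {criteria}", k, v.lower(), HARDENED[k]))
    return findings


if __name__ == "__main__":
    for scope, directive, actual, wanted in audit(SAMPLE_SSHD_CONFIG):
        print(f"[{scope}] {directive} is '{actual}', expected '{wanted}'")
```

Run against the sample, the audit reports AllowTcpForwarding as enabled globally despite the trailing "no" line, flags the two defaults (agent and stream-local forwarding) that were never set, and lists the deploy user's Match block as re-enabling both TCP forwarding and GatewayPorts. Pointing it at a real file is a matter of reading the file into `audit()`.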

Advanced Pivoting with Dedicated Tools

While SSH is powerful, it requires SSH access and may be logged. Dedicated pivoting tools like Chisel and Ligolo are designed for stealth, performance, and complex scenarios. They use a client-server model, where a small agent (server) is executed on the pivot host, and you connect with a client from your attacker machine.

Chisel is a fast TCP/UDP tunnel, packaged as a single Go binary. It excels at creating multi-hop routing through a chain of compromised hosts. You can set up a Chisel server on your first pivot, connect to it, then deploy another Chisel server from that session onto a second pivot deeper in the network, daisy-chaining your access. It supports both SOCKS5 proxies and reverse port forwarding, often with lower overhead than SSH.

Ligolo takes a different, more intuitive approach. It creates a virtual network interface on your attacker machine. Once you start the Ligolo agent on a pivot host and connect, you can simply ping or nmap scan internal IP ranges directly from your terminal as if you were physically on that network segment. Ligolo automatically routes all this traffic through the encrypted tunnel, making network exploration feel native and seamless.

Integrating Pivots with Exploitation Frameworks

For a holistic engagement, you must route the traffic from your exploitation tools through your pivot points. In the Metasploit Framework, this is managed using the route command. First, you establish a session (like a Meterpreter shell) on your pivot host. Then, you add a route for the target subnet through that session:

meterpreter > run autoroute -s 172.16.1.0/24

Or from the MSF console:

msf6 > route add 172.16.1.0 255.255.255.0 [SESSION_ID]

After adding the route, any module you launch (like an auxiliary scanner or an exploit) will have its traffic automatically tunneled through the pivot session to the target internal network. This allows you to use Metasploit's full suite of post-exploitation and lateral movement modules against otherwise hidden systems.

Mapping the Path and Accessing Internal Services

Pivoting is not just about reaching a single target; it's about discovery. Once you have a SOCKS proxy or a tool like Ligolo active, you can begin mapping network paths. Use traditional tools like nmap, but configure them to use your proxy (proxychains nmap -sT 172.16.1.0/24) or run them directly over the virtual interface. This reveals live hosts, open ports, and services on internal segments.

Discovering an internal Active Directory domain controller, a database server with default credentials, or a development Jenkins server with weak access controls is a common outcome. You then exploit these services from your pivot's position. For instance, you might use a tool like Responder or Impacket's ntlmrelayx over the pivot to intercept and relay authentication hashes within the internal network, a devastating attack that is only possible from a pivoted position.

Common Pitfalls and Defensive Countermeasures

Even experienced testers encounter pitfalls. A frequent mistake is forgetting to configure tools to use the proxy. Running an nmap scan from your machine without proxychains will scan your local network, not the target's internal range. Always verify your routing by scanning a known internal host first.

Another error is using overly aggressive scans through a slow or unstable pivot, which can crash the pivot host or generate excessive network noise. Use slower timing templates (-T2 or -T1 in nmap) and targeted scans. Also, remember that some tools or protocols (like raw packet crafting in nmap's -sS SYN scan) do not work over standard SOCKS proxies; you must use TCP connect scans (-sT) instead.

From a defensive perspective, understanding these techniques is key to detection and prevention. Monitor for unusual outbound connections from servers, especially SSH or unknown binaries (like Chisel) connecting to external IPs. Implement strict egress filtering to limit which internal hosts can initiate connections to the internet. Use network segmentation effectively—not just at the perimeter—so that a compromised web server cannot directly access the finance or industrial control system VLANs. Robust endpoint detection and response (EDR) solutions can also flag and block the execution of unauthorized tunneling agents.
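The three controls named above (egress filtering, internal segmentation, and endpoint visibility) translate directly into detection rules. The script below is an added example, not code from the original article: it runs those rules over constructed connection records of the kind an EDR agent or flow collector would supply (host, host role, initiating process, destination). The segmentation policy, role names and tunnel-capable process list are hypothetical, and the 203.0.113.0/24 addresses are documentation-range placeholders standing in for the public internet.

```python
"""Flag outbound connections that look like pivot tunnels or segmentation breaches.

Added example (not from the original article). Three rules mirror the
countermeasures discussed in the text:
  1. a server-class host initiating a connection to a non-RFC1918 address
     (what strict egress filtering would block);
  2. a tunnel-capable binary (ssh, chisel, ...) initiating egress from a server;
  3. a host reaching into a VLAN its role is not permitted to talk to.
All policy values below are hypothetical; the records are constructed.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "host role process dst_ip dst_port")

# RFC 1918 space, checked explicitly rather than via ipaddress.is_private so that
# the documentation ranges used as stand-in "public" addresses count as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical segmentation policy: named VLANs and which roles may initiate into them.
SEGMENTS = {
    "web-tier": ipaddress.ip_network("10.10.1.0/24"),
    "db-tier": ipaddress.ip_network("10.10.2.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/16"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED_EGRESS = {
    "web": {"web-tier", "db-tier"},
    "db": {"db-tier"},
    "workstation": {"web-tier", "finance"},
}
SERVER_ROLES = {"web", "db"}
TUNNEL_PROCESSES = {"ssh", "chisel", "ligolo-agent", "socat", "plink", "ngrok"}

# Constructed sample records (not real telemetry).
SAMPLE_CONNS = [
    Conn("web01", "web", "php-fpm", "10.10.2.15", 3306),        # web -> db: expected
    Conn("db01", "db", "mysqld", "10.10.2.20", 3306),           # db replication: expected
    Conn("ws-042", "workstation", "firefox", "203.0.113.80", 443),  # user browsing: expected
    Conn("web01", "web", "chisel", "203.0.113.10", 8080),       # tunnel agent calling out
    Conn("web01", "web", "ssh", "10.20.5.7", 22),               # web server into finance VLAN
    Conn("web02", "web", "curl", "10.30.1.9", 502),             # web server into ICS VLAN
]


def segment_of(ip):
    """Name of the internal segment containing ip, or None if it is not in any."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_external(ip):
    return not any(ip in net for net in RFC1918)


def classify(conn):
    """Return the list of rule violations for one connection record."""
    alerts = []
    ip = ipaddress.ip_address(conn.dst_ip)
    if conn.role in SERVER_ROLES and is_external(ip):
        alerts.append("server initiated connection to external address")
    if conn.role in SERVER_ROLES and conn.process.lower() in TUNNEL_PROCESSES:
        alerts.append(f"tunnel-capable process '{conn.process}' initiating egress")
    seg = segment_of(ip)
    if seg is not None and seg not in ALLOWED_EGRESS.get(conn.role, set()):
        alerts.append(f"cross-segment connection into '{seg}' not permitted for role '{conn.role}'")
    return alerts


def detect(conns):
    """Run every rule over every record; one tuple per (record, violation)."""
    return [(c.host, c.process, f"{c.dst_ip}:{c.dst_port}", a)
            for c in conns for a in classify(c)]


if __name__ == "__main__":
    for host, proc, dst, alert in detect(SAMPLE_CONNS):
        print(f"{host:7} {proc:10} -> {dst:18} {alert}")
```

On the sample data the first three records are silent, the chisel connection trips both the egress and the tunnel-binary rules, the web server's SSH session into the finance VLAN trips the tunnel-binary and segmentation rules, and the curl into the ICS range trips segmentation alone. The same structure works on real flow logs once a lookup from host to role replaces the hard-coded role field.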

Summary

  • Network pivoting is the art of using a compromised host as a relay to attack otherwise inaccessible network segments, bypassing perimeter security controls.
  • Foundational techniques include SSH tunneling (local/remote port forwarding) and dynamic SOCKS proxies, which route your tools' traffic through an encrypted channel.
  • Advanced tools like Chisel and Ligolo offer stealth, efficiency, and intuitive interfaces for complex multi-hop routing and native-feeling network exploration.
  • Frameworks like Metasploit integrate pivots via the route command, allowing you to direct exploit and scanner modules through established sessions.
  • Successful lateral movement requires thorough internal network mapping from the pivot point to identify high-value targets like domain controllers, databases, and administrative systems.
  • Defenders must focus on internal segmentation, egress filtering, and endpoint monitoring to detect tunneling activity and limit the blast radius of a single compromise.