Network pivoting: concept, examples, techniques, tools

Table of contents

1. What is pivoting

2. Pivoting example

3. Redirecting (forwarding) SSH ports

4. Pivoting with ncat

5. References (more pivoting methods)

6. Pivoting tools


What is pivoting

Often during a penetration test or security assessment, everything starts with an external network — with research and pentesting of machines and services available from the global network. Attempts are being made to find a security hole and, if it succeeds, then a penetration into the local network is performed in order to capture as many systems as possible.

Local network traffic is non-routable, that is, other computers that are physically connected to this network can access the resources of the local network, and the attacker cannot access them.

So, pivoting is a set of techniques that allow an attacker to gain access to local resources, in essence, making traffic routable that is normally non-routable. Pivoting helps an attacker to configure the working environment to use the tools in such a way as if he were in the organization’s local network.

That is, using pivoting is achieved:

1) Access to local resources

2) The ability to use tools to scan and search for vulnerabilities from your computer in a remote local network, as if they were installed right there. That is, hacker tools gain access to the local network, which under normal conditions is impossible for non-routable traffic.

Pivoting example

Imagine a situation that during a network security audit, a vulnerability was discovered that allows you to run commands on a remote system. Due to this vulnerability, the command

ip a

lists network interfaces:

In addition to the public address, you can see the addresses of the local network:

  • 192.168.0.50
  • 127.0.0.1
  • 127.0.0.102
  • and others 127.*.*.*

The list of listening ports received by the command:

ss -lntup

also found interesting local network artifacts:

  • 127.0.0.100:10025
  • 127.0.0.1:27017
  • 127.0.0.103:15982

  • 127.7.0.1:80
  • other 127.*.*.*:80
  • 127.0.0.100:8080
  • 127.0.0.100:80

  • 127.0.0.100:443

  • 127.7.0.1:443
  • 127.7.0.2:443
  • other 127.x.x.x:443

All IP addresses listed are non-routable – I cannot access them from my computer. And the administrator of that network knows that no one can access them, so the services that bind to ports of these addresses are considered local and they can be configured less securely than the services available from the global network. And for this reason, for the ‘attacker’ these services and computers on the local network are of particular interest.

To continue audit, I need to find other local hosts, scan for open ports, run scanners for found services and web applications. All this requires the involvement of the relevant tools. But let me remind you once again – under normal conditions, I cannot access a remote LAN by running the tools on my computer.

There are two options for action:

  1. Try to install the tools directly to the remote server and run them from it. This is too complicated – I have limited privileges (no root), some tools require a lot of dependencies, such activity can easily betray my presence
  2. Pivoting

I will choose pivoting using ncat. For this, I need to run ncat in proxy mode on the remote system. The ncat program may already be present on the system. If it is not there, then it is enough to upload a single binary file to the server (for example and details in the article “How to create a proxy on shared hosting”).

So, on a remote server, I run ncat in a HTTP proxy mode (--proxy-type http) configured to listen on port 3128 (-l 3128):

ncat -l 3128 --proxy-type http

Now, on my local computer, if not already installed, I install the ProxyChains-NG program. The essence of its work is that it transfers traffic through a proxy from those programs that do not support working with a proxy.

Before using ProxyChains-NG, I need to do the configuration. To do this, I open the /etc/proxychains.conf file:

sudo gedit /etc/proxychains.conf

I find a line there

socks4  127.0.0.1 9050

and comment on it:

#socks4     127.0.0.1 9050

Now I add a new line:

http SERVER_IP 3128

Where:

  • http – proxy type (ncat supports HTTP only)
  • SERVER_IP – here I entered the real IP address of the remote computer where ncat is running and whose local network I want to explore
  • 3128 – port, you need to specify the same one that you specified when you run ncat

If you get an error with some nmap commands

nmap: netutil.cc:1379: int collect_dnet_interfaces(const intf_entry*, void*): Assertion `rc == 0' failed.

Then in the /etc/proxychains.conf file, comment out the line:

proxy_dns

I want to start by scanning open ports of 192.168.0.50 – this is the local IP address. I run nmap like this:

proxychains4 nmap -sT -PN -sV --open -n 192.168.0.50

If something is not clear to you in this command, then see the article “Anonymous scanning through Tor with Nmap, sqlmap or WPScan” - it explains the use of the proxychains4 + nmap combination

Results:

Nmap scan report for 192.168.0.50
Host is up (0.55s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        ProFTPD 1.3.5e
111/tcp  open  rpcbind    2-4 (RPC #100000)
873/tcp  open  rsync      (protocol version 30)
1022/tcp open  ssh        OpenSSH 5.3 (protocol 2.0)
1024/tcp open  ssh        OpenSSH 5.3 (protocol 1.99)
2049/tcp open  nfs        2-4 (RPC #100003)
3128/tcp open  http-proxy Ncat http proxy (Nmap 4.85BETA1 or later)
3306/tcp open  mysql      MySQL 5.5.62-38.14-log
4343/tcp open  ssl/http   Apache httpd
4443/tcp open  ssl/http   Apache httpd
Service Info: OS: Unix

The results are good – a couple of web server processes on ports 4343 and 4443. Some process at 111. A couple of ssh at 1022 and 1024. These can be either processes open to the global network (through port forwarding) or exclusively local resources for users in the network of the organization.

Find hosts on the local network:

proxychains4 nmap -sn 192.168.0.50/24 2>&1 | grep 'OK'

This command uses the -sn option – it skips port scans and only shows hosts that are online. Responses of two types will be returned: denied or OK:

If the OK response is received, then the host is online. But the problem is that if a denied response is received (the connection is rejected), then nmap also treats such a host as being online (although it filters our requests for this port). But in my case, these hosts are not online – apparently, the network (firewall) is configured when sending requests to non-existent hosts to respond denied. Therefore, at the end of the work, nmap will list all the hosts on the 192.168.0.50/24 subnet as if they exist.

Therefore, to obtain an adequate list, it is easier to filter the output of the proxychains4 command. It writes information to the standard error output (it looks same like the standard output, but grep cannot process it), so we redirect: 2>&1 (this redirects the standard error output to the standard output). As a result, we have the opportunity to search for information displayed by proxychains4 using grep.

The result is a valid list of hosts on the local network:

  • 192.168.0.1
  • 192.168.0.13
  • 192.168.0.97
  • 192.168.0.241
  • 192.168.0.247
  • 192.168.0.250
  • etc.

We not only know that these hosts are online on a local network – we can perform port scans and other audit and attacks on each of them.

With the help of ping (running on a remote computer), make sure that these addresses are really available:

This is only the very beginning of the fun, and in fact we already have: a list of interesting ports of the current host from which we run commands, a large list of addresses of computers on the local network, each of which also has ports. What else? And we also have LOOPBACK addresses, when accessing which network packets do not leave the computer at all. Under normal conditions, they are also inaccessible as local IPs, but with the help of pivoting we can also touch them.

If the program supports HTTP proxies, then proxychains are optional. Consider the example of cURL - after the -x option, you need to specify the IP and port of the proxy (through a colon) – that is, the IP of the computer through which we enter the local network. After the IP address to which the request is made, you can also specify the port of interest.

For example, from my computer I can make a request to port 15982 of the IP address 127.0.0.103 of the remote computer:

curl -v -x PROXY_IP:3128 127.0.0.103:15982

As a result, I received a very interesting answer:

It looks like you are trying to access MongoDB over HTTP on the native driver port.

That is, apparently it is MongoDB.

The command to collect a banner from this port using nmap:

proxychains4 nmap -n -sV --script=banner -p 15982 127.0.0.103

This command worked fine, but did not give new information:

By the way, if the last nmap command caused an error:

nmap: netutil.cc:1379: int collect_dnet_interfaces(const intf_entry*, void*): Assertion `rc == 0' failed.

Then in the /etc/proxychains.conf file, comment out the line:

proxy_dns

In cURL, you can not only make a request to different ports, you can switch between the HTTP/HTTPS protocols (just specify the protocol before the IP address, as shown in the following command). If the certificate is invalid (this is the norm in local networks), then you can add the -k option. You can send HTTP headers, for example, host names, etc. Since the web server is configured separately for the HTTP and HTTPS protocols, separately for each host plus the default settings, sometimes you can find incorrectly configured hosts or just unexpected results. For example, the command (the host name was specified as valid for this server):

curl -v -x PROXY_IP:3128 -H 'Host: DOMAIN.RU' https://127.0.0.100 -k

in my case, issued:

PHP version 5.3.28 is installed on the server, but at least WordPress 5.2.1 requires at least 5.6.20.

And so on. I hope I managed to convince you that pivoting is a very powerful thing, thanks to which you can wander through someone else's local network (otherwise simply inaccessible) as if on its own.

Working through a proxy, you can scan local web servers, for example, with the Nikto tool, as well as use other tools.

Redirecting (forwarding) SSH ports

Did you manage to find the credentials for the SSH service running on the host? Fine! Connect to the host as follows:

ssh username@host -D 1080

This will create a server socks on the attacker's side (ssh-client). Welcome to the intranet;)

Consider in more detail this concept, so as not to get confused. The -D option will create a proxy server NOT on the remote machine, but on the local one where this command is running.

Consider a specific case using the example of my experimental server, its IP address is 185.117.153.79, I chose 15555 as the listening port, then the command would be:

ssh root@185.117.153.79 -D 15555

Port 15555 will not be listened to on server 185.117.153.79. This port is bind on the local computer from which I made the connection. Currently, 2 types of proxies are supported: SOCKS4 and SOCKS5. So, if I want to connect, then I need to specify localhost as the IP address/hostname of the proxy, I also need to specify the port that comes after the -D option.

Suppose I want to get a web page from the host server 185.117.153.79. To do this, I run the following command:

curl --socks5 localhost:15555 localhost

It uses “localhost” twice – but these are completely different localhost!!!

--socks5 localhost:15555 is an option to connect to a proxy that was created using ssh. When a request arrives at this proxy, it is sent over the ssh tunnel to the remote host to which ssh has been connected. A curl request was made to this remote host on localhost:80 (the port 80 is implied by default). As a result, a request made using curl was sent to the local web server of the remote computer.

Thus, you can use proxy support programs to scan and exploit the local resources of the remote computer. For example, you can use sqlmap, WPScan and others.

Similarly, you can access not only the HTTP resources of a remote local network. You can use any program that supports work through a proxy.

Of course, you can use it as the most common proxy to hide your real IP.

It is also possible to redirect one specific port to a specific host. Suppose you need access to an SMB resource on the internal network on the host 192.168.1.1.

ssh username@host -L 445:192.168.1.1:445

Thus, port 445 will be opened on the attacker's computer. And programs, even without proxy support, will be able to work with remote local resources. In these programs, you need to specify localhost or IP address 127.0.0.1 as a host for connection. Remember that listening to privileged ports (numbers below 1024) on the local computer requires root privileges; but it is not necessary to choose the same port number as on the remote machine, that is, without the superuser's rights, you can do this:

ssh username@host -L 11445:192.168.1.1:445

As a result, the connections received on port 11445 of the attacking computer will be redirected to port 445 of the remote system (in its local network).

For example, web traffic:

ssh -L 10080:localhost:80 root@185.117.153.79

As a result of the work of this command, all requests that come on port 10080 of the attacker's computer will be sent to port 80 of the computer 185.117.153.79.

As a result, the command:

curl localhost:10080

Shows the contents of the localhost web page of 185.117.153.79.

Once again, the most important thing in this method: even applications without proxy support can access the local network resources of the remote computer.

Pivoting with ncat

The advantages of SSH are that to access local resources:

  1. No RCE or other vulnerability required.
  2. No need to download and install any programs and files on the remote system – SSH is present on most servers.

The disadvantages of SSH are that to access local resources:

  1. You need credentials for SSH (not necessarily the superuser – any)

Alternatively, you can use Ncat, which can do the same thing that we can achieve with SSH

The advantages of Ncat are that to access local resources:

  1. No user credentials needed

The disadvantages of SSH are that to access local resources:

  1. Requires RCE or other vulnerability allowing to execute commands on a remote system. Either SSH access is required.
  2. Not every server can have Ncat installed. In this case, you need to make a simple installation (does not require elevated privileges – just upload one executable file to the server)

The pivoting techniques with Ncat are already described on the miloserdov.org pages – there is no point in duplicating, so I recommend you read the article “How to use netcat (nc), ncat”, especially with sections:

See also the article “How to create a proxy on shared hosting”, since such a proxy can be used for pivoting purposes, if you specify the resources of the remote computer’s local network as the requested resources (an example has already been given above).

References (more pivoting methods)

Pivoting tools

Recommended for you:

Leave a Reply

Your email address will not be published. Required fields are marked *