In this video, learn what is meant by pivoting and what it provides to an attacker.
- [Instructor] It's fairly straightforward to test a single system in an overt penetration test. But when we have to run what is known as a red team exercise, an unannounced and covert penetration test of a business's complete infrastructure, run from a remote location on the internet, some of the targets will be on internal networks, and so not visible. The internal network may have a router which automatically routes packets through to internal networks.
And if so, we can directly access them. If not, we need to be able to find a way to get through to those internal networks. If we don't have a router we can use, we may find that a host on the network has two interface cards: one on each network. This is called a dual-homed host. This could be a network device such as a router or firewall, or it may be a server. It's this second option that we'll look at.
If we can exploit the host we can see, then we can use the exploited host as a gateway through which to attack the target. The technique is the same when we have two servers on the network and can only access one. Perhaps we have some firewall rule or access control list which doesn't allow an external address to access the second server, our target. If we can exploit the host we can see, then we can use that as a point from which to attack the target.
The mechanism we use to set up a gateway which allows us to route packets from outside the network into the internal network is called a pivot. There are several techniques that can be used to pivot into networks, and we'll take a look at a couple of them.
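The following is an added worked example, not code from the course or the instructor, showing the mechanism the transcript describes in its simplest form: a TCP relay that an attacker would run on the compromised dual-homed host, listening on the interface the attacker can reach and forwarding each connection to an internal target that the firewall or ACL hides from outside addresses. Tools such as `ssh -L` (local forwarding), `ssh -D` (a SOCKS proxy) and Metasploit's routing do the same job with more features; this stripped-down version makes the two legs of the pivot visible. To run offline it uses loopback addresses and a constructed stand-in "internal service" that upper-cases whatever it receives; the relay, the stand-in target and the function names are all assumptions of this example.

```python
"""Minimal TCP pivot relay (added illustration, not the course's own code).

Assumed to run on a compromised dual-homed host: it accepts connections on
the attacker-reachable interface and opens a second connection to the
internal target, splicing the two together in both directions.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, target: tuple) -> None:
    """One pivoted connection: open the inside leg, then relay both ways."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()   # internal target unreachable: drop the outside leg
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)   # attacker -> pivot -> target
    back.join()               # target -> pivot -> attacker
    client.close()
    upstream.close()


def start_pivot(listen: tuple, target: tuple) -> tuple:
    """Start the relay in the background; return the (host, port) it bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def start_echo_target(listen: tuple = ("127.0.0.1", 0)) -> tuple:
    """Constructed stand-in for the hidden internal service: echoes input upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(listen)
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def query_through_pivot(pivot: tuple, payload: bytes) -> bytes:
    """Attacker side: connect only to the pivot, receive the internal target's reply."""
    with socket.create_connection(pivot, timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)   # signal end of request so the relay can drain
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo() -> bytes:
    """Whole chain on loopback: attacker -> pivot -> internal target and back."""
    target = start_echo_target()
    pivot = start_pivot(("127.0.0.1", 0), target)
    return query_through_pivot(pivot, b"hello from outside\n")


if __name__ == "__main__":
    print(demo())
```

In a real engagement the `listen` address would be the pivot host's externally reachable interface and `target` the internal address only that host can route to; the attacker never opens a connection to the target itself, which is exactly why a firewall rule written against external source addresses does not stop it.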