Pivoting for Pentesters/Red Teamers

Hi everyone. In this article, I want to explain what pivoting is and introduce some key terms around it.

First, we should understand the post-exploitation phase, or something like it 🙂

What is Post-Exploitation?

Suppose we exploited an RCE vulnerability and got a shell. After that, we can:

  1. Find extra information about the target, such as users, customers, images, etc.
  2. Find passwords, hashes, credentials, etc.
  3. Establish persistence.
  4. Use the owned machine as a pivot point to compromise other network devices, etc.
  5. The list may be extended according to the circumstances.

What is Pivoting?

We hacked a system inside the company. Is everything done for us? Sure? I don’t think so. In penetration tests or red team operations, we must know where we can jump from this machine, because real attackers will 🙂 If the company’s network segmentation is terrible, this one system becomes several systems, and that means a lot of damage for the company. Briefly, pivoting means hacking other machines through machines we already own.

The network topology isn’t exact, but I think I can explain what I want to say with this network. Every owned machine will be a pivot point for us, but there are some special notes. Say we compromised several machines in the ACME network, one in the DMZ and one in the IT network. If the DMZ side does not connect to the DEV network or the IT network, we cannot jump to those sides (I didn’t show every network device; some of it is left to imagination). If we compromise a machine in the IT network, which can connect to the DEV network, we can jump to the DEV network more easily than from the DMZ side. Where am I, and where is this machine? These questions are important for us :)

(When we use more than one pivot point, we call it multi pivoting.)
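To make the reachability idea above concrete, here is an added example (not part of the original post, and not a tool from the slide) that models the ACME-style network as a connection policy between segments and computes the blast radius of a foothold. The segment names and the allowed-connection rules are constructed for illustration; the point is that the set of segments an attacker can reach is just a graph search over the firewall policy, and that a chain longer than two hops is exactly the multi pivoting case. A defender can run the same search over a real policy export to see which single foothold exposes the most of the network.

```python
"""Blast-radius model for pivoting across network segments.

Added example, not part of the original article. The segments and the
connection policy are constructed for illustration only.
"""
from collections import deque

# Constructed segment list for the ACME-style network in the article.
SEGMENTS = ("DMZ", "USERS", "IT", "DEV")

# Constructed 'good segmentation' policy: key = source segment, value =
# segments it may initiate connections into. The DMZ is isolated from IT
# and DEV, USERS may reach IT, and IT may reach DEV (the article's case).
SEGMENTED_POLICY = {
    "DMZ": set(),
    "USERS": {"IT"},
    "IT": {"DEV"},
    "DEV": set(),
}

# Constructed 'terrible segmentation' policy: every segment can reach
# every other segment, so one foothold becomes the whole network.
FLAT_POLICY = {seg: set(SEGMENTS) - {seg} for seg in SEGMENTS}


def reachable_segments(policy, foothold):
    """Return every segment reachable from `foothold` by chaining pivots.

    Each compromised segment becomes a new pivot point, so this is a
    breadth-first search over the connection-policy graph. The foothold
    itself is included in the result.
    """
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pivot_path(policy, foothold, target):
    """Return the shortest pivot chain from foothold to target, or None.

    A chain with more than one intermediate segment is 'multi pivoting'.
    """
    parents = {foothold: None}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = parents[current]
            return path[::-1]
        for nxt in policy.get(current, ()):
            if nxt not in parents:
                parents[nxt] = current
                queue.append(nxt)
    return None


def blast_radius_report(policy):
    """Map each possible foothold to the number of segments it exposes."""
    return {seg: len(reachable_segments(policy, seg)) for seg in policy}


if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(f"{name}: {blast_radius_report(policy)}")
    print("DMZ -> DEV (segmented):", pivot_path(SEGMENTED_POLICY, "DMZ", "DEV"))
    print("USERS -> DEV (segmented):", pivot_path(SEGMENTED_POLICY, "USERS", "DEV"))
```

Under the segmented policy a DMZ foothold reaches only the DMZ, while a USERS foothold reaches DEV only through IT (a multi-pivot chain); under the flat policy every foothold exposes all four segments, which is the "one system becomes several systems" situation described above.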

Next, I want to share a slide with you about tools. But before that, we will talk about “gss-proxy”. When testing an Active Directory environment, internal systems may use authentication mechanisms like Kerberos. I won’t go into the details of that in this article. Simply put, “we can use Kerberos tickets with gss-proxy while pivoting.” Let me use the picture to explain.

We could use A’s page with “gss-proxy” while using A’s PC as a SOCKS proxy.

You can find the Pivoting slide here:

Thanks for your time and your interest.

Berk KIRAS – Cyber Security Consultant

2 thoughts on “Pivoting for Pentesters/Red Teamers”

  1. graliontorile says:

    I would like to thank you for the efforts you have put in writing this blog. I am hoping for the same high-grade blog post from you in the upcoming as well. In fact your creative writing abilities have inspired me to get my own blog now. Really the blogging is spreading its wings quickly. Your write-up is a good example of it.

  2. zorivareworilon says:

    I appreciate it, because I found exactly what I was looking for. You’ve ended my 4-day-long hunt! God bless you man. Have a great day. Bye
