Penetration testing, more commonly known as pen testing, is a security procedure that emulates a cyberattack on a network or a computer in order to pinpoint and remove vulnerabilities and loopholes. Pivoting in pen testing refers to the method by which the ethical hackers carrying out the mock attack move between systems on the network.
Pivoting is often done through port forwarding, where a port on one computer acts as a tunnel into other systems. There are several VPNs that support port forwarding, and we suggest using a VPN app to use port forwarding securely.
In this article, we will discuss how to use pivoting to access networks in pen testing.
Understanding Pivoting
Attackers seldom acquire access to the whole network in one go during a cyberattack. Rather, they frequently concentrate on gaining access to the network through a single vulnerable spot. This is often accomplished by means such as malware, phishing, or scanning for security vulnerabilities. Once inside the network or a computer, the attackers aim to remain hidden while moving on to other systems linked to this access point.
The technique of pivoting in penetration testing is the use of a compromised machine to spread to other computers once inside the network, imitating the actions of a genuine attacker. This compromised machine is also known as an “instance,” “foothold,” or “plant.”
After gaining a foothold, penetration testers explore the network to find further subnets and computers, seeking the most effective (and most susceptible) targets of attack. An administrator system, for instance, may provide the attacker with higher privileges and enable new possible actions. Pen testers can use the compromised computer’s credentials to mask their activity as genuine network traffic, making it simpler to gain access to these linked systems from within.
In cybersecurity, pivoting is strongly associated with the idea of lateral movement, and the phrases are sometimes used interchangeably. However, “pivoting” refers to the process of shifting between different hosts, whereas “lateral movement” entails a backdoor (accessing additional accounts and users) on the same computer.
Pivoting and Its Different Versions
Pen testers can execute pivoting in a number of ways. The following are some of the most common styles of pivoting used in pen testing:
Port forwarding
The attacker establishes a connection between two computers using open TCP/IP ports and forwards packets and data traffic between the machines.
Pivoting via VPN
On the compromised system, the attacker launches a VPN client that connects to a remote server. The attacker can then send data into the VPN, or read data packets from the affected system, by relaying traffic between the VPN and the remote server.
Pivoting via SSH/Proxy
The attacker uses SSH to set up a local proxy. Any requests to the specified port are then redirected to their ultimate destination via the proxy.
Routing tables
To install a new route, the attacker modifies the compromised computer’s routing table. Any communication to the target will be directed into the tunnel via the configured port, enabling the attacker to intercept this data.
Whatever method of pivoting is used in pen testing, the end purpose is to stay unnoticed for longer while carrying out reconnaissance and obtaining vital information and files.
How Is Pivoting Done by Penetration Testers?
We have discussed the various types of pivoting in pen testing at a conceptual level, but how do penetration testers actually pivot at a technical level? The tools and approaches listed below are a few examples of techniques used by pen testers to pivot in real-life situations.
1. Meterpreter
Meterpreter is a Metasploit pen testing payload that provides the attacker with an operational, hidden terminal from which to run commands and manage the compromised system.
With Meterpreter, pen testers can use the routing-table pivoting method discussed above through the autoroute command. For instance, the following command prints the active routing table:
meterpreter> run autoroute -p
and this one adds a route to 10.1.1.0/255.255.255.0 through the current session:
meterpreter> run autoroute -s 10.1.1.0 -n 255.255.255.0
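From the defender's side, the routing-table pivot described above leaves a trace whenever a host's own routes change, in particular a new route pointing at a tunnel interface. The script below is an added example, not code from the article or from Metasploit: it parses two snapshots of `ip route show` output (both constructed here, not captured from a real machine), reports added, removed and changed routes, and flags any route whose egress interface is not in an assumed set of expected interfaces.

```python
"""Detect routing-table changes on a Linux host by diffing two snapshots of
`ip route show`. Added example; both snapshots below are constructed."""

import re

# Constructed baseline snapshot taken from a workstation.
BASELINE = """\
default via 10.10.10.1 dev eth0 proto dhcp metric 100
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.25 metric 100
"""

# Constructed later snapshot: a route to another subnet now leaves through a
# tunnel interface, which is what a pivot through this host would look like.
CURRENT = """\
default via 10.10.10.1 dev eth0 proto dhcp metric 100
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.25 metric 100
10.1.1.0/24 dev tun0 scope link
"""

# Interfaces expected to carry routes on this host (assumption for the example).
EXPECTED_INTERFACES = {"eth0", "lo"}

# destination, optional next hop, egress device
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Map destination prefix -> (next hop or None, device) for each route line."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group("dst")] = (m.group("via"), m.group("dev"))
    return routes


def diff_routes(baseline_text, current_text):
    """Return (added, removed, changed) destinations between two snapshots."""
    before = parse_routes(baseline_text)
    after = parse_routes(current_text)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(d for d in set(before) & set(after) if before[d] != after[d])
    return added, removed, changed


def suspicious_routes(current_text, expected=EXPECTED_INTERFACES):
    """Routes whose egress interface is not in the expected set (e.g. a tunnel)."""
    return sorted(dst for dst, (_, dev) in parse_routes(current_text).items()
                  if dev not in expected)


if __name__ == "__main__":
    added, removed, changed = diff_routes(BASELINE, CURRENT)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("unexpected egress interface:", suspicious_routes(CURRENT))
```

Run periodically (for example from a cron job that stores the previous snapshot), the diff turns a silent change in the routing table into an alert; the interface check catches the common case where the new route exists only to feed a tunnel.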
2. ProxyChains
ProxyChains is a Unix application that enables users to route any TCP network connection through SOCKS or HTTP proxies. As previously stated, this may be used for pivoting via a proxy.
Pen testers can begin using ProxyChains by editing the proxychains.conf file, which holds a list of the proxies used on the local workstation. Attackers can add a new remote proxy server to mask their actions by entering the appropriate host name and port number. They can even chain several proxies together, making detection (and identifying the source once the activity is found) much more challenging.
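When auditing a workstation, the same proxychains.conf file tells a defender which proxies a host has been configured to chain through. The following parser is an added example, not part of the article or of ProxyChains itself; it assumes the common file layout of option lines (such as strict_chain) followed by one "type host port [user pass]" entry per line under a [ProxyList] header, and it flags entries whose host is outside loopback or RFC 1918 space. The configuration it reads is constructed for the example.

```python
"""Parse a proxychains.conf and flag proxies outside the internal address space.
Added example; the configuration text below is constructed."""

import ipaddress
from dataclasses import dataclass

# Constructed proxychains.conf contents (assumed layout: option lines, then
# "type host port [user pass]" entries under [ProxyList]; '#' starts a comment).
SAMPLE_CONF = """\
# proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
socks5 127.0.0.1 9050
http 10.0.0.5 3128 svc-user s3cret
socks4 203.0.113.7 1080
socks5 proxy.example.net 1080
"""

# Address ranges treated as internal for this example (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}


@dataclass(frozen=True)
class Proxy:
    kind: str
    host: str
    port: int
    authenticated: bool   # True when a username/password pair is configured


def parse_proxychains(text):
    """Return (chain_mode, [Proxy, ...]) parsed from proxychains.conf text."""
    mode = None
    proxies = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            in_list = line.lower() == "[proxylist]"
            continue
        if not in_list:
            if line in CHAIN_MODES:
                mode = line
            continue
        parts = line.split()
        if len(parts) < 3:
            continue   # malformed entry; ignore rather than guess
        proxies.append(Proxy(parts[0].lower(), parts[1], int(parts[2]), len(parts) >= 5))
    return mode, proxies


def external_proxies(proxies):
    """Proxies whose host is not an internal address. Hostnames are flagged too,
    because they cannot be classified without resolving them."""
    flagged = []
    for p in proxies:
        try:
            addr = ipaddress.ip_address(p.host)
        except ValueError:
            flagged.append(p)
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    mode, chain = parse_proxychains(SAMPLE_CONF)
    print(f"chain mode: {mode}, {len(chain)} proxies configured")
    for p in external_proxies(chain):
        print("proxy outside internal ranges:", p)
```

The check is deliberately conservative: an unresolved hostname is reported rather than silently accepted, so a reviewer sees every hop that could carry traffic off the internal network.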
3. sshuttle
sshuttle bills itself as “where the transparent proxy meets VPN meets ssh.” It takes a hybrid approach, combining elements of SSH port forwarding and a VPN to build a tunnel for carrying network traffic.
Penetration testers can use sshuttle to build a VPN-like connection from a local machine to a remote server that has Python installed and is reachable over SSH. For instance, the following command routes traffic for the 192.168.30.0/24 network through the SSH server at 192.168.10.5 (the user@host part is the SSH login on that server):
sshuttle -r localhost@192.168.10.5 192.168.30.0/24
4. pwncat
pwncat is a toolkit for use after gaining access to an affected system, featuring tools for circumventing IDS/IPS and firewalls. pwncat is a port of the Unix networking program netcat, which enables users to read and write any type of data across a network.
pwncat supports both local and remote port forwarding. In this case, the command given below sets up local port forwarding, exposing remote port 3306 on example.org as local port 5050:
pwncat -L 0.0.0.0:5050 example.org 3306
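A local port forward like the one above shows up on the forwarding host as a new listening socket, here bound to every interface (0.0.0.0) on a port the machine normally does not serve. The script below is an added example, not code from the article or from pwncat: it parses `ss -ltnp` output (constructed here, not a real capture), compares each listener against an assumed allowlist of port-to-process pairs, and reports anything unexpected together with whether it is bound to a wildcard address.

```python
"""Flag unexpected listening sockets on a Linux host from `ss -ltnp` output.
Added example; the ss output and allowlist below are constructed."""

import re

# Constructed `ss -ltnp` output from a workstation (not a real capture).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       10      0.0.0.0:5050         0.0.0.0:*          users:(("pwncat",pid=4412,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Listeners this host is expected to run: port -> process name (assumption).
ALLOWLIST = {22: "sshd", 631: "cupsd"}
# Local addresses that accept connections from any interface.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text):
    """Return (addr, port, process, pid) for each LISTEN line of ss output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue   # header or non-listening entry
        addr, _, port = fields[3].rpartition(":")   # also handles [::]:22
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        rows.append((addr, int(port), proc, pid))
    return rows


def unexpected_listeners(text, allowlist=ALLOWLIST):
    """Listeners whose port/process pair is not allowlisted, annotated with
    whether they are bound to a wildcard address."""
    findings = []
    for addr, port, proc, pid in parse_listeners(text):
        if allowlist.get(port) == proc:
            continue
        findings.append({"port": port, "addr": addr, "process": proc,
                         "pid": pid, "wildcard_bind": addr in WILDCARD_ADDRS})
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SS_OUTPUT):
        print(finding)
```

Matching on the port and process name together matters: a forwarder that squats on a familiar port under a different process name is still reported, and the wildcard flag separates a loopback-only listener from one reachable by the rest of the network.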