pentration testing

4 Ways to Double Pivot When Penetration Testing

Usually, while performing a penetration test or other security assessment form, it starts with an external network, accompanied by vigorous research and pen-testing of systems and services accessible from the global network. Efforts are made to detect a security loophole and, if this happens, a penetration into the local network is executed to capture several systems.

Local network traffic is non-routable, which means that other systems linked directly to this network can gain access to the local network’s resources while they are inaccessible to an attacker. This article will delve into how pen-testers access hidden networks using pivoting methods such as double pivoting.

What Is Pivoting?

Pivoting refers to the distinctive practice of using an instance, which is also called a ‘foothold’ or plant to make it possible for you to move around within the compromised network. This process involves accessing networks that you would normally not have access to by exploiting compromised computers.

By exploiting the first compromise, it permits and even helps compromise other systems that are otherwise inaccessible directly. Basically, what pivoting does is to make non-routable traffic routable. Through pivoting, an attacker can configure the working environment to implement the tools in a way that appears as if the attacker was operating from the organization’s local network.

This technique makes cybersecurity so much more difficult since an unsecured computer can offer an entry point to pivot from that destination to other sections of the network.

What Are the Different Types of Pivoting?

Pivoting can be grouped into two types – proxy pivoting and VPN pivoting.

Proxy Pivoting

This commonly explains the process of diverting traffic through a compromised target by applying a proxy payload on the machine and introducing attacks from the computer. This type of pivoting is limited to some TCP and UDP ports that are supported by the intermediary.

VPN Pivoting

This allows the attacker to generate an encoded layer to tunnel into the weakened machine to traverse any network traffic using that target machine to run a vulnerability assessment on the internal network through the undermined machine. This sufficiently gives the perpetrator complete network access, which appears as though they were behind the firewall.

Pivoting for Penetration Testing

The aim of pivoting is to exploit Ubuntu and Windows servers and later implement them to access the target web server. It is critical to understand the expected results before authenticating that certain web penetration testing tools work as they should when going through a tunnel or relay.

If you’re conducting a penetration test, you will need to test the internal network. Remember to always request VPN access because VPNs are the best way to tunnel your traffic through their internal networks without constrictions.

How Do Attackers Pivot?

Malicious attackers are constantly on the lookout for any foothold they can exploit to penetrate a network. The most effective and economical technique of accessing a network in this age is through phishing. The attacker examines a target, generates an email malware, and afterward, sends it out with the hope of luring the victim into taking action, like clicking on the malware link included.

Since this is the end goal, let’s assume that the target victim clicks on the malware. The attacker has now effectively penetrated the victim’s network. At present, the attack will start to conduct some extra fact-finding. This will attempt to discover information such as what networks this machine can interact with, what other users can access on this machine, any shares on this system, and possibly the local DNS servers or domain managers’ location.

In most cases, the person they have compromised may not be their goal, which is why the entirety of this is done. Usually, their target is the system or other data points in the network, rather than the user themself. The moment the attackers have acquired all the information they need from the target user, they’ll attempt to blend in with the typical network traffic and try to gain access to these other systems.

How Do Attackers Blend In?

Attackers blend in through blended attacks. Blended attacks almost always try to use a blend of multiple attack vectors, malware resources, and exploit several hardware and software vulnerabilities known to the malicious attacker; all launched simultaneously to accomplish their end goal.

Let’s assume that a malicious attacker wants to introduce a Distributed Denial of Service (DDoS) attack on a specific organization and overwhelm them with a server rootkit during such an attack; the attacker will not utilize their own server for the objective.

One of the most widespread services employed in networks today is Remote Desktop Protocol (RDP). After the attackers have wiped off the password and usernames from the original victim’s system and discovered critical servers, they will implement the RDP to log into other servers while implementing the initial victim’s system their source.

This is one of the most fundamental types of pivoting. The perpetrator began by posting a phishing email from somewhere beyond the organization. Having acquired the access needed to the target’s system, the relevant information is gathered and later implemented to appear as though the attacker were a regular user on the network while moving towards the actual target.

Penetration Testers need devices that enable them to test this type of attack. It isn’t good enough to merely test the client-side vector or the web vector; it is also essential that you test outside to find out just how deep you can get into the networks to comprehend the right preventative solutions implemented.

Common Double Pivoting Methods

Pivot with SSH & ProxyChains

This leverages SSH with dynamic port forwarding to establish a socks proxy, with ProxyChains to aid tools that cannot implement socks proxies.

Pivot with Meterpreter and Socks Proxy

Some vectors don’t use SSH, but they leverage Meterpreter as proxy socks. Sadly, socks4 proxies can only support TCP protocols and some specific forms of traffic may not work. Therefore, complete Nmap and comparable tools may not be viable.

Pivot over a Ncat or Netcat Relay

On the off chance that Ncat or Netcat are installed on the target, which is typically disconnected while hardening on modern systems, or if you install it on your own on the target, it can be implemented to set-up a tunnel.

Installing Tools on the Target Machine 

If you’re prepared to install tools on the target system, you could install different command-line tools or visual desktop servers, including VNC, and apply the pivot box as a “new” attacker system. When installing tools on such a device is allowed in the standards of engagement, this is the best approach.

Mitigation Techniques

The following are some preventive measures against pivoting

  • Always verify content before allowing it to be served up
  • Take the lead with a cybersecurity assessment
  • Be on the lookout for phishing attacks
  • Do not undermine the significance of data backups
  • Provide the IT department with valuable tools
  • Automatically trail all the links on your website and scan them for malicious code
  • Understand the risks that come with BYOD
  • Look beyond your employees
  • Assess the human factor in your cybersecurity strategy
  • Restrict access to critical information
  • Try to minimize the amount of external party content on the website

EC-Council Certified Penetration Testing Professional (CPENT) Program

EC-Council’s Certified Penetration Tester (CPENT) program gives you the hands-on training you need to know how to execute an efficient penetration test in an enterprise network environment that must be evaded, attacked, defended, and exploited. Likewise, the CPENT Challenge Edition is an affordable learning resource that offers a refresher in subjects such as IoT, binary analysis, SCADA, and ICS. To get details on plans and pricing, enroll now.


What is port forwarding?
In system networking, port forwarding is the application of NAT (network address translation), which redirects a communication request from one IP and port number arrangement to the other while the packets are moving through a network gateway such as a firewall or router.Port forwarding is one of the fundamental methods for pivoting. This method is basically implemented to make services on a host located on a secure or masqueraded (internal) network access to hosts on the parallel side of the gateway (external network), through reallocating the port number and the destination IP address of the communication to an internal host.
What is routing?
Routing is the method of choosing a route for traffic either in a network or across multiple networks. Routing is achieved through several types of networks, such as circuit-switched networks (this includes computer networks and the public switched telephone network).Routing is executed with devices called routers. These routers, route network packages to their individual destinations by employing the routing table. While this can be achieved with network devices like routers, it can also be done with any computer system that has the OS installed on it.
get certified from ec-council
Write for Us