A penetration test or other security assessment usually starts from the external network, with thorough reconnaissance and testing of the systems and services reachable from the Internet. The goal is to find a security weakness and, if one is found, use it to break into the local network and compromise several systems there.
Local network traffic is non-routable from the Internet: systems connected directly to that network can reach its resources, while an external attacker cannot. This article looks at how pen-testers reach these hidden networks using pivoting methods such as double pivoting.
What Is Pivoting?
Pivoting is the practice of using a compromised host, also called a ‘foothold’ or ‘plant’, as a base from which to move around inside the compromised network. It means reaching networks you would normally have no access to by routing through machines you have already compromised.
The first compromise permits, and even facilitates, compromising other systems that are not directly reachable. Essentially, pivoting makes non-routable traffic routable. Through pivoting, an attacker can configure the working environment so that their tools behave as if the attacker were operating from inside the organization’s local network.
This technique makes defence considerably harder, since a single unsecured computer can offer an entry point from which to pivot into other sections of the network.
What Are the Different Types of Pivoting?
Pivoting can be grouped into two types – proxy pivoting and VPN pivoting.
Proxy pivoting is the practice of channelling traffic through a compromised target by running a proxy payload on that machine and launching attacks from it. This type of pivoting is limited to the TCP and UDP ports supported by the intermediary proxy.
VPN pivoting lets the attacker create an encrypted tunnel into the compromised machine and route any network traffic through it, for example to run a vulnerability scan of the internal network via the compromised host. This effectively gives the attacker full network access, as though they were behind the firewall.
Pivoting for Penetration Testing
In this scenario, the aim of pivoting is to exploit Ubuntu and Windows servers and then use them to reach the target web server. It is critical to know what results to expect before verifying that particular web penetration testing tools behave correctly when run through a tunnel or relay.
When conducting a penetration test, you will need to test the internal network. Always request VPN access, because a VPN is the best way to tunnel your traffic into the client’s internal network without restrictions.
How Do Attackers Pivot?
Malicious attackers are constantly on the lookout for any foothold they can exploit to penetrate a network. The most effective and economical way to gain access to a network today is phishing. The attacker studies a target, crafts a malicious email, and sends it in the hope of luring the victim into taking an action, such as clicking the link to the malware.
Since this is the goal, let’s assume the target clicks on the malware. The attacker has now effectively gained a foothold in the victim’s network and will begin additional reconnaissance: which networks this machine can reach, what other users can access on it, which shares exist on this system, and possibly where the local DNS servers or domain controllers are.
In most cases the person they have compromised is not the real goal; that is why all of this is done. Usually the target is a system or other data in the network rather than the user themselves. Once the attackers have gathered all the information they need from the compromised user, they attempt to blend in with normal network traffic and gain access to those other systems.
How Do Attackers Blend In?
Attackers blend in through blended attacks. A blended attack almost always combines multiple attack vectors, malware components and the exploitation of several hardware and software vulnerabilities known to the attacker, all launched together to accomplish the end goal.
Suppose, for example, that a malicious attacker wants to launch a Distributed Denial of Service (DDoS) attack on a specific organization and plant a server rootkit during the attack; the attacker will not use their own server for this.
One of the most widely used services in networks today is Remote Desktop Protocol (RDP). After the attackers have harvested usernames and passwords from the original victim’s system and identified critical servers, they use RDP to log into those servers with the initial victim’s system as the source.
This is one of the most basic forms of pivoting. The attacker began by sending a phishing email from somewhere outside the organization. Having gained access to the target’s system, they gathered the relevant information and then used it to appear as a regular user on the network while moving toward the actual target.
Penetration testers need tools that let them test this type of attack. It isn’t enough to test only the client-side vector or the web vector; you also need to test from the outside to find out how deep into the network you can get, so that the right preventive controls can be determined.
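The RDP pivot just described leaves a detectable trace: one workstation opening remote-interactive sessions to several servers in a short time. The following is an added detection example, not code from the original article; the log records are constructed, and the tuple layout is an assumed normalisation of Windows Security event 4624 fields.

```python
"""Detect RDP fan-out from a single workstation (logon type 10 in event 4624).

Added example, not code from the original article. The records below are
constructed; the tuple layout (ts, event_id, logon_type, user, src_ip, target)
is an assumed normalisation of Windows Security log fields."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive logon, which is what an RDP session produces

# Constructed sample: one workstation reaching four servers in a few minutes,
# a baselined jump host, and a local interactive logon that must be ignored.
SAMPLE_EVENTS = [
    ("2024-05-01T09:02:11", 4624, 10, "jsmith", "10.10.5.23", "FS01"),
    ("2024-05-01T09:04:40", 4624, 10, "jsmith", "10.10.5.23", "DB02"),
    ("2024-05-01T09:05:02", 4624, 10, "jsmith", "10.10.5.23", "APP07"),
    ("2024-05-01T09:06:15", 4624, 10, "jsmith", "10.10.5.23", "DC01"),
    ("2024-05-01T09:30:00", 4624, 10, "admin1", "10.10.1.5", "FS01"),
    ("2024-05-01T10:15:00", 4624, 2, "jsmith", "10.10.5.23", "WS23"),
]


def find_rdp_fanout(events, window=timedelta(hours=1), threshold=3,
                    known_jump_hosts=frozenset()):
    """Return {source_ip: sorted target hosts} for every source whose RDP
    logons reach at least `threshold` distinct hosts within a sliding `window`.
    Known jump hosts are excluded so legitimate admin traffic does not alert."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, _user, src, target in events:
        if event_id == 4624 and logon_type == RDP_LOGON_TYPE and src not in known_jump_hosts:
            by_source[src].append((datetime.fromisoformat(ts), target))

    alerts = {}
    for src, logons in by_source.items():
        logons.sort()  # chronological, so each index starts one window
        for i, (start, _) in enumerate(logons):
            reached = {t for ts, t in logons[i:] if ts - start <= window}
            if len(reached) >= threshold:
                alerts[src] = sorted(reached)
                break
    return alerts


if __name__ == "__main__":
    print(find_rdp_fanout(SAMPLE_EVENTS, known_jump_hosts={"10.10.1.5"}))
```

The threshold and the jump-host allow list are the tuning knobs: raise the threshold for environments where help-desk staff legitimately RDP to many hosts, and baseline the jump hosts rather than their users.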
Common Double Pivoting Methods
Pivot with SSH & ProxyChains
This uses SSH with dynamic port forwarding to establish a SOCKS proxy, together with ProxyChains to support tools that cannot use a SOCKS proxy natively.
Pivot with Meterpreter and Socks Proxy
Some vectors do not use SSH but instead use Meterpreter as a SOCKS proxy. Unfortunately, SOCKS4 proxies support only TCP, so certain kinds of traffic will not work; a full Nmap scan and comparable tools may therefore not be viable.
Pivot over a Ncat or Netcat Relay
If Ncat or Netcat is installed on the target, which is increasingly rare because it is typically removed during hardening on modern systems, or if you install it on the target yourself, it can be used to set up a tunnel or relay.
Installing Tools on the Target Machine
If you are prepared to install tools on the target system, you can install various command-line tools or graphical desktop servers such as VNC and use the pivot box as a “new” attacker system. Where the rules of engagement permit installing tools on such a device, this is the best approach.
The following are some preventive measures against pivoting:
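On the defensive side, the SSH pivot above depends on the server permitting TCP forwarding, and audits of sshd_config often get this wrong because sshd takes the first value it sees for a directive and scopes anything under a Match block to matching sessions only. The following is an added audit example, not code from the original article or from OpenSSH; the configuration text is constructed. Note the caveat from the sshd_config documentation: turning off AllowTcpForwarding only helps when users are also denied shell access, since otherwise they can install their own forwarder, which is exactly the "install tools on the target" route described above.

```python
"""Audit the sshd_config directives that decide whether an SSH server can be used
as a SOCKS pivot (dynamic port forwarding) or a layer-2/3 tunnel.
Added example, not from the original article; the config text is constructed.
Modelled sshd behaviour: the FIRST value seen for a directive wins, and lines
under a Match block apply only to matching sessions, not globally."""
import re

# Defaults used when a directive is absent, and the values that close the pivot.
DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "gatewayports": "no"}
SAFE = {"allowtcpforwarding": {"no"}, "permittunnel": {"no"}, "gatewayports": {"no"}}

CONSTRUCTED_CONFIG = """\
# constructed example: the second AllowTcpForwarding line is ignored by sshd
Port 22
AllowTcpForwarding yes
GatewayPorts no
AllowTcpForwarding no
Match User backup
    PermitTunnel yes
"""

def effective_global_settings(config_text):
    """Resolve the global value of each audited directive as sshd would."""
    seen = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # a Match block runs to the next Match or EOF: global section is over
            continue
        if in_match or key not in DEFAULTS:
            continue
        seen.setdefault(key, value)  # first occurrence wins; later duplicates are ignored
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}

def pivot_findings(config_text):
    """Return directives whose effective value leaves the server usable as a tunnel."""
    effective = effective_global_settings(config_text)
    return sorted(f"{k}={v}" for k, v in effective.items() if v not in SAFE[k])

print(pivot_findings(CONSTRUCTED_CONFIG))  # ['allowtcpforwarding=yes']
```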
- Always verify content before allowing it to be served up
- Take the lead with a cybersecurity assessment
- Be on the lookout for phishing attacks
- Do not undermine the significance of data backups
- Provide the IT department with valuable tools
- Automatically trail all the links on your website and scan them for malicious code
- Understand the risks that come with BYOD
- Look beyond your employees
- Assess the human factor in your cybersecurity strategy
- Restrict access to critical information
- Try to minimize the amount of external party content on the website
EC-Council Certified Penetration Testing Professional (CPENT) Program
EC-Council’s Certified Penetration Tester (CPENT) program gives you the hands-on training you need to know how to execute an efficient penetration test in an enterprise network environment that must be evaded, attacked, defended, and exploited. Likewise, the CPENT Challenge Edition is an affordable learning resource that offers a refresher in subjects such as IoT, binary analysis, SCADA, and ICS. To get details on plans and pricing, enroll now.