A Red Teamer’s Guide to Pivoting

What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.

Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.

Is there anything that ssh and socat can’t do? Maybe not, but there are other tools (3proxy and Rpivot) that will let you do it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside? ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby iodine to route arbitrary data over DNS queries, but [Artem] says dnscat2 works without root permissions. (And this code does the same on an ESP8266.)

Once you’ve set up proxies inside, the tremendously useful proxychains will let you tunnel whatever you’d like across them. Python’s pty shell makes things easier to use, and tsh will get you a small shell on the inside, complete with file-transfer capabilities.

Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of netcat and ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?

Thanks [nootrope] for the indirect tip!

22 thoughts on “A Red Teamer’s Guide to Pivoting

    1. What aspect of this post screams unethical to you? I’ve had to use these tricks to access hosts on my home network on many occasions. Any penetration tester should be familiar with at least some of these techniques, and even though I’m not in that profession (yet), I’ve used many a tool and technique to verify the integrity of my home setup. Tools are tools.

    2. Calm down.

      Every security expert should read those things… thrice.

      I talk from experience. At $WORK, security is a rat’s nest of red tape, which only manages to make work more difficult, while leaving gaping holes everyone seems (so far, phew!) to ignore. Until someone “out there” doesn’t.

      I wish our security people spent more time reading articles like this one.

    3. Do we need to launch into the longass explanation for people with context processing failures? … *sigh*… okay…

      During exercises involving physical security, defense exercises, military maneuvers, the guys who are on your side, from your own country or mutual defense pact/treaty area, who are PRETENDING to be the aggressor for the purposes of simulation and training are called the Red Team. Those tasked with stopping them are the Blue Team. Since this is a refined form of role playing, you’re not allowed to actually shoot the Red Team, because they are your friends, and not actual enemies. Thus in cybersecurity, a Red Team of friendlies, may be tasked with probing your defenses, the better to educate you as Blue Team, about their weaknesses.

    1. Security through obscurity never works for long.
      How is explaining how the network works or possible attacks ‘black hat’?
      You can’t defend against what you don’t know exists and tools are ethically agnostic. Sure information cuts both ways but the user determines the direction, not the tool.

      1. True words. The knowledge from learning first aid was also presented in hand-to-hand combat courses with … a different perspective. Knowledge is like a gun, use it to save or to kill. Your choice. Each and every time.

    2. There’re perfectly ordinary tools with perfectly legitimate uses. Having read this, not only do I have some extra tools to try and diagnose networking difficulties I have at home, but I have a set of tests to try. If I find that any of them make it through where I don’t want them, I can now take steps to close those loopholes off, which I could not do if I was not informed of the tools that would demonstrate their existence.

      To take an analogy: Bullets are a real surprise if you didn’t know they’re possible, and you can’t know to buy a bulletproof vest unless you know how they work. Any serious security guard should definitely read up on the more advanced techniques used by burglars, as many have discovered far better techniques that the time-honored cricketbat-to-the-skull.

      PS. Not to mention, it’s an unspoken understanding that many people are more comfortable with certain things than others and to them the boundary may lie in a slightly different position. For example, many people would not outright break onto a locked down WiFi connection. They may be amenable, however, to DNS tunneling a small amount of data on a commercial open network without the annoying process giving up their email address to the “login” page. Especially so in the above example, with an ESP8266 sending back a small amount of logging data. Such a device may have tremendous difficulty faking a human with a browser, just to comply with the “enter your email here and press ok” page.

    3. I use these tools all the time to secure my company’s network. Its really the equivalent of jiggling the knob after locking the door to ensure that the lock did engage.

      I make any security related changes in our QA / Pre-prod environment (full replica of what is in prod, in fact the hardware is last year’s prod…). After making a change, I remote into one of my home systems and then throw everything I have at the environment I just changed. Periodically, I’ll probe the network manually to test out worst case scenario (External person that has managed to get their hands on both a detailed diagram of the network and an administrative account).

      As a security professional, the two rules that should be at the forefront of everyone’s minds should be:
      1) Always test as if your life depended on gaining access
      2) Always assume that the enemy knows everything about your network.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s