- Pivoting allows a compromised machine to be used as a bridge to access internal networks, bypassing segmentation and firewalls.
- It combines with privilege escalation and lateral movement to expand the attacker's control over critical systems.
- There are multiple pivoting techniques: VPN, SOCKS proxies and port forwarding, using tools such as SSH, Chisel, Ligolo or Metasploit.
- A good pentest should include authorized pivoting to assess the real impact of a breach and strengthen defense in depth.
In the world of ethical hacking and penetration testing, you'll constantly hear about pivoting, lateral movement and internal networks. It's not a buzzword: it's one of the skills that most separates someone who only launches exploits from someone who truly understands how a corporate infrastructure works from the inside.
When an organization segments its network, deploys internal firewalls, and implements private networks, it's not enough to compromise the first machine you find. From that initial point onward, the key lies in using that system as a springboard to reach servers and subnets that were invisible from the outside. That's exactly where pivoting comes into play.
What is pivoting in hacking and pentesting?
In simple terms, pivoting is the technique of using an already compromised machine as a bridge to reach other networks, hosts, or services that were not directly accessible from the attacker's machine. It is a typical post-exploitation phase within a penetration test or a Red Team operation.
Imagine a fortress: from the outside you only see the wall and the main building, but once you pass through the gate you discover internal corridors, courtyards and hidden rooms whose existence you didn't even suspect from the outside. That first machine you compromise is the gateway; pivoting is everything you do from there to traverse the rest of the "rooms" of the network.
In a real-world environment, the attacker or pentester compromises an exposed system (e.g., a server in the DMZ) and then configures tunnels, port forwarding, or reverse VPNs to route their traffic through that machine. From a network perspective, all subsequent attacks appear to originate from a "trusted" internal host, causing many security controls to overlook that activity.
The main objective of pivoting is to expand the reach of the attack within the network, remaining as inconspicuous as possible while enumerating new machines, locating critical assets, and attempting to exploit additional vulnerabilities.
Relationship between pivoting, privilege escalation, and lateral movement
Within the cycle of an attack or a pentest, pivoting is not isolated: it is almost always combined with privilege escalation and lateral movement. Each concept covers a different part of the process, but in practice they are linked together.
Privilege escalation refers to going from a user with few permissions to one with high privileges (for example, from a standard user to root or administrator). It can be horizontal, when you access other accounts with the same level, or vertical, when you elevate permissions within the same system.
Lateral movement describes the process of jumping from a compromised host to others within the same network or neighboring networks, reusing stolen credentials, exploiting internal vulnerabilities, or abusing protocols such as SMB, RDP or WMI. It is the "expansion" of the engagement within the environment.
Pivoting is the part of all this that focuses on routing and traffic redirection. In other words, it is the mechanics of how you route your connections through an intermediate node to reach other internal systems that you don't have a direct route to from your attacking machine.
In a typical flow, an attacker can: 1) compromise an exposed server, 2) perform privilege escalation to gain full control of the system, and 3) configure tunnels or port forwarding to use it as a pivot and explore other internal subnets.
Advantages and risks of pivoting in a corporate network
For those who audit security, pivoting is an essential tool because it allows simulating how a realistic attacker would act once they have gained an initial foothold. Without pivoting, many organizations would have a false sense of security by evaluating only directly exposed systems.
From a defensive point of view, the big problem is that much of the pivoted traffic appears legitimate. Since it originates from an internal machine, and many IDS/IPS and monitoring solutions focus on the perimeter rather than east-west traffic within the network, attackers gain an opportunity. Complementing these controls with ASR rules in Windows and other measures helps to mitigate some of that risk.
Furthermore, by using techniques such as encrypted tunnels, reverse VPNs, or SOCKS proxies, the attacker can hide the true content of their communications. This makes analysis by security teams more difficult. Therefore, pivoting is considered one of the most critical phases in ransomware, espionage, or data exfiltration campaigns.
In return, these techniques also help Red Teams and pentesters to clearly demonstrate the impact of a breach. If a single user machine can reach the domain controller or the production database, the organization quickly understands the severity of the problem.
Types of pivoting: VPN, proxy, tunnels, and port forwarding
The underlying idea of pivoting is the same, but it can be implemented in various ways, depending on the available tools and network constraints. The most common types are: VPN pivoting, proxy pivoting, and port forwarding.
In VPN pivoting, the attacker creates a virtual network interface (tun/tap) between their machine and the compromised host. All traffic destined for one or more internal subnets travels encrypted through this interface, as if the attacker were connected by cable within the victim's network. Tools such as Ligolo-ng or sshuttle exemplify this approach well.
Proxy pivoting involves configuring a proxy service (usually SOCKS) on the compromised host, so that the attacker's applications send their traffic to that proxy, which then forwards it to internal destinations. It is very flexible because it allows scanning multiple ports and different machines simultaneously. Chisel, ssh -D, rpivot or a Metasploit module are typical options here.
In turn, port forwarding establishes a direct channel between a local port on the attacker's machine and a specific port on an internal host, via the pivot machine. It is more limited than a general proxy, but it is usually faster and more stable, perfect for accessing a specific service such as a web panel, RDP or a database port.
Within port forwarding, a distinction is usually made between local forwarding (the attacker exposes a local port that redirects to a remote port), remote forwarding (the pivot host listens and forwards to the attacker) and dynamic forwarding (a SOCKS proxy is set up that flexibly routes multiple connections to different internal destinations).
Practical pivoting scenarios: from a single jump to complex chains
In laboratories and training environments, it is common to set up simple topologies for understanding the concept of pivoting step by step. A classic example would be a network with an attacking Kali machine and three Linux (e.g., Ubuntu) servers interconnected in a chain.
The attacking machine only sees machine 1. This machine, in turn, has a second interface to the network where machine 2 is located, and machine 2 connects to machine 3 on another subnet. The objective of the exercise is to achieve connectivity with machine 3, which initially could not be reached from Kali.
In these types of scenarios, tools such as Chisel and Socat are used. Chisel allows the creation of a secure HTTP tunnel between the attacker and machine 1 (server mode on the attacker, client mode on the pivot), exposing a SOCKS proxy that is then used with proxychains to reach machine 2.
Socat comes into play to set up bidirectional channels. This allows, for example, receiving reverse shells from internal machines that otherwise could not connect directly to the attacker's IP address. Machine 1 listens on a port and forwards incoming connections to the attacker's machine, where the attacker has a netcat listener running.
This pattern can be repeated at each hop: on machine 2, Chisel is configured to pivot to the network of machine 3, and Socat is used again to chain together new redirections. Although it may seem a bit confusing at first, with practice it becomes clear how each intermediate host acts as a link in a communication chain.
In more complex Red Team environments, it is common to encounter multi-hop pivoting chains using tools such as Ligolo-ng, which creates tun/tap interfaces on each pivot device and specific routes like route add 10.10.10.0/24 dev ligolo1, allowing the attacker to move through various subnets (10.10.10.0/24, 20.20.20.0/24, 30.30.30.0/24, etc.) as if they were inside.
Pivoting with specialized tools: from SSH to Metasploit
To implement pivoting efficiently, the pentester has a good arsenal of tools focused on tunneling, proxies and port forwarding. Some are designed for general use, and others integrate with complete exploitation frameworks.
A commonly used option is the SSH tunnel. The -D option sets up a local SOCKS proxy that routes traffic through the compromised SSH server, while -L or -R creates local or remote port forwarding. This is a simple and robust way to pivot when you have SSH access to an internal system.
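Whether those -D, -L and -R tunnels work at all is decided by a handful of sshd_config directives on the internal host. As an added example (not code from the article, from OpenSSH or from any tool named here), this Python audit parses an sshd_config and reports which of those directives still permit pivoting, showing a weak configuration beside a hardened one; it assumes sshd's rule that the first occurrence of a keyword wins and the OpenSSH defaults listed in DEFAULTS, and it skips Match blocks because their directives apply only conditionally.

```python
"""Audit an sshd_config for the directives that let an SSH host act as a pivot.
Added example for this article, not code from OpenSSH or any tool named in it.
Assumptions: sshd's first-occurrence-wins rule and the sshd_config(5) defaults
in DEFAULTS; Match blocks are skipped since their directives apply conditionally."""
from __future__ import annotations

# Defaults sshd applies when the keyword is absent from the file (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",          # needed by ssh -L, -R and -D
    "allowstreamlocalforwarding": "yes",  # unix-domain socket forwarding
    "gatewayports": "no",                 # -R listeners bound to all interfaces
    "permittunnel": "no",                 # tun/tap (VPN-style) pivoting
}
# Values a host that must not be usable as a pivot should end up with.
HARDENED = {key: "no" for key in DEFAULTS}

def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value of each pivot-relevant keyword."""
    effective = dict(DEFAULTS)
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        if key in effective and key not in seen:  # first occurrence wins
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective

def audit(text: str) -> list[str]:
    """List keywords whose effective value still permits pivoting through sshd."""
    effective = parse_sshd_config(text)
    return [f"{k}={effective[k]!r} (expected {v!r})"
            for k, v in HARDENED.items() if effective[k] != v]

# Constructed sample: forwarding left at its defaults and tunnelling switched on.
WEAK_CONFIG = "Port 22\nPermitRootLogin no\nPermitTunnel yes\nGatewayPorts yes\n"

# Constructed sample: pivoting disabled globally; the later duplicate directive
# and the Match block do not change the global result.
HARDENED_CONFIG = """\
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
AllowTcpForwarding yes   # ignored: the first occurrence above wins
Match User backup
    AllowTcpForwarding yes
"""
```

Running `audit(WEAK_CONFIG)` returns four findings (the two forwarding keywords at their permissive defaults plus the two explicitly enabled ones), while `audit(HARDENED_CONFIG)` returns an empty list.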
Tools like sshuttle function almost like a transparent SSH-based VPN: they allow you to define internal networks (for example, 10.10.10.0/24) and route traffic to them through the pivot host, often without requiring administrator privileges. This is convenient when you want an "inside the network" experience without much manual configuration.
Other projects like rpivot allow you to set up a reverse SOCKS proxy: the server runs on the auditor's machine and the client is deployed on the compromised host, so the latter establishes the outbound connection. This is useful when filtering rules are restrictive but the compromised host can still initiate an outbound connection to the internet.
In environments where only a webshell is available, solutions such as Tunna or reGeorg wrap traffic in HTTP requests through the compromised web server. The attacker runs a script on their own machine that communicates with the web shell, and in turn exposes a local SOCKS proxy to direct traffic to internal resources.
There are also integrated post-exploitation tools, such as pwncat, which add port forwarding capabilities from an already established shell, facilitating the creation of tunnels to services such as MySQL (for example, by redirecting port 3306 to a local one).
Pivoting and Metasploit: route, autoroute and portfwd
Metasploit Framework remains one of the most widely used platforms in pentesting, and not only for exploiting vulnerabilities: it also comes very well prepared to pivot in a controlled manner once a Meterpreter session has been obtained.
The basis of everything is to first obtain a Meterpreter session on a machine with multiple interfaces or routes to other networks. For example, an Ubuntu host with one address in 10.0.0.0/24 and another in 11.0.0.0/24 can serve as a pivot node between the Kali machine and an internal web server at 11.0.0.10 that is not directly accessible.
Within Metasploit, the `route` command allows you to add routes to internal networks so that any module in the framework knows to send traffic through a specific session. For example, `route add 11.0.0.0 255.255.255.0 1` would indicate that all traffic to the 11.0.0.0/24 network should travel through Meterpreter session number 1.
To automate this process, there is the module post/multi/manage/autoroute. This module analyzes the interfaces and routing table of the compromised host and automatically adds any networks it discovers. This eliminates the need to manually check ipconfig or route print within the session.
On the other hand, the `portfwd` command implements port forwarding from a Meterpreter session. With a command like `portfwd add -l 9500 -p 22 -r 11.0.0.10`, the attacker can redirect everything sent to local port 9500 of their Kali machine to port 22 of the internal host 11.0.0.10, using the pivot machine as an intermediary.
The combination of route/autoroute and portfwd allows the use of both Metasploit modules pointing to local IPs (e.g., 127.0.0.1:9000) and external tools (browsers, nmap, RDP clients, etc.) that connect to local ports but, in reality, are talking to services deep within the victim's network.
Enumeration of internal networks through a pivot
Once the pivot has been established, it's useless without a good plan to enumerate the internal network and discover targets. This phase can be addressed with several complementary strategies.
The first thing is usually to take advantage of the information already available on the compromised machine (for example, artifacts in Windows). Files like /etc/hosts on Linux or C:\Windows\System32\drivers\etc\hosts on Windows, as well as the ARP cache (arp -a command), can reveal IPs and hostnames of servers and devices that the system has communicated with.
It is also worth reviewing local DNS settings. For example, using `/etc/resolv.conf` on Linux or `ipconfig /all` on Windows, you can identify misconfigured internal DNS servers that allow zone transfers. This can uncover subdomains and services that go unnoticed from the outside.
If the pre-installed tools are insufficient, static binaries of utilities like nmap, or small bash or Python scripts that perform pings or basic scans, can be uploaded. A simple loop that pings a range of IPs in the background can detect active machines quite quickly; it's also common to run permission utilities such as AccessChk to review local privileges.
When it is not possible to run network tools on the pivot itself, the only option left is to resort to scans through a proxy (for example, using proxychains from the attacker's machine against a SOCKS proxy on the pivot). This option is slower, especially for UDP ports, so it is recommended to limit it to specific ports or use it only when there is no other alternative.
An effective tactic involves combining a quick scan with nmap (or similar) on the compromised host to locate open ports, and then performing a second, deeper scan from the attacker's machine only against those specific ports, using the nmap NSE scripting engine and the configured proxy.
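The east-west blind spot described in the "Advantages and risks" section and the proxied sweeps and port scans described here leave a measurable trace in flow records. As an added example (not code from the article or from any tool it names), this Python detector reads flow records of the form (time, src, dst, dport), as a firewall or flow exporter would emit, and flags a DMZ host that opens non-baseline connections into the internal segment, reaches many internal hosts, or probes many ports on one host within a short window; the subnets, baseline, thresholds and sample flows are constructed.

```python
"""Spot east-west traffic that looks like enumeration or pivoting from a DMZ host.
Added example for this article, not code from any tool it names. Assumes flow
records (time, src, dst, dport) as a firewall or flow exporter would emit; the
subnets, baseline, thresholds and sample flows below are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("10.0.0.0/24")       # exposed segment: likely first foothold
INTERNAL = ip_network("11.0.0.0/24")  # protected segment behind the firewall
BASELINE = {("10.0.0.5", "11.0.0.10", 443)}  # approved DMZ -> internal flows
FANOUT_HOSTS = 8    # distinct internal hosts per window (sweep through the pivot)
FANOUT_PORTS = 10   # distinct ports on one host per window (proxied port scan)
WINDOW = 60         # tumbling window length in seconds

@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int

def detect(flows: list[Flow]) -> list[str]:
    """Return alerts for flows into INTERNAL that break policy or fan out."""
    alerts: list[str] = []
    by_src: dict[str, list[Flow]] = defaultdict(list)
    offenders: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) not in INTERNAL:
            continue  # only east-west traffic into the protected segment
        by_src[f.src].append(f)
        if ip_address(f.src) in DMZ and (f.src, f.dst, f.dport) not in BASELINE:
            offenders[f.src].add((f.dst, f.dport))
    for src, targets in offenders.items():
        alerts.append(f"policy: DMZ host {src} opened {len(targets)} "
                      "non-baseline connections into the internal segment")
    for src, fl in by_src.items():
        # per window: destination host -> set of ports it was probed on
        windows: dict[int, dict[str, set[int]]] = defaultdict(lambda: defaultdict(set))
        for f in fl:
            windows[f.ts // WINDOW][f.dst].add(f.dport)
        for w, hosts in windows.items():
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append(f"sweep: {src} reached {len(hosts)} internal hosts in window {w}")
            for dst, ports in hosts.items():
                if len(ports) >= FANOUT_PORTS:
                    alerts.append(f"portscan: {src} probed {len(ports)} ports on {dst}")
    return alerts

def sample_flows() -> list[Flow]:
    """Constructed records: one approved web call, one internal client, then the
    host sweep and single-host port scan a proxied scan through the pivot leaves."""
    flows = [Flow(0, "10.0.0.5", "11.0.0.10", 443), Flow(5, "11.0.0.20", "11.0.0.10", 443)]
    flows += [Flow(10 + i, "10.0.0.5", f"11.0.0.{100 + i}", 445) for i in range(12)]
    flows += [Flow(30, "10.0.0.5", "11.0.0.10", p)
              for p in (21, 22, 25, 80, 135, 139, 445, 1433, 3306, 3389, 8080)]
    return flows
```

On the sample, `detect(sample_flows())` yields three alerts (one policy, one sweep, one portscan) all attributed to the DMZ host, while the internal client's single approved connection produces none.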
Key tools for pivoting in real-world environments
In addition to those already mentioned, it's a good idea to have a small mental catalog of tools that help in different pivoting situations, both for tunneling and for using proxies from the attacker's side, and to understand attacks that manipulate WDAC, which can hinder or protect post-exploitation.
On one hand there are the utilities that create or consume proxies, such as ProxyChains in Linux or extensions like FoxyProxy in browsers, which allow you to direct the traffic of certain applications through a SOCKS or HTTP server set up on a pivot host.
On the other hand, we find comprehensive solutions such as Metasploit with its socks4a modules, which allow you to set up an internal proxy from a Meterpreter session and use it from the auditor's machine, or like Chisel, which encapsulates TCP connections in HTTP tunnels protected with SSH and supports both local and remote reverse forwarding.
It is also common to use post-exploitation platforms such as pwncat, which facilitate managing multiple sessions, running reconnaissance commands, uploading binaries and configuring port forwarding without having to jump between a thousand different terminals.
In webshell scenarios, projects like Tunna or reGeorg become almost indispensable, as they transform a simple .php, .jsp, or .aspx file uploaded to the server into an inbound tunneling channel which the pentester can use to open a local proxy and investigate other internal hosts.
Ultimately, the choice of tool depends heavily on the egress restrictions, on the permissions obtained on the compromised host and on the type of traffic you want to tunnel (HTTP, RDP, SMB, databases, etc.). It is common to combine several to adapt to network filters.
Lateral movement, credential theft, and attack chain

Pivoting is just one piece within a broader attack chain which includes reconnaissance, credential theft, privilege escalation, lateral movement, and often data exfiltration or encryption (in the case of ransomware).
The process begins with a reconnaissance phase, in which the attacker gathers information about the organization: domains, subdomains, technologies used, employees, suppliers, etc. OSINT techniques and external scans are used to identify the attack surface.
Once an entry point has been found (for example, a vulnerable application or a user tricked by phishing), the next usual step is credential dumping and theft. This can be done with keyloggers, tools like Mimikatz, Pass-the-Hash or Pass-the-Ticket attacks in Kerberos environments, or by exploiting poor password management habits. Countermeasures exist, such as configuring Credential Guard in Windows, which makes it difficult to steal and use credentials in Windows environments.
With those credentials, the attacker moves laterally using protocols such as SMB, RDP, WMI or others, trying to reach machines with higher privileges or key servers, such as domain controllers, database servers or code repositories.
Throughout this journey, the use of pivoting allows overcoming internal network segmentation by jumping from VLAN to VLAN or through application servers to databases that should never be accessible from the internet. As more machines are compromised, the attacker expands their "mental map" of the network and prepares potential escape routes or reconnection paths through backdoors.
In the final phase, if the objective is ransomware or exfiltration, the attacker will use all that lateral access to maximize the damage or the value of the stolen data. In the case of espionage, they will seek to remain within the environment for longer, limiting their noise and moving stealthily so as not to trigger alerts.
Good practices, ethics and legal considerations
From an ethical hacking perspective, it is crucial to remember that any pivoting and lateral movement test must be performed with express authorization from the owner of the infrastructure. This is not an administrative detail, but a critical legal and ethical issue.
Professional penetration testers document every action to provide traceability: enumerated networks, obtained credentials, configured tunnels, accessed services, etc. This traceability allows the client to understand both the attack vectors and the real impact of the detected vulnerabilities, and testers often recommend measures such as restricting administrative privileges to reduce the surface area for lateral movement.
In addition, responsible use of the tools is recommended, avoiding generating excessive traffic that could affect the performance of services in production or cause outages. Often, clear time windows and reach limits are established before starting the campaign.
Equally important is maintaining continuous and transparent communication with the client: what is being attempted, why, what has been achieved, and what risks are involved. The goal is not to "win" against the company, but to help it strengthen its defenses against real attackers who would act without scruples.
If you work with networks that include especially sensitive data (healthcare, banking, public administration, etc.), it is advisable to reinforce protection measures during the pentest and agree on how the evidence collected during the exercise will be stored, processed and deleted.
Mastering pivoting isn't just about memorizing SSH, Metasploit, or Chisel commands; it's about understanding how networks are designed, how defenders think, and how advanced attackers behave. When this global vision is internalized, tunneling and lateral movement techniques cease to be a hodgepodge of tricks and become coherent tools within a well-planned offensive security strategy.