Pivoting Attack

How to do a Pivoting Attack


Hello guys, in this tutorial you will learn how an attacker uses a victim as a pivot to hack deeper into the network. In this scenario you will see that the attacker does not have direct access to Server 2, so the attacker first breaks into Server 1 and then uses Server 1 as a staging point to break into Server 2. Let me give a sample scenario of what I mean.

Pivoting Attack:


So let's say the attacker wants to break into a network which has a DMZ containing Server 1, which he can reach, and behind a second firewall Server 2, which is what the attacker actually wants to access; this may be an e-mail server or something else. The only way for the attacker to reach Server 2 is to first break into Server 1 and then use it as a staging point to break into Server 2. This process is called pivoting, and Server 1 is used as a pivot into the rest of the network.

Now let me show you a demonstration of how pivoting works with Metasploit.



Here is the scenario used to break in. In the scenario above, the attacker has an addressable IP with which he can access Server 1, which is at . Server 1 is multi-homed and has another IP which is connected to Server 2 at . The whole idea is for the attacker to first break into Server 1, create a pivot, channel all his attack traffic through it to Server 2, and finally break into Server 2.

Now look at the network I created in VMware.




This is Server 1, which is multi-homed and has 2 interfaces. On the other side is Server 2, which has only 1 interface and has the IP

Step 1:- So now what we are going to do is first break into Server 1, which has the IP addressable by the attacker, using the netapi exploit.

So here we first open msfconsole, then set the remote host IP, meaning the Server 1 IP, and exploit it.

use exploit/windows/smb/ms08_067_netapi




Step 2:- Now we have a meterpreter session on Server 1. Next we run the ifconfig command to learn more about the local interfaces. There seems to be an additional interface with an IP made up of all 10s.



Step 3:- Now what we want to do is check whether any host is running on that subnet. To do that we run the meterpreter script arp_scanner.

run arp_scanner  -r


It immediately tells us the IPs on that subnet. So in the next step we do a port scan.

Step 4:- However, the problem is that from the attacker's computer we can't reach that network. So now we create a pivot, and to do that we use the route command in Metasploit. The route command tells Metasploit to route all traffic to that network via meterpreter session 1, which we currently have with Server 1.

route add 1  (1 is the meterpreter session id)


Now use the sessions command to check which session we have on Server 1.

sessions -l

Step 5:- Now we first do a port scan on the remote machine: set RHOSTS, which in this case will be , the final victim, and the ports we are interested in, 1-200. Then run the auxiliary module using the run command.

use auxiliary/scanner/portscan/tcp


set PORTS 1-200



After running the auxiliary module, all of this traffic goes through the pivot point. We find a couple of open ports.

Step 6:- Now we use the netapi exploit on the remote machine via the pivot point.

So basically we use Server 1 as an intermediary to break into Server 2. Now search for the netapi module using the search command.

search netapi

use exploit/windows/smb/ms08_067_netapi


set PAYLOAD windows/meterpreter/bind_tcp




So now we are exploiting via the pivot running on , and there we go: we get a meterpreter session, and if we run the ifconfig command we can see that we have broken into the network. This clearly shows that it happened via the pivot running on


Note:- Here I am using the netapi exploit to exploit the servers, which are Windows XP. Netapi only works with Windows XP; it can't exploit Windows 7 and 8. We also turned off the Windows firewall.
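As an added example (not part of the original post), here is defender-side detection logic for the traffic pattern the steps above produce on the inside firewall: a multi-homed DMZ host that suddenly touches ports 1-200 on one host in the protected segment and then connects to SMB. The flow records and IP addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample flow log, as a firewall between the DMZ and the internal
# segment might record it: (src_ip, dst_ip, dst_port). Addresses are placeholders.
SAMPLE_FLOWS = (
    # normal traffic from the multi-homed DMZ host (server 1) to the internal server
    [("10.10.10.5", "10.10.10.20", 80)] * 3
    # pivoted port scan of ports 1-200 arriving from server 1's second interface
    + [("10.10.10.5", "10.10.10.20", p) for p in range(1, 201)]
    # follow-up SMB connection, the port the netapi exploit needs
    + [("10.10.10.5", "10.10.10.20", 445)]
    # an unrelated internal client that only uses two services
    + [("10.10.10.30", "10.10.10.20", 443), ("10.10.10.30", "10.10.10.20", 80)]
)

DMZ_HOSTS = {"10.10.10.5"}        # multi-homed hosts that can reach both segments
LATERAL_PORTS = {139, 445, 3389}  # services a pivot attack goes after next


def detect_pivot_scans(flows, min_ports=20, dmz_hosts=DMZ_HOSTS):
    """Return one finding per (src, dst) pair that touched at least min_ports
    distinct destination ports. A DMZ source is flagged separately, because a
    DMZ host's second interface is the only path from server 1 to server 2."""
    ports = defaultdict(set)    # (src, dst) -> distinct ports touched
    lateral = defaultdict(set)  # (src, dst) -> lateral-movement ports touched
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
        if dport in LATERAL_PORTS:
            lateral[(src, dst)].add(dport)
    findings = []
    for (src, dst), seen in ports.items():
        if len(seen) < min_ports:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "distinct_ports": len(seen),
            "from_dmz": src in dmz_hosts,
            "lateral_ports": sorted(lateral[(src, dst)]),
        })
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))
```

A hit with from_dmz set and a lateral port present is the sequence this tutorial walks through, so that combination deserves a higher alert priority than a scan between two ordinary internal hosts.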
