Pivoting is a process similar to lateral movement. In lateral movement, you jump from one host to the next in search of vulnerabilities to exploit. When you pivot, you compromise one host (the pivot) that enables you to spread out to other hosts that would otherwise be inaccessible. This is necessary when you want to move to a different network segment than the one you're currently on. For example, if you are able to open a shell on a host you've compromised, you can enter commands in that shell to see other network subnets that the host might be connected to. From here, you can use the pivot host to spread out to these other subnets.
Note: Despite the distinction, lateral movement and pivoting are often used interchangeably.
There are several techniques that can enable pivoting.
| Pivoting Technique | Description |
| --- | --- |
| Port forwarding | You use a host as a pivot and are able to access one of its open TCP/IP ports. You then forward traffic from this port to a port of a host on a different subnet using various methods. One common method is to forward port 3389 (RDP) to a Windows target for remote desktop access. |
| VPN pivoting | You run an exploit payload on a compromised host that starts a VPN client on its network interface. Meanwhile, you run a VPN server outside the network, and relay frames of data from that server to the client. The data frames are dumped onto the client and can now interface with the wider private network. Any traffic that the client (pivot host) sees can then be relayed back to your VPN server. VPN pivoting is commonly used to perform additional reconnaissance of a target network. |
| SSH pivoting | You connect to the compromised pivot through SSH using the -D flag. This flag sets up a local proxy server on your attack machine and enables port forwarding. Connections to this proxy on the port specified are forwarded to the ultimate target through the pivot. SSH pivoting is often used to chain proxy servers together in order to continue pivoting from host to host. |
| Modifying routing tables | After opening a shell on the pivot host, you can also add a new route to the pivot host's routing table. This new route includes a destination subnet and a gateway. You define the gateway as your own exploit session, so that any traffic sent to the subnet must tunnel through your session. Adjusting routing tables in this manner is often used as a way to reach different subnets. |
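
From the defender's side, the port-forwarding row above leaves a recognizable shape in flow logs: a session into one host and, inside its lifetime, an onward session from that host to another subnet carrying nearly the same byte volume. The following is an added example, not part of the original text; the `Flow` record layout, the /24 segment size, and the thresholds are assumptions, and the flow records are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    start: float  # seconds since capture start
    end: float
    src: str
    dst: str
    dport: int
    nbytes: int   # total bytes carried by the flow

# Constructed sample records, not taken from a real network.
FLOWS = [
    Flow(100, 400, "203.0.113.7", "10.1.0.20", 8443, 5_200_000),  # inbound leg
    Flow(101, 399, "10.1.0.20", "10.2.0.15", 3389, 5_150_000),    # onward RDP leg
    Flow(50, 60, "10.1.0.30", "10.2.0.15", 3389, 40_000),         # direct admin RDP
    Flow(500, 520, "203.0.113.9", "10.1.0.40", 443, 90_000),      # web request
    Flow(505, 506, "10.1.0.40", "10.2.0.50", 5432, 2_000),        # its small DB query
]

def same_subnet(a, b, prefix):
    net = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return ipaddress.ip_address(a) in net

def find_relays(flows, prefix=24, slack=2.0, min_ratio=0.8):
    """Return (pivot, origin, target, target_port) for relay-shaped flow pairs."""
    hits = []
    for inbound in flows:
        for outbound in flows:
            if outbound.src != inbound.dst or outbound.dst == inbound.src:
                continue  # not an onward leg from the host that was just contacted
            if same_subnet(outbound.dst, outbound.src, prefix):
                continue  # stays inside the pivot's own segment
            if outbound.start < inbound.start - slack or outbound.end > inbound.end + slack:
                continue  # onward leg must live inside the inbound session
            lo, hi = sorted((inbound.nbytes, outbound.nbytes))
            if hi and lo / hi >= min_ratio:  # a relay copies bytes, so volumes match
                hits.append((inbound.dst, inbound.src, outbound.dst, outbound.dport))
    return hits

if __name__ == "__main__":
    for pivot, origin, target, port in find_relays(FLOWS):
        print(f"possible pivot {pivot}: {origin} -> {pivot} -> {target}:{port}")
```

The byte-volume comparison is what separates a relay from an ordinary server that makes a small backend call while serving a request; loosening `min_ratio` trades fewer misses for more false positives.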