You can engage in pivoting by using familiar tools like Metasploit. For example, assume that you use your Kali Linux attack machine to gain a Meterpreter session onto a Windows host in the same subnet ( You open a shell and run ipconfig on the Windows host, and see that it has a second network interface that is connected to a gateway in a different subnet ( You want to reach hosts in this subnet, but you can't do that directly from your attack machine. To get to the other subnet, you can use the compromised host as a pivot.

In Metasploit, running the post/multi/manage/autoroute module searches the pivot for any additional subnets and then adds those subnets to Metasploit's routing table. Using the previous example, it would add to the routing table. You can now use various Metasploit modules with this new subnet. For example, you could conduct a ping sweep with the new subnet as the target in order to identify specific hosts on this subnet. Then, you might target a specific host and attempt to access it using a service like SSH, Telnet, etc.

Another tool you can use to pivot to a new subnet is called ProxyChains. After opening a Meterpreter session with the pivot host, you can add the target subnet to the routing table, like so: route add 1 where 1 is the ID of the Meterpreter session. Then, run the Metasploit module auxiliary/server/socks4a to start a proxy server that uses Metasploit's routing table. Next, edit /etc/proxychains.conf to include the following line: socks4 1080. This instructs ProxyChains to use the proxy on localhost. Lastly, you can run ProxyChains to pass in pretty much any command. The following example conducts an Nmap scan of a host on the target subnet:

proxychains nmap -sT -Pn -p21,22,23,25,80,443

Also check out routing in Linux:

4.8.�Routing Tables