
NETWORK PIVOTING

May 17, 2026

# Network Pivoting: A Concise Guide

## What Is Pivoting?

Pivoting (island hopping) is when an attacker uses a compromised machine as a stepping stone to reach deeper, protected systems on the same network. The first hacked machine becomes a "beachhead."

---

## Why It Works

High-value targets (databases, domain controllers) sit on internal networks unreachable from the internet. But public-facing servers *can* reach them — so attackers go through those first.

---

## The Attack Flow

1. **Compromise a foothold** — exploit a public-facing server or phish an employee
2. **Recon internally** — scan the internal network from the trusted compromised host
3. **Build a tunnel** — route attacker traffic through the compromised machine
4. **Move laterally** — exploit internal targets, pivot again if needed

---

## Common Techniques

| Technique | How It Works |
|---|---|
| **SSH Tunneling** | Local/remote/dynamic port forwarding through SSH |
| **SOCKS Proxy** | Tools like Chisel or Proxychains turn the host into a proxy |
| **Port Redirection** | `netsh` (Windows) or `iptables` (Linux) forward traffic inward |

---

## Quick Example

- **Target:** HR database at `192.168.2.50` (private network)
- **Entry point:** Web server at `10.0.0.20` with an RCE flaw
- **Attack:** Hacker exploits web server → drops Chisel → creates reverse SOCKS proxy → now accesses the internal database *as if sitting inside the corporate network*

---

## Defense Strategies

- **Network segmentation** — VLANs keep web servers away from databases
- **Zero Trust / microsegmentation** — devices can't talk to each other unless explicitly allowed
- **Monitor East-West traffic** — watch for unusual internal behavior (a web server port-scanning internally is a red flag)
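
The East-West monitoring point above, sketched as detection logic. This is an added example, not part of the original guide: it flags an internal host that contacts an unusual number of distinct internal targets in a short window. The flow-record format, the internal ranges, the thresholds and every address other than `10.0.0.20` and `192.168.2.50` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption: these ranges are the "internal" side of the example network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_internal_scanners(flows, window=60, max_targets=10):
    """flows: iterable of (epoch_seconds, src, dst, dst_port).
    Returns {src: peak} for internal sources whose peak number of distinct
    internal (dst, port) pairs inside any `window`-second span exceeds max_targets."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and is_internal(dst):      # east-west traffic only
            by_src[src].append((ts, (dst, port)))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, target in events:
            in_window[target] += 1
            while events[start][0] < ts - window:      # expire flows older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_targets:
            alerts[src] = peak
    return alerts

def sample_flows():
    """Constructed flow records, not real telemetry."""
    flows = [(t, "10.0.0.20", "10.0.0.30", 8080) for t in range(0, 600, 30)]    # steady app traffic
    flows += [(t, "10.0.0.20", "203.0.113.7", 443) for t in range(0, 600, 60)]  # north-south, ignored
    flows += [(700 + i, "10.0.0.20", f"192.168.2.{i}", 445) for i in range(1, 41)]  # subnet sweep
    flows += [(t, "10.0.0.55", "192.168.2.50", 5432) for t in range(0, 600, 20)]    # one steady peer
    return flows

if __name__ == "__main__":
    for src, peak in find_internal_scanners(sample_flows()).items():
        print(f"ALERT {src}: {peak} distinct internal targets within 60s")
```

Thresholds like these need tuning against a baseline: monitoring hosts, backup servers and vulnerability scanners legitimately fan out and belong on an allowlist.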
