How To: Pivot Networking


Cyber Primer Online Learning
Payload Delivery

The course is part of this learning path

How To: Pivot Networking

Course Description

This module will look at how payloads are delivered, and some of the methods that are used to exfiltrate information. The simulation covers an example of how a simple pivot network exploit works. 

  • Payload Delivery Methods  
  • Exfiltration  
  • Pivot Networks 

Intended Audience  

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.  


There are no prerequisites for this course, however, participants are expected to have a basic understanding of computers and the internet. 


We welcome all feedback and suggestions - please contact us at to let us know what you think.


In this video I will be showing you how to pivot between multiple devices, that is, gaining access to one device on a network, and then using our access to move between multiple devices. This is a bit more complicated than some of the previous simulations, so return to this when you feel comfortable using some of the other methods. I will begin by starting my MSFConsole handler and continue to open a simple web server on port 80. Open the Windows machine to download the previously created application exploit and then run it. Now let's check the web server and Materpreter. Great, I have a session. Here I'm checking out some basic Materpreter commands, getuid, get user I.D, sysinfo, system info, and pwd, print working directory. Now I'm going to migrate to a stable process, explorer.exe is the best choice for that. Now I'm checking out the IP config of the exploited machine. Here you can see the interface present on Windows 7. It indicates that it is connected to series network. I will use Windows 7 as a pivot to explore the other machine on 192.168.56 network. To determine the other host on the 192.168.56 network I'm going to use a Materpreter ARP scanner module. Type run arp_scanner-r \24. It shows that the IP is alive in the pivot network. Now it's our mission to exploit that machine. Things become difficult when we want to exploit a machine on a pivot network, we need a route to the machine. Here we're routing to the 192.168.56 network. Now we will make a route 192.168.56 network using the session that we have. To do that in the background, open the current Materpreter and enter the following command, route add 192.168. 56.0 255 .255.255.0. The one at the end of the route statement indicates that we are using session one for the route. Let's check the route with the route print command. Now I'm going to set up a TCP scanner to scan the host using the route of the session one that I have added. The command is use auxiliary/scanner /portscan/tcp. Let's show the options. Set rhost, remote host, to the secondary victim machine, and set threads to 10. Then, my favorite command, run. Scanning takes time as I'm working on a pivot network, so I'll interrupt with control-c. This is how we can scan the network. Now we need to determine the services enabled on each port, so that we can think of further exploitation. In this case I'll use the portfwd Materpreter command. I'll type portfwd add -l 9999 -l 139


- r 192.168 .56.5. This will bind the local port, 9999 to remote port 139 of the remote host Verification of local port forward is done by scanning the local port, 9999. For this I'll use Nmap, the port scanning application. It is pre-installed in Kali. I'm now entering Nmap -sV


- p 9999 in a new terminal window. This will scan the IP address using that port. Okay, so it's Samba smbd 3.X. There's a working exploit for Samba in Metasploit, with the name use exploit/multi/ samba/usermap_script. Configure Metasploit module as follows. I'll look at the reverse shell payload and configure carefully. Let's see if I find anything strange. The attacker Ip, my IP, is Kali, and I'm sending a reverse shell to Windows 7. So Windows 7 will have the reverse shell. When we're using a Materpreter session and working with portfwd utility, our Materpreter is programmed to route the reverse shell to the attacker as it knows portfwd is in use. It is the responsibility of the materpreter session to handle the route and victim's session and give it back to the attacker. And now, with everything ready, I can use another favorite command of mine, exploit, and I have a Linux shell that I can use to exploit multiple devices, and that is pivoting.

About the Author
Learning Paths

Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.