Pivoting

Pivoting is when we use one compromised machine to exploit other hosts or networks

Pivoting Examples

  • An example would be a client-side “drive-by browser” attack

    • Once the attacker owns this machine inside the firewall, they can launch all further attacks from this compromised machine

    • When we pivot, we're taking advantage of the security and trust relationships between systems in an organization

Pivoting Example

  • Let's say that, as an attacker, I've compromised the machine between the two firewalls above

  • In this case, I'd have complete control of the compromised machine through Meterpreter

  • I want to take advantage of that compromised machine and the trust relationships it has with other systems in the organization

  • Any future exploits I launch as an attacker can, in effect, be funnelled through the compromised machine

  • We can launch an exploit from the compromised machine to the target machine on the right-hand side of the diagram

    • We may not be able to launch it directly from the attacker to the target machine because of the firewall rules that are in place, but we may be able to communicate from the compromised machine to the target machine

  • This is very common in organizations where a single workstation is compromised

    • The attacker will pivot from that initial machine to get access to more useful resources on the network, such as software repositories, employee databases, or credit card data

    • They'll funnel it through that compromised workstation and gain access to whatever resources that workstation can get to

    • It's like using the compromised system as a proxy for further attacks
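
A defender's view of the same idea, as an added example that is not part of the original notes: given the flows a network's firewalls allow, it computes everything a single compromised host can reach by chaining trusted connections, and which allowed flows lead to sensitive systems. The host names and the allowed-flow list are constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample policy (assumption): each tuple is one flow that a
# firewall or host ACL permits, written as (source, destination).
ALLOWED_FLOWS = {
    ("internet", "dmz-web"),        # outer firewall exposes only the DMZ host
    ("dmz-web", "app-server"),      # inner firewall trusts the DMZ host
    ("workstation", "app-server"),
    ("workstation", "code-repo"),
    ("app-server", "employee-db"),
    ("app-server", "card-data"),
}

def directly_reachable(src, dst, flows=ALLOWED_FLOWS):
    """True only if a single allowed flow connects src to dst."""
    return (src, dst) in flows

def reachable_via_pivot(foothold, flows=ALLOWED_FLOWS):
    """Map each host reachable from the foothold to the chain of hosts used (BFS)."""
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for src, dst in sorted(flows):
            if src == current and dst not in paths:
                paths[dst] = paths[current] + [dst]
                queue.append(dst)
    del paths[foothold]
    return paths

def flows_to_review(foothold, sensitive_hosts, flows=ALLOWED_FLOWS):
    """Allowed flows that lie on a path from the foothold to a sensitive host."""
    paths = reachable_via_pivot(foothold, flows)
    review = []
    for host in sensitive_hosts:
        path = paths.get(host, [])
        for edge in zip(path, path[1:]):
            if edge not in review:
                review.append(edge)
    return review

if __name__ == "__main__":
    print("direct internet -> card-data:", directly_reachable("internet", "card-data"))
    for host, path in reachable_via_pivot("dmz-web").items():
        print(host, "via", " -> ".join(path))
    print("review:", flows_to_review("workstation", ["card-data", "code-repo"]))
```

Each flow returned by `flows_to_review` is a trust relationship worth tightening or monitoring, since it is what turns one compromised host into access to the sensitive system.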
