Pivoting and Network Tunnelling for OSCP
In the realm of penetration testing, especially for certifications like OSCP, mastering post-exploitation techniques is crucial. Pivoting and network tunnelling are advanced techniques that allow you to move beyond your initial compromised host and access other systems within the target network. This module will explore these concepts, their importance, and common methods used.
What is Pivoting?
Pivoting, in cybersecurity, refers to the technique of using a compromised host as a stepping stone to access other systems on a network that are not directly reachable from the attacker's initial position. Think of it as using a compromised machine as a bridge to cross into new network segments or reach otherwise inaccessible targets.
Why is Pivoting Important for OSCP?
The OSCP exam is designed to simulate real-world penetration testing scenarios. In many enterprise environments, networks are segmented for security reasons. You will almost certainly encounter situations where your initial foothold is on a machine that cannot directly reach other vulnerable systems. Successfully pivoting is often a prerequisite for achieving the 'root' or 'user' flags on multiple machines, which is essential for passing the exam.
Mastering pivoting is not just about technical skill; it's about strategic thinking and understanding network topology.
Network Tunnelling: The Foundation of Pivoting
Network tunnelling is the underlying technology that enables pivoting. It involves encapsulating network traffic from one protocol within another protocol. This allows traffic to traverse networks that might otherwise block it or to create secure, private connections over public networks.
SSH Port Forwarding
SSH offers powerful port forwarding capabilities that are fundamental to pivoting. There are three main types:
- Local Port Forwarding: Forwards a local port to a remote host and port through the SSH server.
- Remote Port Forwarding: Forwards a port on the remote SSH server to a local host and port.
- Dynamic Port Forwarding (SOCKS Proxy): Creates a SOCKS proxy on your local machine that tunnels traffic through the SSH server to various destinations on the remote network.
Dynamic port forwarding (SOCKS proxy) is particularly useful for pivoting. When you establish a dynamic tunnel using ssh -D <local_port> <user>@<ssh_server>, your local machine gains a SOCKS proxy. You can then configure tools like proxychains or your browser to use this proxy. Any traffic sent through this proxy will originate from the SSH server's IP address, allowing you to access internal network resources as if you were on that network.
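As an added illustration (not code from the original module), this is the SOCKS5 exchange that a client such as proxychains carries out against the local proxy that ssh -D opens: the greeting, the method reply, the CONNECT request and the server's reply, including the refusal you see when the destination is not reachable from the SSH server. Hosts and ports are constructed sample values.

```python
import struct

# SOCKS5 (RFC 1928) message builders and parsers: the exchange a client such
# as proxychains performs against the proxy that "ssh -D <local_port>" opens.
SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused"}

def build_greeting():
    """Client hello: VER NMETHODS METHODS. Only 'no authentication' is offered,
    which is what an OpenSSH -D listener accepts."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def parse_method_reply(data):
    """Server picks one method; 0xFF means nothing we offered was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method reply")
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy rejected every offered auth method")
    return data[1]

def build_connect(host, port):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent
    unresolved (ATYP 0x03) so the SSH server resolves it on the far side,
    which is what proxychains' proxy_dns option relies on."""
    octets = host.split(".")
    if len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets):
        addr = bytes([ATYP_IPV4]) + bytes(int(o) for o in octets)
    else:
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_reply(data):
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT. A non-zero REP is the
    proxy reporting that the destination is not reachable from the pivot."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type 0x%02x" % atyp)
    return rep, REPLY_TEXT.get(rep, "unassigned"), addr, struct.unpack("!H", rest[:2])[0]
```

A constructed server reply such as b"\x05\x05\x00\x01" followed by a zero address and port decodes to "connection refused", which is exactly what proxychains reports when the internal service is down or filtered from the pivot host.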
Meterpreter Pivoting
If you have a Meterpreter session on a compromised host, it offers built-in commands for pivoting. The portfwd command allows you to forward ports from the compromised host to other internal machines. This is a highly effective way to expose services running on internal systems to your attacker machine without needing to set up manual SSH tunnels.
Other Pivoting Tools
Beyond SSH and Meterpreter, several other tools are commonly used for pivoting:
- chisel: A fast, cross-platform TCP/UDP tunnel, written in Go. It's excellent for creating tunnels between machines with different operating systems.
- socat: A versatile command-line utility that establishes bidirectional data transfers between two data channels. It can be used to create complex tunnelling scenarios.
- netcat (nc): While basic, netcat can be used for simple port forwarding and tunnelling in certain situations.
Practical Considerations for OSCP
When preparing for the OSCP, focus on understanding the underlying principles of each pivoting method. Practice setting up tunnels with SSH, experimenting with proxychains, and utilizing Meterpreter's portfwd command. Be aware of network segmentation, firewall rules, and the services running on internal machines. A solid understanding of network protocols (TCP/IP, UDP) and common ports is also essential.
The OSCP exam often requires you to chain multiple pivots to reach your final target. Plan your approach carefully!