Master the Art of Pivoting Techniques
In Windows penetration testing, the ultimate goal once a single system has been compromised is to gain control over all of them. The final phase of a test therefore focuses on compromising the DC (Domain Controller), the server that manages the whole Active Directory domain. To reach the DC, penetration testers typically exploit a machine that is joined to the domain and use it as a pivot into the DC. These methods belong to the post-exploitation phase, which includes:
- Privilege Escalation (elevating rights and permissions)
- Credential Dumping (acquiring credentials)
- Lateral Movement / Pivoting
- Persistence (maintaining access)
Privilege Escalation and Credential Dumping
Attackers first perform privilege escalation by exploiting weaknesses on the compromised machine to gain higher-level access. Once elevated privileges are secured, they enumerate other machines on the network and perform credential dumping to acquire credentials that grant access to other machines in the domain.
Lateral Movement and Pivoting
After obtaining credentials, attackers use lateral movement techniques to access machines in different VLANs. If the target machines are on a network inaccessible to the attacker’s machine but accessible to the compromised machine, the attacker uses the compromised system to establish a connection to the other network and gain access to the machines on that network. This process is known as pivoting.
Persistence
Finally, after compromising the Domain Controller, attackers create a backdoor to maintain access to the system so that continued access can be demonstrated in the penetration test report. This step is called persistence.
Practical Application of Pivoting
This guide explains how to perform pivoting from a machine with high privileges in a Domain environment to access a DC machine on a different network. Before pivoting, credential dumping is performed to obtain the credentials of a Domain Admin account to access the DC machine. The following steps are carried out without relying on the Metasploit Framework.
Laboratory Environment
In the laboratory environment, an attacker machine with the IP address 192.168.106.131 has accessed the LAB001 machine using the Administrator account password via the SMB (445) port. LAB001 uses a second network interface to communicate with the DC machine on the 192.168.35.0/24 network. However, the attacker machine cannot directly communicate with the DC machine. Therefore, LAB001 will be used as a pivot machine to access the DC machine.
Acquiring Credentials
The LAB001 machine has been compromised: access was obtained with PsExec, the Sysinternals tool for running commands on remote machines over SMB, and a PowerShell session is opened on LAB001 in order to dump credentials.
To acquire credentials, the LSASS (Local Security Authority Subsystem Service) process is targeted. LSASS handles authentication, password changes and token creation on Windows systems. The lsass.exe process runs from system boot until shutdown and keeps credential material, including the password hashes of users who have logged on, in its memory. Credentials of logged-on accounts can therefore be recovered from the memory of lsass.exe.
Before dumping credentials from lsass.exe, information about logged-on users is obtained with the following command (where $SERVER stands for the name of the target host):
query user /server:$SERVER
The “net user” command is then executed, revealing that the sysadmin account is a Domain account.
To dump credentials from LSASS memory, the Mimikatz tool can be used. However, Windows Defender is likely to detect and quarantine Mimikatz on the target. Alternatively, a memory dump of the lsass.exe process can be taken with the "procdump" tool from Sysinternals. The dump file is then transferred to the attacker machine and analyzed offline with Mimikatz to extract the credentials.
The following command is used to dump the lsass.exe process memory:
procdump64.exe -accepteula -ma lsass.exe c:\lsass.dmp
The memory dump is saved as "lsass.dmp" in the root of the C: drive. The dump file is transferred to the attacker machine and analyzed with Mimikatz using the following two commands, where <Dump_Path> is the local path of the copied dump:
sekurlsa::minidump <Dump_Path>
sekurlsa::logonpasswords
This yields the credentials of the "sysadmin" account, and the next step is to access the DC machine with them. However, pivoting is required first, because no direct connection exists between the attacker machine and the DC machine.
Pivoting
Having Domain Admin credentials makes accessing the DC machine straightforward. However, a connection must first be established from the attacker machine to the DC machine through LAB001. This is achieved with port forwarding, which relays traffic arriving on a port of one machine to a port on another machine.
Since access to the DC machine is required over SMB (port 445), the DC's port 445 is forwarded to a listening port on LAB001. The attacker machine can then connect to that port on LAB001 because LAB001's firewall is disabled; with the firewall enabled, an inbound rule for the listening port would be needed as well.
The built-in "netsh" tool is used for port forwarding. The following command, run on LAB001, forwards port 445 of the DC machine (192.168.35.10) to port 4455 on LAB001:
netsh interface portproxy add v4tov4 listenport=4455 connectaddress=192.168.35.10 connectport=445
With this rule in place, the attacker machine reaches the DC's SMB service by connecting to port 4455 on LAB001, which completes the pivoting process.
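A portproxy rule like the one above persists across reboots and is easy to overlook, so auditing hosts for unexpected rules is a cheap control. The script below is an added example, not part of the original article: it parses the text that `netsh interface portproxy show all` prints and flags every rule that is not on an expected list, noting when a rule forwards to a sensitive service port or listens on all interfaces. The sample output is constructed to match the rule from this guide plus one extra line, and the set of sensitive ports is an assumption to be tuned per environment.

```python
"""
Added example (not part of the original article): parse the output of
`netsh interface portproxy show all` and flag forwarding rules that a
defender auditing a host for the pivot described above would want to see.
The sample output is constructed; nothing here runs netsh itself.
"""
import re
from dataclasses import dataclass

# Constructed to mirror netsh's table layout: the first data row is the
# rule from the guide, the second is an unrelated forwarder.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               4455        192.168.35.10   445
0.0.0.0         8080        10.0.0.5        8080
"""

# Assumption: ports whose forwarding deserves a closer look (SMB, RPC,
# LDAP/LDAPS, RDP, WinRM). Adjust to the services that matter locally.
SENSITIVE_PORTS = {135, 139, 389, 445, 636, 3389, 5985, 5986}


@dataclass(frozen=True)
class PortProxyRule:
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int


# A data row is two address/port pairs separated by whitespace.
_ROW = re.compile(r"^(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")


def parse_portproxy(output):
    """Return the rules listed in `netsh interface portproxy show all` output."""
    rules = []
    for raw in output.splitlines():
        line = raw.strip()
        # Skip blank lines, the column header and the dashed separator.
        if not line or line.startswith("Address") or line.startswith("-"):
            continue
        m = _ROW.match(line)
        if not m:  # section titles such as "Listen on ipv4:" do not match
            continue
        rules.append(PortProxyRule(m.group(1), int(m.group(2)),
                                   m.group(3), int(m.group(4))))
    return rules


def flag_rules(rules, expected=frozenset()):
    """Return (rule, reasons) for every rule not in the expected set."""
    findings = []
    for rule in rules:
        if rule in expected:
            continue
        reasons = []
        if rule.connect_port in SENSITIVE_PORTS:
            reasons.append(f"forwards to sensitive service port {rule.connect_port}")
        if rule.listen_address in ("*", "0.0.0.0"):
            reasons.append("listens on all interfaces")
        findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in flag_rules(parse_portproxy(SAMPLE_NETSH_OUTPUT)):
        print(f"{rule.listen_address}:{rule.listen_port} -> "
              f"{rule.connect_address}:{rule.connect_port}  {'; '.join(reasons) or 'unexpected rule'}")
```

On a host where no portproxy rule is expected, every parsed rule is a finding; the reasons only add context for prioritising. The same rules are also stored under the registry key HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so a periodic comparison of that key against a known-good state catches rules added outside of netsh as well. A rule that should not exist is removed with `netsh interface portproxy delete v4tov4 listenport=<port>`, or all of them with `netsh interface portproxy reset`.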