Pivoting refers to the technique where an attacker, after compromising one system within a network, uses that system as a foothold to move laterally and access other systems that would otherwise be inaccessible. This is a fundamental tactic in advanced persistent threat (APT) attacks and penetration testing, allowing the attacker to expand their reach within the target environment.

Key aspects of pivoting:

  • The attacker leverages the initially compromised system (often called a plant or foothold) to bypass security boundaries such as firewalls or network segmentation that block direct access to other machines: traffic the perimeter would drop when it comes from the attacker's own address is instead sourced from a host the internal network already permits.
  • Pivoting is used to explore, map, and exploit additional systems in the network, often with the goal of escalating privileges, stealing data, or establishing persistent access.
  • It is closely related to, but narrower than, lateral movement. Lateral movement is the broader activity of moving from host to host inside the environment by whatever means (stolen credentials, remote services, exploitation); pivoting is the specific mechanism of routing the attacker's tooling through the compromised host so that it can reach networks and services the attacker cannot contact directly.

Common types of pivoting:

  • Proxy Pivoting: Running a proxy payload (typically SOCKS) on the compromised system and routing the attacker's tools through it, for example with proxychains. Only TCP connections the proxy opens on the attacker's behalf are carried, so scanners that need raw sockets (SYN or ICMP scans) and UDP-based protocols do not work through it, and every connection reaches the target with the foothold's source address.
  • VPN Pivoting: Creating an encrypted layer-2 or layer-3 tunnel through the compromised machine, so the attacker's system receives an address on the internal network and can send arbitrary packets, including raw scans, as though it were plugged in there. This needs higher privileges on the foothold than a proxy payload, since it requires a virtual network interface or packet injection.
  • Port Forwarding: Using techniques like SSH tunneling to forward traffic from the attacker's machine through the compromised host to a specific internal host and port (local forwarding), or to expose a port on the attacker's machine to the internal network (remote forwarding). An SSH dynamic forward provides a SOCKS proxy over the same session, which is a common way to get proxy pivoting without dropping a separate payload.
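As an added illustration of proxy pivoting (example code, not from the original page), the following Python implements both ends of the exchange: the SOCKS5 listener that would run on the foothold, and the attacker-side connect that tools such as proxychains perform. Everything runs on 127.0.0.1: the "internal" service is a constructed echo server, the proxy is started on an ephemeral port, and the function names (`socks5_connect`, `pivot_demo`, `pivot_to_closed_port`) are this example's own. The relay carries only TCP streams the foothold can open, which is the limitation noted above.

```python
import select, socket, struct, threading

class SocksError(ConnectionError):      # carries the SOCKS5 reply code (REP) sent back by the pivot
    def __init__(self, rep):
        super().__init__(f"SOCKS5 CONNECT failed, REP={rep}"); self.rep = rep

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def _relay(a, b):
    """Pump bytes both ways until either side closes, then close both."""
    try:
        while True:
            for s in select.select([a, b], [], [])[0]:
                data = s.recv(65536)
                if not data: return
                (b if s is a else a).sendall(data)
    finally:
        a.close(); b.close()

def _fail(client, rep):                 # error reply: VER REP RSV ATYP=IPv4 + zeroed BND.ADDR/PORT
    client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6)); client.close()

def _handle_client(client):
    """Foothold side: one SOCKS5 session (RFC 1928; CONNECT only, no authentication)."""
    try:
        ver, nmethods = _recv_exact(client, 2)                 # greeting: VER, NMETHODS
        if ver != 5 or 0 not in _recv_exact(client, nmethods):
            client.sendall(b"\x05\xff"); client.close(); return
        client.sendall(b"\x05\x00")                            # method chosen: no authentication
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)         # request: VER CMD RSV ATYP
        if atyp == 1:                                          # IPv4 address
            host = socket.inet_ntoa(_recv_exact(client, 4))
        elif atyp == 3:                                        # length-prefixed domain name
            host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        else: return _fail(client, 8)                          # address type not supported
        (port,) = struct.unpack("!H", _recv_exact(client, 2))
        if cmd != 1: return _fail(client, 7)                   # BIND / UDP ASSOCIATE unsupported
        try:   # sourced from the foothold's own address: this connect is the pivot itself
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            return _fail(client, 5)                            # connection refused
        client.sendall(b"\x05\x00\x00\x01" + bytes(6))         # REP=0 success, BND.* zeroed
        _relay(client, upstream)
    except (ConnectionError, OSError):
        client.close()

def _serve(handler):
    """Daemon accept loop on 127.0.0.1 and an ephemeral port; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0)); srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def _echo(conn):                        # constructed stand-in for an internal-only service
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def socks5_connect(proxy, target):
    """Attacker side: the exchange proxychains or `curl --socks5` perform to reach target."""
    host, port = target
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(b"\x05\x01\x00")                                 # offer only "no authentication"
    if _recv_exact(s, 2) != b"\x05\x00": s.close(); raise ConnectionError("method rejected")
    name = host.encode()
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
    reply = _recv_exact(s, 4)
    if reply[1] != 0: s.close(); raise SocksError(reply[1])
    addr_len = {1: 4, 4: 16}.get(reply[3]) or _recv_exact(s, 1)[0]
    _recv_exact(s, addr_len + 2)                               # discard BND.ADDR and BND.PORT
    return s

def pivot_demo(payload=b"SELECT 1"):
    """Reach the 'internal' echo service through the pivot; returns what came back."""
    proxy, target = _serve(_handle_client), _serve(_echo)
    with socks5_connect(proxy, target) as s:
        s.sendall(payload)
        return _recv_exact(s, len(payload))

def pivot_to_closed_port():
    """Target a port nothing listens on; returns the REP code the pivot sent (5 = refused)."""
    probe = socket.socket(); probe.bind(("127.0.0.1", 0)); port = probe.getsockname()[1]; probe.close()
    try:
        socks5_connect(_serve(_handle_client), ("127.0.0.1", port)).close()
    except SocksError as e:
        return e.rep
    return 0
```

On an engagement the foothold side is what an SSH dynamic forward, Chisel, or a C2 framework's SOCKS command provides, and the attacker side is hidden inside proxychains; the code above just makes the bytes visible. `pivot_to_closed_port` shows the reply a tool receives when the internal target is closed, which is also why scanning through a SOCKS pivot is slow and noisy: every probe is a full TCP connect made by the foothold, and every refused port is a connection attempt in the target's logs.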

Example scenario:
If an attacker compromises a web server in a corporate DMZ, they can use that server to scan for and attack systems behind it, such as database servers or internal workstations, that the perimeter firewall never exposes to the Internet. From the firewall's point of view those connections come from a host it already permits, which is what makes the foothold valuable.

Defensive measures against pivoting include:

  • Strong network segmentation, including egress filtering: a web server should be able to reach its database and nothing else, so a foothold on it has nowhere to pivot to.
  • Monitoring and logging network activity, in particular connections initiated by servers toward hosts and ports they have no business with, and outbound tunnels from internal hosts; denied connections from a server are as telling as allowed ones, because they show a foothold probing.
  • Regularly patching vulnerabilities, both on perimeter hosts (to deny the initial foothold) and on internal systems that are wrongly assumed to be unreachable.
  • Restricting trust relationships between systems, such as shared service accounts, reused local administrator passwords, and unrestricted SSH keys that let one compromised host authenticate to many others.
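As an added example (not from the original page) of how the segmentation and monitoring measures above turn into detection logic, the Python below models the web-server scenario from this page: a DMZ host that should only ever reach its database starts probing other internal hosts and then opens an outbound connection. The flow-log format, the addresses, and the policy constants (`DMZ`, `INTERNAL`, `ALLOWED_FROM_DMZ`, the fan-out threshold) are constructed for the example and would come from the real segmentation policy in practice.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall flow-log lines; the format is assumed for this example, not any product's own.
# 10.0.5.12 is a DMZ web server; 10.0.20.0/24 holds the database (10.0.20.4) and other internal hosts.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z src=10.0.5.12 dst=10.0.20.4 dport=3306 proto=tcp action=allow
2024-03-04T10:00:03Z src=10.0.5.12 dst=10.0.20.4 dport=3306 proto=tcp action=allow
2024-03-04T10:02:10Z src=10.0.5.12 dst=10.0.20.5 dport=445 proto=tcp action=deny
2024-03-04T10:02:11Z src=10.0.5.12 dst=10.0.20.6 dport=445 proto=tcp action=deny
2024-03-04T10:02:12Z src=10.0.5.12 dst=10.0.20.7 dport=22 proto=tcp action=allow
2024-03-04T10:02:13Z src=10.0.5.12 dst=10.0.20.8 dport=3389 proto=tcp action=deny
2024-03-04T10:02:14Z src=10.0.5.12 dst=10.0.20.9 dport=135 proto=tcp action=deny
2024-03-04T10:05:00Z src=10.0.5.12 dst=198.51.100.7 dport=443 proto=tcp action=allow
2024-03-04T10:05:30Z src=10.0.5.12 dst=198.51.100.7 dport=443 proto=tcp action=allow
2024-03-04T10:06:00Z src=10.0.30.21 dst=10.0.20.4 dport=3306 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+ action=(?P<action>\w+)$"
)

# Segmentation policy as the detection sees it (assumed values for the example).
DMZ = ipaddress.ip_network("10.0.5.0/24")
INTERNAL = [ipaddress.ip_network("10.0.20.0/24"), ipaddress.ip_network("10.0.30.0/24")]
ALLOWED_FROM_DMZ = {("10.0.20.4", 3306)}   # the web tier's only legitimate internal dependency
FANOUT_HOSTS = 5                           # distinct internal hosts touched by one source ...
WINDOW_SECONDS = 120                       # ... within this window => scan from a foothold


def parse_flows(log_text):
    """Turn log lines into (epoch_seconds, src, dst, dport, action) tuples; skips unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["action"]))
    return events


def _in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in net for net in networks)


def detect_pivoting(events):
    """Return findings as (kind, src, detail, dport, action) tuples for DMZ sources.

    kinds: segmentation_violation - internal (dst, port) the policy does not allow, even if denied
           fanout                 - >= FANOUT_HOSTS distinct internal hosts within WINDOW_SECONDS
           unexpected_egress      - connection to an address outside our networks (possible
                                    reverse tunnel or VPN pivot), regardless of the firewall verdict
    """
    findings = []
    touched = defaultdict(list)            # src -> [(ts, dst)] for internal destinations
    flagged_fanout, seen_egress = set(), set()
    for ts, src, dst, dport, action in sorted(events):
        if not _in_any(src, [DMZ]):
            continue                       # this rule set watches DMZ hosts only
        if _in_any(dst, INTERNAL):
            if (dst, dport) not in ALLOWED_FROM_DMZ:
                findings.append(("segmentation_violation", src, dst, dport, action))
            touched[src].append((ts, dst))
            recent = {d for t, d in touched[src] if ts - t <= WINDOW_SECONDS}
            if len(recent) >= FANOUT_HOSTS and src not in flagged_fanout:
                flagged_fanout.add(src)
                findings.append(("fanout", src, len(recent), None, None))
        elif not _in_any(dst, [DMZ] + INTERNAL) and (src, dst, dport) not in seen_egress:
            seen_egress.add((src, dst, dport))
            findings.append(("unexpected_egress", src, dst, dport, action))
    return findings


def summarize(log_text):
    """Count findings by kind; convenient for a quick check or a dashboard tile."""
    counts = defaultdict(int)
    for kind, *_ in detect_pivoting(parse_flows(log_text)):
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect_pivoting(parse_flows(SAMPLE_LOG)):
        print(finding)
    print(summarize(SAMPLE_LOG))
```

Two design points matter here. Denied flows are counted: a segmentation rule that blocks SMB from the DMZ has done its job, but the attempt itself is the evidence that the web server is no longer only a web server. The egress rule treats any destination outside the organisation's own address space as suspicious even when the firewall allowed it, because a VPN pivot or reverse tunnel over a permitted port such as 443 looks exactly like the last two lines from 10.0.5.12; in a real deployment that rule needs an allow-list for legitimate egress (package mirrors, telemetry endpoints) rather than being switched off.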
Synonyms:
Pivoting