# Pivoting

{% embed url="https://oscp.infosecsanyam.in/pivoting" %}

{% embed url="https://sushant747.gitbooks.io/total-oscp-guide/content/port_forwarding_and_tunneling.html" %}

{% embed url="https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html" %}

### Discovering New Targets

The trick here is to look for additional IP addresses that are hidden from our position in the network: ones we didn't get from the initial ping sweep. The compromised host's interfaces, routes and ARP cache are where they show up.

#### Meterpreter session

Look for additional interfaces, cached neighbours and routes:

```
ifconfig
arp
route
```

#### Shell

Look at ALL the output.

```
ipconfig /all
ipconfig /displaydns
netstat -ano
```

#### Ping Sweep

From msfconsole, sweeping through an existing Meterpreter session (`SESSION 1` here is a placeholder for your session id):

```
use post/multi/gather/ping_sweep
set SESSION 1
set RHOSTS 10.10.10.0/24
run
```

#### ARP Scanner

From a Meterpreter session:

```
run arp_scanner -r 10.10.10.0/24
```
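Added example (not code from the original page): a small Python helper that pulls IPv4 addresses out of captured `ipconfig /all` / `arp -a` output and reports which /24 networks fall outside the range covered by the initial sweep. The sample output is constructed for the example; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample output (not captured from a real host): a Windows
# "ipconfig /all" excerpt followed by a few "arp -a" entries. The page's
# advice is to read ALL of this output, which is tedious by hand.
SAMPLE_OUTPUT = """
Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
Ethernet adapter Ethernet1:
   IPv4 Address. . . . . . . . . . . : 172.30.111.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.30.111.1
Interface: 10.10.10.5 --- 0x4
  Internet Address      Physical Address      Type
  10.10.10.1            00-50-56-aa-bb-01     dynamic
  172.30.111.20         00-50-56-aa-bb-22     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ipv4(text):
    """Return unique host addresses found in text, in order of appearance.

    Subnet masks (240.0.0.0/4 is 'reserved' in the ipaddress module),
    multicast, loopback and 0.0.0.0 are dropped since they are not targets.
    """
    seen = []
    for match in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(match)
        except ipaddress.AddressValueError:
            continue  # e.g. an octet > 255
        if addr.is_multicast or addr.is_loopback or addr.is_reserved or addr.is_unspecified:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def new_subnets(addresses, known_networks, prefix=24):
    """Group addresses into /prefix networks, dropping any already swept."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    candidates = set()
    for addr in addresses:
        if any(addr in net for net in known):
            continue
        candidates.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return sorted(candidates)
```

Feed it the saved output of the commands above and the range of your initial sweep; the networks it returns are the ones to route and scan next.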

### Routing

Add a route to the newly discovered network through the Meterpreter session so Metasploit modules can reach it:

```
meterpreter > run autoroute -s 172.30.111.0/24
# or from msfconsole: use post/multi/manage/autoroute, set SESSION and SUBNET, then run
```

### Port Scan

Run the TCP port scanner through the new route. Lower THREADS to 10 and limit PORTS to a smaller range, since every probe travels through the pivot:

```
use auxiliary/scanner/portscan/tcp
set RHOSTS 172.30.111.0/24
set PORTS 1-1000
set THREADS 10
run
```

### Proxying

Start a SOCKS server in Metasploit (older versions ship `auxiliary/server/socks4a` and `socks5` as separate modules; `search socks` will show what you have), then point proxychains at it:

```
search socks
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 4a
run -j
```

Edit `/etc/proxychains4.conf` so the last line matches the version you started:

```
socks4 127.0.0.1 1080
# or, for VERSION 5:
socks5 127.0.0.1 1080
```

Prefix the command with `proxychains` and it is sent through the SOCKS server and over the route.

We can also use proxychains to start our web browser.

### Port Forwarding with Metasploit

Let's say we want to access a web server on port 80 on the victim machine. From the Meterpreter session, bind a local port and forward it to the remote host (`-r`):

```
portfwd add -l 8080 -p 80 -r <ip of victim that has the web server>
# then browse to http://127.0.0.1:8080
```
