IDENTIFY PIVOT TARGETS
Check interfaces on foothold
Multiple NICs = dual-homed — Gateway to internal network
ip a
ifconfig
ipconfig /all
Example Output
ip a
2: eth0: <BROADCAST> mtu 1500
inet 10.10.14.5/24
3: eth1: <BROADCAST> mtu 1500
inet 172.16.1.5/24
(DUAL-HOMED! 172.16.1.0/24 is the internal network)
Check routing table
Known networks — Map internal subnets
ip route
route print
netstat -rn
Example Output
ip route
default via 10.10.14.1 dev eth0
10.10.14.0/24 dev eth0
172.16.1.0/24 dev eth1
(Can reach the internal 172.16.1.0/24 network)
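Defender's counterpart to the two checks above, added here and not part of the cheat sheet: the interface and route signals an attacker reads by hand are the ones a host inventory should collect and flag first. The script parses constructed `ip a` / `ip route` output modelled on the examples above and reports whether the host straddles two subnets and which further networks it reaches only through a route; the function names and sample text are this example's own.

```python
# Added audit helper, not part of the cheat sheet: parse `ip a` and `ip route`
# output and flag a host that sits on more than one subnet (a pivot candidate).
# The sample output below is constructed from the cheat sheet's example lines.
import ipaddress
import re

IP_A_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.10.14.5/24 brd 10.10.14.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 172.16.1.5/24 brd 172.16.1.255 scope global eth1
"""
IP_ROUTE_SAMPLE = """\
default via 10.10.14.1 dev eth0
10.10.14.0/24 dev eth0 proto kernel scope link src 10.10.14.5
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.5
192.168.50.0/24 via 172.16.1.1 dev eth1
"""
IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[@:]")
INET_RE = re.compile(r"^\s+inet (?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)")

def parse_ip_a(text):
    """{iface: [IPv4Interface, ...]} for every non-loopback IPv4 address."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group("name")
        elif (m := INET_RE.match(line)) and current:
            addr = ipaddress.ip_interface(m.group("cidr"))
            if not addr.ip.is_loopback:
                ifaces.setdefault(current, []).append(addr)
    return ifaces

def parse_ip_route(text):
    """{network: iface} for every route except the default one."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] != "default" and "dev" in parts:
            routes[ipaddress.ip_network(parts[0])] = parts[parts.index("dev") + 1]
    return routes

def dual_homed_finding(ip_a_text, ip_route_text):
    """(is_dual_homed, directly attached subnets, subnets reachable only via a route)."""
    subnets = {a.network for addrs in parse_ip_a(ip_a_text).values() for a in addrs}
    routed_only = [n for n in parse_ip_route(ip_route_text) if n not in subnets]
    return (len(subnets) > 1, sorted(str(n) for n in subnets),
            sorted(str(n) for n in routed_only))
```

Run against real output (`ip a` and `ip route` piped in from each host) the same function feeds an inventory that lists every multi-homed box and the routed networks behind it.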
Check ARP cache
Recently contacted hosts — Active internal hosts
arp -a
ip neigh
Example Output
arp -a
? (172.16.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth1
? (172.16.1.10) at aa:bb:cc:dd:ee:01 [ether] on eth1
? (172.16.1.20) at aa:bb:cc:dd:ee:02 [ether] on eth1
(3 hosts alive on internal network)
Ping sweep internal network
Find live hosts — Discover internal targets
for i in $(seq 1 254); do (ping -c 1 10.10.10.$i | grep 'bytes from' &); done
Example Output
for i in $(seq 1 254); do (ping -c 1 172.16.1.$i | grep 'bytes from' &); done
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.3 ms    (gateway)
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=0.5 ms   (host alive)
64 bytes from 172.16.1.20: icmp_seq=1 ttl=64 time=0.6 ms   (host alive)
64 bytes from 172.16.1.100: icmp_seq=1 ttl=64 time=0.4 ms  (host alive)
Port scan from pivot
Bash port scanner (no tools) — When you can't upload nmap
for port in 21 22 25 53 80 88 135 139 389 443 445 636 1433 3306 3389 5985 8080; do (echo > /dev/tcp/10.10.10.X/$port) 2>/dev/null && echo "$port open"; done
Example Output
for port in 22 80 445 3389; do
(echo > /dev/tcp/172.16.1.10/$port) 2>/dev/null && echo "$port open"
done
22 open
80 open
445 open
(Found 3 open ports on the internal host)