Networking 101

Definitions

  • Lateral Movement: Moving between systems, services, and applications within the same network after initial access.

    Spread wide within a network.

  • Pivoting: Using a compromised host, aka pivot host, to access other networks or segments it can reach, effectively bypassing network segmentation.

    Delve deeper into previously unreachable areas.

  • Tunneling: A subset of pivoting. Encapsulates one type of network traffic within another protocol (like SSH or HTTPS) to obfuscate or bypass restrictions.

    Hiding traffic from detection or bypassing segmentation.

Pivoting Methods

  1. We compromise an exposed web server (HostA)

  2. The target database server (HostB) is only accessible from inside that network (via HostA)

  3. We can reach HostB by using HostA as a pivot host, with the following methods:

    1. SSH tunnel (if HostA has SSH)

    2. Port forwarding via tools like socat, chisel, ssh -L, etc.

    3. HTTP tunneling (if only HTTP outbound is allowed)

    4. DNS tunneling (if only DNS traffic can escape a restrictive network)

Can you SSH to the pivot host?
  → Yes: Use SSH Tunneling
  → No:  Can you use raw TCP/UDP via the pivot?
           → Yes: Use Port Forwarding (socat/chisel)
           → No:  Is outbound HTTP/HTTPS allowed?
                    → Yes: Use HTTP Tunneling (reGeorg/tunna)
                    → No:  Is outbound DNS allowed?
                             → Yes: Use DNS Tunneling (iodine/dnscat2)
                             → No:  Might need to escalate privileges / find alternate path / physical access / VPN pivot

IP Addressing & Network Interfaces

Every networked device has an IP address assigned to a NIC (Network Interface Card). A system can have multiple NICs, each with its own IP — physical or virtual. Common NIC identifiers are:

  • eth0, eth1 → physical/virtual Ethernet

  • tun0 → VPN tunnel interface

  • lo → local loopback interface (127.0.0.1)

CLI commands to check interfaces: ifconfig (Linux/macOS), ip a (Linux), or ipconfig (Windows).

Routing Basics

Devices use routing tables to decide where to send traffic based on destination IP addresses. Traffic for unknown destinations is sent to the default gateway. When pivoting, it is useful to check the compromised host’s routing table for reachable networks we can pivot into.

CLI commands to check the routing table: netstat -rn / ip route.
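As an added example (not part of the original notes), the following Python script parses `ip route` output and answers the two questions a routing table is consulted for: which segments the host can reach and how, and which interface and gateway a given destination would be sent through (longest-prefix match, lowest metric on ties, default route as the fallback). The sample output, addresses and interface names are constructed for the example; on a real host you would feed it the actual `ip route` text. The same check is useful to defenders auditing whether a host on an exposed segment has routes into internal ones that it should not have.

```python
import ipaddress

# Constructed sample output of `ip route` from a Linux host with two NICs and a
# VPN tunnel interface (hypothetical addresses, not from the original page).
SAMPLE_IP_ROUTE = """\
default via 10.10.10.1 dev eth0 proto dhcp metric 100
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.15 metric 100
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.10
192.168.50.0/24 via 172.16.5.1 dev eth1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""


def parse_ip_route(text):
    """Turn `ip route` output into route dicts: network, via (gateway), dev, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # "default" is shorthand for the all-zeros prefix.
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"network": ipaddress.ip_network(dest, strict=False),
                 "via": None, "dev": None, "metric": 0}
        # The remaining fields come as "key value" pairs; keep the ones we need.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def reachable_segments(routes):
    """List every non-default network and how this host reaches it."""
    out = []
    for r in routes:
        if r["network"].prefixlen == 0:
            continue  # the default route is "everything else", not a segment
        how = f"via {r['via']} on {r['dev']}" if r["via"] else f"directly on {r['dev']}"
        out.append((str(r["network"]), how))
    return out


def lookup(routes, ip):
    """Longest-prefix match (lowest metric breaks ties); returns (dev, via) or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return best["dev"], best["via"]


if __name__ == "__main__":
    routes = parse_ip_route(SAMPLE_IP_ROUTE)
    for net, how in reachable_segments(routes):
        print(f"{net:18} {how}")
    for ip in ("172.16.5.77", "192.168.50.20", "10.8.0.9", "8.8.8.8"):
        print(ip, "->", lookup(routes, ip))
```

With the sample table, 192.168.50.0/24 shows up as reachable even though no interface sits on it, because a gateway on eth1 forwards to it; that is exactly the kind of indirect path a routing-table review is meant to surface.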

Ports, Services & Firewalls

Ports are logical endpoints linked to services listening for connections (e.g., SSH on port 22, HTTP on port 80). Open ports reveal potential services you can interact with or exploit.

Firewalls control traffic between network segments, filtering based on: source/destination IP, ports, protocol types, and/or deep packet inspection.

Most enterprise networks are segmented (not flat) to limit lateral movement. Port forwarding, tunneling, and redirection help attackers bypass these boundaries.
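As an added example (not from the original notes), here is a small Python model of a segment firewall: rules match on source/destination network, protocol and destination port, the first matching rule wins, and anything unmatched falls through to a default deny. The three segments (a DMZ web server, an internal database segment, an admin LAN) and all addresses are hypothetical. It also includes an audit helper that flags allow rules opening a whole segment on any port or protocol, which is the usual misconfiguration that turns a "segmented" network back into a flat one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Constructed topology: DMZ 10.10.10.0/24, internal servers 172.16.5.0/24,
# admin LAN 192.168.50.0/24 (hypothetical, not from the original page).
WEB = "10.10.10.15"   # exposed web server in the DMZ
DB = "172.16.5.20"    # database server on the internal segment

RULES = [
    Rule("allow", "0.0.0.0/0",       WEB + "/32",     "tcp", 443),   # Internet -> web server HTTPS
    Rule("allow", WEB + "/32",       DB + "/32",      "tcp", 5432),  # web server -> its database only
    Rule("allow", "192.168.50.0/24", "172.16.5.0/24", "tcp", 22),    # admin LAN -> SSH on servers
    Rule("deny",  "10.10.10.0/24",   "172.16.5.0/24", "any", None),  # everything else DMZ -> internal
]


def evaluate(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """First matching rule wins; returns (action, rule index) or (default, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return default, None


def overly_broad_allows(rules):
    """Indices of allow rules that open a destination on any port or any protocol."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and (r.dport is None or r.proto == "any")]


if __name__ == "__main__":
    checks = [
        ("203.0.113.9", WEB, "tcp", 443),     # client on the Internet -> web
        (WEB, DB, "tcp", 5432),               # web -> database, permitted
        (WEB, DB, "tcp", 22),                 # web -> database SSH, blocked
        ("192.168.50.7", DB, "tcp", 22),      # admin -> database SSH, permitted
        ("192.168.50.7", DB, "tcp", 5432),    # admin -> database port, default deny
    ]
    for src, dst, proto, port in checks:
        print(f"{src:>14} -> {dst}:{port}/{proto}  {evaluate(RULES, src, dst, proto, port)}")

    # A single broad rule added "temporarily" defeats the segmentation above.
    weak = RULES + [Rule("allow", "10.10.10.0/24", "172.16.5.0/24", "any", None)]
    print("overly broad allow rules:", overly_broad_allows(weak))
```

Note that the broad rule in the `weak` list sits after the explicit deny, so with first-match semantics it never fires here; the audit helper flags it anyway, because rule order changes over time and a rule that is harmless only by position is a latent hole.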

Summary Table

Concept           | Purpose                                 | Key Idea
------------------+-----------------------------------------+--------------------------------------------
Lateral Movement  | Spread access within a network          | Move sideways to other internal hosts
Pivoting          | Access other networks via a pivot host  | Move deeper into segmented networks
Tunneling         | Obfuscate traffic via secure channels   | Hide or reroute traffic to avoid detection
Routing           | Direct traffic based on destination IP  | Use routing tables to map reachable paths
Ports & Services  | Identify access points to services      | Open ports reveal interactable apps
Firewalls         | Control and restrict network traffic    | Boundaries attackers need to bypass
