Networking 101

Definitions

• Lateral Movement: Moving between systems, services, and applications within the same network after initial access.

  Spread wide within a network.

• Pivoting: Using a compromised host, aka pivot host, to access other networks or segments it can reach, effectively bypassing network segmentation.

  Delve deeper into previously unreachable areas.

• Tunneling: A subset of pivoting. Encapsulates one type of network traffic within another protocol (like SSH or HTTPS) to obfuscate or bypass restrictions.

  Hiding traffic from detection or bypassing segmentation.

Pivoting Methods

1. We compromise an exposed web server ( HostA)

2. The target database server (HostB) is only accessible from inside that network (via HostA)

3. We can reach HostB, by using HostA as a pivot host, with the following methods:

   1. SSH tunnel (if HostA has SSH)

   2. Port forwarding via tools like socat, chisel, ssh -L, etc.

   3. HTTP tunneling (if only HTTP outbound is allowed)

   4. DNS tunneling (if only DNS traffic can escape a restrictive network)

Can you SSH to pivot host? 
→ Yes: Use SSH Tunneling
→ No:

Can you use raw TCP/UDP via pivot?
→ Yes: Use Port Forwarding (socat/chisel)
→ No:

Is outbound HTTP/HTTPS allowed?
→ Yes: Use HTTP Tunneling (reGeorg/tunna)
→ No:

Is outbound DNS allowed?
→ Yes: Use DNS Tunneling (iodine/dnscat2)
→ No:

→ Might need to escalate privileges / find alternate path / physical access / VPN pivot

IP Addressing & Network Interfaces

Every networked device has an IP address assigned to a NIC (Network Interface Card). A system can have multiple NICs, each with its own IP — physical or virtual. Common NIC identifiers are:

• eth0, eth1 → physical/virtual Ethernet

• tun0 → VPN tunnel interface

• lo → local loopback interface (127.0.0.1)

CLI commands to check interfaces: ifconfig (Linux/macOS) or ip a/ipconfig (Windows).

Routing Basics

Devices use routing tables to decide where to send traffic based on destination IP addresses. Traffic for unknown destinations is sent to the default gateway. When pivoting, it is useful to check the compromised host’s routing table for reachable networks we can pivot into.

CLI commands to check the routing table: netstat -rn / ip route.

Ports, Services & Firewalls

Ports are logical endpoints linked to services listening for connections (e.g., SSH on port 22, HTTP on port 80). Open ports reveal potential services you can interact with or exploit.

Firewalls control traffic between network segments, filtering based on: source/destination IP, ports, protocol types, and/or deep packet inspection.

Most enterprise networks are segmented (not flat) to limit lateral movement. Port forwarding, tunneling, and redirection help attackers bypass these boundaries.

Summary Table

Concept	Purpose	Key Idea
Lateral Movement	Spread access within a network	Move sideways to other internal hosts
Pivoting	Access other networks via a pivot host	Move deeper into segmented networks
Tunneling	Obfuscate traffic via secure channels	Hide or reroute traffic to avoid detection
Routing	Direct traffic based on destination IP	Use routing tables to map reachable paths
Ports & Services	Identify access points to services	Open ports reveal interactable apps
Firewalls	Control and restrict network traffic	Boundaries attackers need to bypass