
Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a socks server which communicates with HTTP agents
. The architecture looks like the following:
This tool was inspired by the great reGeorg. However, it includes some improvements:
- Support for balanced servers
- Customizable polling interval, useful to reduce detection rates
- Auto drop connections closed by a server
- Modular and cleaner code
- Installation through pip
- Password-protected agents
Supported socks protocols
- Socks 4
- Socks 5
- No authentication
- User password
- GSSAPI
Installation
From python packages:
pip3 install pivotnacci
From repository:
git clone https://github.com/blackarrowsec/pivotnacci.git
cd pivotnacci/
pip3 install -r requirements.txt # to avoid installing on the OS
python3 setup.py install # to install on the OS
Usage
- Upload the required agent (php, jsp or aspx) to a webserver
- Start the socks server once the agent is deployed
- Configure proxychains or any other proxy client (the default listening port for pivotnacci socks server is 1080)
$ pivotnacci -h
usage: pivotnacci [-h] [-s addr] [-p port] [--verbose] [--ack-message message]
[--password password] [--user-agent user_agent]
[--header header] [--proxy [protocol://]host[:port]]
[--type type] [--polling-interval milliseconds]
[--request-tries number] [--retry-interval milliseconds]
url
Socks server for HTTP agents
positional arguments:
url The url of the agent
optional arguments:
-h, --help show this help message and exit
-s addr, --source addr
The default listening address (default: 127.0.0.1)
-p port, --port port The default listening port (default: 1080)
--verbose, -v
--ack-message message, -a message
Message returned by the agent web page (default:
Server Error 500 (Internal Error))
--password password Password to communicate with the agent (default: )
--user-agent user_agent, -A user_agent
The User-Agent header sent to the agent (default:
pivotnacci/0.0.1)
--header header, -H header
Send custom header. Specify in the form 'Name: Value'
(default: None)
--proxy [protocol://]host[:port], -x [protocol://]host[:port]
Set the HTTP proxy to use.(Environment variables
HTTP_PROXY and HTTPS_PROXY are also supported)
(default: None)
--type type, -t type To specify agent type in case is not automatically
detected. Options are ['php', 'jsp', 'aspx'] (default:
None)
--polling-interval milliseconds
Interval to poll the agents (for recv operations)
(default: 100)
--request-tries number
The number of retries for each request to an agent. To
use in case of balanced servers (default: 50)
--retry-interval milliseconds
Interval to retry a failure request (due a balanced
server) (default: 100)
Examples
Using an agent with a password s3cr3t
(AGENT_PASSWORD
the variable must be modified at the agent side as well):
pivotnacci https://domain.com/agent.php --password "s3cr3t"
Using a custom HTTP Host
header and a custom CustomAgent
User-Agent:
pivotnacci https://domain.com/agent.jsp -H 'Host: vhost.domain.com' -A 'CustomAgent'
Setting a different agent message 418 I'm a teapot
(ACK_MESSAGE
variable must be modified at the agent side as well):
pivotnacci https://domain.com/agent.aspx --ack-message "418 I'm a teapot"
Reduce detection rate (e.g. WAF) by setting the polling interval to 2
seconds:
pivotnacci https://domain.com/agent.php --polling-interval 2000
Author
Eloy Pérez (@Zer1t0) [ www.blackarrow.net - www.tarlogic.com ]
Author

- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Latest Articles
Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
Blog2022.10.12Vulnerability management with Wazuh open source XDR
Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky