TCP Pivoting

The pivot_tcp command starts a listener on the current host on a given port and waits for a reverse connection from a pivot badger. It binds to 0.0.0.0 on the provided port using the WinSock libraries. Note that the host firewall must allow inbound connections on this port; otherwise a badger connecting to it will be dropped. Once the listener has been started, you can execute a TCP badger on a target host via lateral movement techniques.

The example below shows a TCP listener started on the current host using the pivot_tcp command with a random listener name. This listener runs only on the badger and is NOT shown anywhere else in the Commander. TCP listeners created with the pivot_tcp command can be viewed on the same badger with the list_pivot command. After creating a TCP listener on a badger, we create a TCP profile under C4 Profiler->Payload Profilers. We will use this profile to create a service on our Domain Controller using the psexec command.

Note that our current host’s IP address is 172.16.219.130. We will add this to our payload profile. Once we create a service on the target host using PsExec, the badger’s service should connect back to this port and give us a pivot badger.

We configured our PsExec service name to look like XboxLiveService under C4 Profiler->PsExec Config before executing the psexec command. All TCP pivot connections are custom encrypted.

To stop a listener for the TCP badger, use the stop_tcp command with listener_name:port as its argument.

NOTE: Your pivot badgers must have the same authentication keys as your HTTPS listener so that they can authenticate properly after pivoting via the HTTPS badger. If the auth key differs, they will not be able to authenticate.
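The workflow above leaves two host artifacts a defender can look for: a service installed on the target (Windows System log event 7045) and a new process listening on 0.0.0.0 on the pivot port. The following is an added example, not part of Brute Ratel or this page; the log lines, the port 4444, the path C:\Users\Public\svc.exe and the baselines are constructed for illustration.

```python
import re

# Constructed sample data (not real logs): 7045 "service installed" events flattened
# to key=value, and a netstat-style listing of listening sockets with PID and process.
SERVICE_EVENTS = [
    'EventID=7045 ServiceName=XboxLiveService ImagePath="C:\\Users\\Public\\svc.exe"',
    'EventID=7045 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe"',
]
LISTENING = [
    "TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System",
    "TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING 5120 svc.exe",
    "TCP 127.0.0.1:5432 0.0.0.0:0 LISTENING 880 postgres.exe",
]

# Hypothetical baselines: ports this host is expected to expose on all interfaces,
# and directories from which service binaries are normally installed.
EXPECTED_PORTS = {135, 139, 445, 3389}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENT_RE = re.compile(r'EventID=(\d+) ServiceName=(\S+) ImagePath="([^"]*)"')
SOCK_RE = re.compile(r"TCP (\S+):(\d+) \S+ LISTENING (\d+)\s*(\S*)")

def check_service_installs(lines):
    """Flag 7045 events whose service binary lives outside the trusted directories."""
    findings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group(1) != "7045":
            continue
        name, path = m.group(2), m.group(3)
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"service {name} installed from untrusted path {path}")
    return findings

def check_listeners(lines):
    """Flag sockets bound on all interfaces (0.0.0.0) on ports outside the baseline."""
    findings = []
    for line in lines:
        m = SOCK_RE.match(line)
        if not m:
            continue
        addr, port, pid, proc = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if addr == "0.0.0.0" and port not in EXPECTED_PORTS:
            findings.append(f"unexpected wildcard listener tcp/{port} pid {pid} {proc}")
    return findings

if __name__ == "__main__":
    for finding in check_service_installs(SERVICE_EVENTS) + check_listeners(LISTENING):
        print(finding)
```

A real deployment would read the event log and socket table from the host rather than constructed lines, and the baselines would come from an inventory of the host's expected services and ports.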