SSH Tunnelling / Port Forwarding

Forward Connections

Creating a forward (or "local") SSH tunnel can be done from the attacking box when we have SSH access to the target.

  • For example, if we had SSH access to 172.16.0.5 and there's a webserver running on 172.16.0.10, we could use this command to create a tunnel to the server on 172.16.0.10:

ssh -L 8000:172.16.0.10:80 <user>@172.16.0.5 -fN

-f backgrounds the SSH session once it is established
-N tells SSH that it doesn't need to execute any remote commands, only set up the connection

You can now access the website on 172.16.0.10 (through 172.16.0.5) by navigating to port 8000 on the attacking machine, i.e. localhost:8000.

Good practice: use a high, out-of-the-way port for the local end of the tunnel.

Creating a proxy: the -D switch

  • For example: -D 1337. This will open up port 1337 on the attacking box as a proxy to send data through into the protected network.

This is useful when combined with a tool such as proxychains. An example of this command would be:

ssh -D 1337 <user>@172.16.0.5 -fN
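The two tunnel types above, wrapped in small shell helpers as an added example (not part of the original notes): each helper checks that the local port is an unprivileged one before printing the ssh command, and a third helper emits the proxychains `[ProxyList]` line that points at the -D SOCKS port. The user name, hosts and ports are constructed sample values; the script only builds command lines and never opens a connection.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds and sanity-checks the
# ssh tunnel commands from the section above and emits the matching
# proxychains entry for a -D SOCKS proxy. Host, user and port values are
# constructed samples; nothing here connects anywhere.

# Return 0 for a usable unprivileged local port (1024-65535), 1 otherwise.
# Binding below 1024 needs root, and the notes recommend a high,
# out-of-the-way port anyway.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# forward_cmd LOCAL_PORT TARGET_HOST TARGET_PORT USER JUMP_HOST
# Prints the -L (local forward) command: connections to localhost:LOCAL_PORT
# are carried over SSH to JUMP_HOST and delivered to TARGET_HOST:TARGET_PORT.
forward_cmd() {
    valid_local_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    printf 'ssh -L %s:%s:%s %s@%s -fN\n' "$1" "$2" "$3" "$4" "$5"
}

# socks_cmd LOCAL_PORT USER JUMP_HOST
# Prints the -D (dynamic) command that opens a SOCKS proxy on localhost.
socks_cmd() {
    valid_local_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    printf 'ssh -D %s %s@%s -fN\n' "$1" "$2" "$3"
}

# proxychains_entry LOCAL_PORT
# Prints the [ProxyList] line proxychains needs in order to use that port.
proxychains_entry() {
    valid_local_port "$1" || return 1
    printf 'socks5 127.0.0.1 %s\n' "$1"
}

# Constructed sample values matching the notes above ("user" is a placeholder).
forward_cmd 8000 172.16.0.10 80 user 172.16.0.5
socks_cmd 1337 user 172.16.0.5
proxychains_entry 1337
```

The `proxychains_entry` line goes under `[ProxyList]` in proxychains.conf; with the -D tunnel up, `proxychains <tool>` then sends that tool's TCP traffic through the SSH session into the protected network.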

Reverse Connections

Reverse connections are very possible with the SSH client (and indeed may be preferable if you have a shell on the compromised server, but not SSH access).

They are, however, riskier, as you inherently must allow the target to connect back to your attacking machine, be it with credentials or, preferably, a key-based login.

Before we can make a reverse connection safely, there are a few steps to take:
