SSH dynamic port forwarding involves an attacker machine, a compromised server, and a private network. When the port forward is set up correctly, the attacker can use the compromised server as a pivot to reach hosts in the server's private network.
The port forwarding requires an SSH connection to the compromised server. The SSH client opens a SOCKS proxy listener locally, which proxychains can use to redirect a tool's TCP traffic through the tunnel.
```mermaid
graph TD
    subgraph Local
        local_sshclient[SSH Client]
        local_socks[SOCKS Proxy]
        nmap[Nmap]
    end
    subgraph Pivot
        remote_ssh[SSH on 22]
    end
    subgraph Target
        target_mysql[MySQL on 3306]
    end
    local_sshclient -- setup portfwd --> remote_ssh
    local_sshclient -- creates --> local_socks
    nmap -.-> |connects to| local_socks
    local_socks -.-> local_sshclient
    local_sshclient -.-> remote_ssh -.-> target_mysql
```
How-to
```
sudo ssh -N -D bind-addr:bind-port user@server
```

bind-addr
: can just be 127.0.0.1

bind-port
: desired port for the SOCKS proxy

After the proxy is set up, edit the proxychains config (/etc/proxychains.conf):
Note that an nmap SYN scan does not work over a SOCKS proxy: the proxy forwards only the TCP payload, not raw packets. The TCP handshake is performed by the remote machine, so nmap has no control over it.