SSH dynamic port forwarding involves an attacker machine, a compromised server, and a private network. When the port forward is set up correctly, the attacker can use the compromised server as a pivot to reach hosts in the server's private network that are not routable from the attacker machine.

The port forwarding requires an SSH login on the compromised server (any unprivileged account that can open a session is enough). The SSH client opens a SOCKS proxy listener locally; tools that are not proxy-aware, such as nmap, can be pushed through that listener with proxychains, which hooks the connect() calls of the wrapped program and redirects them to the proxy.

graph TD
    subgraph Local
        local_sshclient[SSH Client]
        local_socks[SOCKS Proxy]
        nmap[Nmap]
    end
    
    subgraph Pivot
        remote_ssh[SSH on 22]
    end

    subgraph Target
        target_mysql[MySQL on 3306]
    end

    local_sshclient -- setup portfwd --> remote_ssh
    local_sshclient -- creates --> local_socks
    nmap -.-> |connects to| local_socks 
    local_socks -.-> local_sshclient
    local_sshclient -.-> remote_ssh -.-> target_mysql

How-to

ssh -N -D [bind-addr:]bind-port user@server
  • -N: do not run a remote command, only forward ports
  • -D: open a dynamic (SOCKS) listener at bind-addr:bind-port
  • bind-addr: use 127.0.0.1 (also the default when omitted, per GatewayPorts) so the listener is only reachable from the attacker machine. Binding to 0.0.0.0 exposes an unauthenticated path into the victim network to anyone who can reach the attacker host.
  • bind-port: desired local port for the SOCKS proxy. sudo is only needed if this is below 1024; pick a high port such as 1080 and run ssh as a normal user.

After the proxy is set up, edit the proxychains config (/etc/proxychains.conf, or pass a private file with proxychains -f). Replace the placeholders with the actual address and port, and remove or comment out the stock entry (typically socks4 127.0.0.1 9050 for Tor), otherwise a strict chain fails on it:

[ProxyList]
socks5 bind-addr bind-port

OpenSSH's -D listener speaks both SOCKS4 and SOCKS5; socks5 is preferable because it lets proxychains hand hostnames to the proxy for resolution on the pivot (proxy_dns) instead of leaking lookups from the attacker machine.
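The three steps above (open the tunnel, point proxychains at it, scan through it) as one wrapper script. This is an added example and not code from the original page; it assumes OpenSSH, proxychains-ng (the proxychains4 binary) and nmap are installed locally, and the names pivot.sh, SOCKS_PORT and the helper functions are this example's own.

```shell
#!/usr/bin/env bash
# pivot.sh: dynamic port forward + proxychains + nmap, as described above.
# Added example, not from the original page. Assumes OpenSSH, proxychains-ng
# (proxychains4) and nmap. Usage: ./pivot.sh user@pivot 10.10.10.0/24 [nmap args]
set -eu

# Write a per-engagement proxychains config instead of editing /etc/proxychains.conf.
# socks5 so that proxychains can push hostname lookups through the tunnel (proxy_dns).
write_proxychains_conf() {
    conf="$1"; addr="$2"; port="$3"
    cat > "$conf" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 $addr $port
EOF
}

# A SOCKS tunnel only carries TCP streams and proxychains only hooks connect(),
# so every nmap option that needs raw sockets is useless here. Return 1 if present.
proxy_safe_scan() {
    for arg in "$@"; do
        case "$arg" in
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sO|-O|--traceroute|-PE|-PP|-PM) return 1 ;;
        esac
    done
    return 0
}

# Unprivileged listener port: numeric and in 1024-65535, so ssh needs no sudo.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Block until the local SOCKS listener accepts TCP connections (about 10 s max).
wait_for_socks() {
    addr="$1"; port="$2"; i=0
    while [ "$i" -lt 20 ]; do
        if (exec 3<>"/dev/tcp/$addr/$port") 2>/dev/null; then return 0; fi
        i=$((i + 1)); sleep 0.5
    done
    return 1
}

main() {
    pivot="$1"; target="$2"; shift 2
    addr=127.0.0.1; port="${SOCKS_PORT:-1080}"
    valid_port "$port" || { echo "SOCKS_PORT must be 1024-65535" >&2; exit 1; }
    proxy_safe_scan "$@" || { echo "raw-socket scan options do not work through SOCKS" >&2; exit 1; }

    conf="$(mktemp)"
    write_proxychains_conf "$conf" "$addr" "$port"

    # -f: go to background once authenticated; -N: no remote command; -D: SOCKS listener.
    ssh -f -N -D "$addr:$port" "$pivot"
    wait_for_socks "$addr" "$port" || { echo "SOCKS listener never came up" >&2; exit 1; }

    # -sT: full TCP connect, the only scan a SOCKS proxy can carry.
    # -Pn: skip host discovery, since ICMP/ARP probes cannot traverse the tunnel.
    # -n:  no reverse DNS from the attacker machine.
    proxychains4 -q -f "$conf" nmap -sT -Pn -n "$@" "$target"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The backgrounded ssh keeps running after the scan finishes; kill that ssh process to tear the tunnel down. Any other TCP client (mysql, curl, an RDP client) can be run through the same config with proxychains4 -f.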

Note that an nmap SYN scan (-sS) does not work over the proxy. The SOCKS protocol carries only the TCP payload of a connection that the pivot opens itself; it does not forward raw packets. The three-way handshake with the target is performed by the pivot's TCP stack, so nmap never sees the SYN/ACK or RST it bases its verdict on, and proxychains (an LD_PRELOAD hook on connect()) cannot intercept raw sockets at all, so -sS probes leave the attacker's own interface instead. The same applies to UDP scans, OS detection and ICMP host discovery. Use a full connect scan (-sT), disable host discovery (-Pn), and add -n so reverse lookups are not sent from the attacker machine. Scans through the tunnel are slow, so keep the port list narrow.