SSH local port forwarding forwards port-specific traffic from a local computer through a pivot computer to a target computer.
The setup starts with the SSH client (solid lines), and practical use starts with smbclient (dotted lines).
```mermaid
graph LR
subgraph Local
local_sshclient[SSH Client]
local_listener[Listener]
local_smbclient[smbclient]
end
subgraph Pivot
pivot_web[Web on 80]
pivot_ssh[SSH on 22]
end
subgraph Target
target_smb[SMB on 445]
end
local_sshclient --> |start portfwd| pivot_ssh
local_sshclient --> |creates| local_listener
local_smbclient -.-> |connects to| local_listener
local_listener -.-> local_sshclient -.-> pivot_ssh -.-> target_smb
```
Three hosts are in the above command:
- `lhost` (Local): machine controlled by the attacker
- `host` (Pivot): machine connected to the internet (e.g. a web server)
- `rhost` (Target): machine connected only to `host`'s intranet (e.g. an employee's computer)

SSH local port forwarding can be useful to create a stable pivot on `host`, allowing `lhost` to access `rport` even when `rhost` is behind a firewall.
Demo
Basic syntax is:
- `-N` disables shell for this command.
- Use 127.0.0.1 for `rhost` if the target service is on the same machine as the SSH server.
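
Whether the pivot's SSH server will carry a forward like the one in the diagram is decided by `AllowTcpForwarding` and `PermitOpen` in its `sshd_config`. The script below is an added example, not part of the original page, that audits a config file for those two settings; it assumes only the global section matters (it stops at the first `Match` block and does not follow `Include`), and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: does this sshd_config let clients open local (-L) forwards?
# Assumptions: only the global section is read (stop at the first Match block)
# and Include files are not followed.

# Print the first value set for keyword $1 in file $2, lower-cased.
# sshd keeps the first value it sees for a keyword; keywords are case-insensitive.
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }             # "Key=value" is also accepted
        tolower($1) == "match" { exit }           # per-user/host overrides start here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }' "$2"
}

# Classify file $1: "blocked: ...", "restricted: ..." or "open: ...".
audit_local_forwarding() {
    fwd=$(first_value AllowTcpForwarding "$1")
    dest=$(first_value PermitOpen "$1")
    fwd=${fwd:-yes}      # OpenSSH default
    dest=${dest:-any}    # OpenSSH default
    case "$fwd" in
        no|remote) echo "blocked: AllowTcpForwarding $fwd"; return 0 ;;
    esac
    case "$dest" in
        none) echo "blocked: PermitOpen none" ;;
        any)  echo "open: forwards to any host:port" ;;
        *)    echo "restricted: PermitOpen $dest" ;;
    esac
}

# Constructed sample configs for a pivot host (not taken from any real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Port 22\n#AllowTcpForwarding no\n' > "$tmp/default"
    printf 'AllowTcpForwarding no\n' > "$tmp/hardened"
    printf 'AllowTcpForwarding local\nPermitOpen 127.0.0.1:8080\n' > "$tmp/scoped"
    for f in default hardened scoped; do
        printf '%-9s %s\n' "$f" "$(audit_local_forwarding "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```

On a live host, `sshd -T` prints the effective configuration and is the better source than the raw file.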