SSH local port forwarding forwards port-specific traffic from a local computer through a pivot computer to a target computer.
The setup starts with the SSH client (solid lines), and practical use starts with smbclient (dotted lines).
```mermaid
graph LR
    subgraph Local
        local_sshclient[SSH Client]
        local_listener[Listener]
        local_smbclient[smbclient]
    end
    subgraph Pivot
        pivot_web[Web on 80]
        pivot_ssh[SSH on 22]
    end
    subgraph Target
        target_smb[SMB on 445]
    end
    local_sshclient --> |start portfwd| pivot_ssh
    local_sshclient --> |creates| local_listener
    local_smbclient -.-> |connects to| local_listener
    local_listener -.-> local_sshclient -.-> pivot_ssh -.-> target_smb
```
Three hosts are involved in the forwarding command:
- lhost (Local): machine controlled by the attacker
- host (Pivot): machine connected to the internet (e.g. a web server)
- rhost (Target): machine connected only to host's intranet (e.g. an employee's computer)
SSH local port forwarding can be useful to create a stable pivot on host, allowing lhost to access rport even when rhost is behind a firewall.
Demo
Basic syntax is:
```
ssh [-N] -L [lhost:]lport:rhost:rport user@host
```
- -N disables the shell for this command.
- Use 127.0.0.1 for rhost if the target service is on the same machine as the SSH server.
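The `[lhost:]lport:rhost:rport` syntax above can be parsed mechanically, which helps when reviewing process-audit records for forwards and spotting listeners that are reachable beyond loopback. The following Python is an added example, not part of the original page; the function names, `pivot.example` and the sample addresses are constructed, and it assumes the client's default `GatewayPorts no` when no lhost is given.

```python
import os
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# -L on its own or after ssh's argument-less short flags, e.g. -NL or -NfL<spec>
L_FLAG = re.compile(r"^-[46AaCfGgKkMNnqsTtVvXxYy]*L(.*)$")

def split_spec(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p.strip("[]") for p in parts + [buf]]

def parse_forward(spec):
    """Parse [lhost:]lport:rhost:rport into a dict."""
    parts = split_spec(spec)
    if len(parts) == 3:
        # No lhost given: assume the client default (GatewayPorts no), loopback only.
        parts.insert(0, "localhost")
    if len(parts) != 4:
        raise ValueError(f"not a TCP -L spec: {spec!r}")
    lhost, lport, rhost, rport = parts
    # An empty lhost, '*' or any non-loopback address is reachable from other hosts.
    return {"lhost": lhost, "lport": int(lport), "rhost": rhost,
            "rport": int(rport), "exposed": lhost not in LOOPBACK}

def find_forwards(cmdline):
    """Return every -L forward found in one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "ssh":
        return []
    found = []
    for i, arg in enumerate(argv[1:], start=1):
        m = L_FLAG.match(arg)
        if m:
            spec = m.group(1) or (argv[i + 1] if i + 1 < len(argv) else "")
            found.append(parse_forward(spec))
    return found

if __name__ == "__main__":
    # Constructed sample command line, as it might appear in a process-audit record.
    for fwd in find_forwards("ssh -NfL 0.0.0.0:8445:10.0.0.5:445 user@pivot.example"):
        print(fwd)
```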