SSH local port forwarding forwards port-specific traffic from a local computer through a pivot computer to a target computer.

The setup starts with the SSH client (solid lines), and practical use starts with smbclient (dotted lines).

graph LR
    subgraph Local 
        local_sshclient[SSH Client]
        local_listener[Listener]
        local_smbclient[smbclient]
    end
    subgraph Pivot
        pivot_web[Web on 80]
        pivot_ssh[SSH on 22]
    end
    subgraph Target
        target_smb[SMB on 445]
    end

    local_sshclient --> |start portfwd| pivot_ssh
    local_sshclient --> |creates| local_listener
    
    local_smbclient -.-> |connects to| local_listener
    local_listener -.-> local_sshclient -.-> pivot_ssh -.-> target_smb

Three hosts appear in the diagram above and in the command syntax below:

  • lhost (Local): machine controlled by the attacker
  • host (Pivot): machine connected to the internet (e.g. a web server)
  • rhost (Target): machine connected only to host’s intranet (e.g. an employee’s computer)

SSH local port forwarding can be used to create a stable pivot on host, allowing lhost to reach rport on rhost even when rhost is behind a firewall.

Demo

Basic syntax is:

ssh [-N] -L [lhost:]lport:rhost:rport user@host
  • -N tells ssh not to run a remote command, so no shell is opened and the session only carries the forward.
  • Use 127.0.0.1 for rhost if the target service is on the same machine as the SSH server.
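
As an added example (not part of the original page), the Python sketch below parses the TCP form of the -L spec shown above and reports which machine each field belongs to, including whether the local listener would be reachable from other machines. The function names and sample specs are constructed for illustration, and the default-bind result assumes the client's GatewayPorts option is left at its default of "no".

```python
import ipaddress
import re

# TCP form from the page: optional bind address, then lport:rhost:rport.
# Bracketed IPv6 literals are accepted for either host field.
_SPEC = re.compile(
    r"^(?:(?P<lhost>\[[^\]]+\]|[^:\[\]]*):)?(?P<lport>\d+):"
    r"(?P<rhost>\[[^\]]+\]|[^:\[\]]+):(?P<rport>\d+)$"
)

def _strip(host):
    return host[1:-1] if host.startswith("[") else host

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other names are treated as non-loopback

def _exposed(bind):
    if bind is None:
        return False  # assumption: client GatewayPorts left at its default "no"
    bind = _strip(bind)
    # An empty address or "*" binds every interface on the local machine.
    return bind in ("", "*") or not _is_loopback(bind)

def parse_local_forward(spec):
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"not [lhost:]lport:rhost:rport: {spec!r}")
    lport, rport = int(m["lport"]), int(m["rport"])
    if not (0 < lport < 65536 and 0 < rport < 65536):
        raise ValueError(f"port out of range in {spec!r}")
    bind = m["lhost"]  # None when the optional field is omitted
    rhost = _strip(m["rhost"])
    return {
        "listen": (None if bind is None else _strip(bind), lport),  # opened on the local machine
        "target": (rhost, rport),  # resolved and dialled by the SSH server
        "listener_exposed": _exposed(bind),
        "target_is_ssh_server": _is_loopback(rhost),
    }

if __name__ == "__main__":
    for spec in ("8445:10.0.0.5:445", "*:8445:127.0.0.1:445"):  # constructed samples
        print(spec, parse_local_forward(spec))
```

The "target" pair is always interpreted from the SSH server's point of view, which is why 127.0.0.1 there means the SSH server itself rather than the local machine.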