SSH local port forwarding

SSH local port forwarding forwards port-specific traffic from a local computer through a pivot computer to a target computer.

The setup start with SSH Client (solid lines), and the practical use starts with smbclient (dotted lines).

graph LR
    subgraph Local 
        local_sshclient[SSH Client]
        local_listener[Listener]
        local_smbclient[smbclient]
    end
    subgraph Pivot
        pivot_web[Web on 80]
        pivot_ssh[SSH on 22]
    end
    subgraph Target
        target_smb[SMB on 445]
    end

    local_sshclient --> |start portfwd| pivot_ssh
    local_sshclient --> |creates| local_listener
    
    local_smbclient -.-> |connects to| local_listener
    local_listener -.-> local_sshclient -.-> pivot_ssh -.-> target_smb

Three hosts are in the above command:

lhost (Local): machine controlled by the attacker
host (Pivot): machine connected to the internet (e.g. a web server)
rhost (Target): machine connected only to host’s intranet (e.g. an employee’s computer)

SSH local port forwarding can be useful to create a stable pivot on host, allowing lhost to access rport even when rhost is behind a firewall.

Demo

Basic syntax is:

ssh [-N] -L [lhost:]lport:rhost:rport user@host

-N disables shell for this command.
Use 127.0.0.1 for rhost if the target service is on the same machine as the SSH server

📖 Notes

Recent Notes

heap exploitation

2024-06-05

2024-06-04

2024-06-03

2024-05-29

SSH local port forwarding

Demo

Graph View

Backlinks