SSH Tunneling
This section demonstrates where to use SSH tunneling.
1. SSH Local Port Forwarding
Description
Once you have a compromised machine, use the command ssh -L 0.0.0.0:[local_port]:[target_host]:[target_port] user@ssh_server to create a tunnel between the compromised machine and the internal user machine.
ssh -N -L 0.0.0.0:9090:10.10.15.2:22 user@192.168.1.5
🧭Scenario:
- You (Kali) want to access an internal user machine (10.10.15.2) which is not directly reachable.
- You have access to a compromised SSH client (192.168.1.5) in the DMZ.
- That SSH client can SSH into an internal SSH server (176.10.5.5), which can reach the internal user machine (10.10.15.2).
- You use local port forwarding from Kali through the compromised SSH client, via the internal SSH server, to reach the internal user.
2. SSH Dynamic Port Forwarding
Set up SSH port forwarding on the remote machine
ssh -N -D 0.0.0.0:1080 user@176.10.5.5
Create a ProxyChains entry on Kali
ProxyChains forwards your commands through the configured port, so you only need to enter the IP and port you want to connect to; the tunneling is performed by ProxyChains.
echo "socks5 192.168.1.5 1080" | sudo tee -a /etc/proxychains4.conf
Use ProxyChains
Prepend proxychains before commands to use your ProxyChains configuration.
proxychains ftp <IP>
Scenario
- Kali (192.168.1.1) has SSH access to a compromised host (192.168.1.5) in the DMZ.
- The compromised host can SSH into an internal SSH server (176.10.5.5).
- The internal SSH server has reachability to multiple internal user machines: 10.10.5.1, 10.10.5.2, 10.10.5.3
- One or more internal machines have services (e.g., SMB on port 445).
- Kali sets up dynamic port forwarding (ssh -D 1080) through the compromised host → internal SSH server.
- Then uses proxychains to tunnel requests to internal IPs over the SOCKS proxy.
3. SSH Remote Port Forwarding
| This creates a single socket per connection, meaning you can only connect to one specific IP and port.
Step 1. Start the SSH service on the Kali machine
sudo systemctl start ssh
OR
service ssh start
Step 2. Execute the command on the compromised machine
ssh -N -R 127.0.0.1:2345:172.10.1.5:5432 kali@192.168.45.44
IP and port where the tunnel is being created: 127.0.0.1:2345.
IP and port the tunnel is connecting to: 172.10.1.5:5432.
Your Kali machine's IP for the SSH connection: kali@192.168.45.44.
Step 3. Connect to the remote machine
Now when you connect to port 2345 on your Kali machine, you are tunneled to port 5432 on the DMZ machine.
Scenario
- Kali (192.168.1.1) has SSH access to a compromised host (192.168.1.5) in the DMZ.
- The firewall only allows inbound connections to port 4455 on the compromised host.
- The compromised host can SSH into an internal SSH server (176.10.5.5).
- The internal SSH server has reachability to a single internal host: 10.10.5.2 (SMB on port 445).
- Kali sets up remote port forwarding using: ssh -N -R 127.0.0.1:2345:10.10.5.2:445 kali@192.168.1.1 (with SSH hopping to the internal SSH server)
- Kali configures proxychains with SOCKS5 proxy at 127.0.0.1:1080.
- Kali uses proxychains to access 10.10.5.2:445 (e.g., with smbclient).
4. Dynamic Remote Port Forwarding
| The SOCKS proxy is bound on the SSH server on Kali, and traffic is forwarded from the SSH client.
| You can connect to more hosts and ports through the same connection, meaning multiple sockets.
| The OpenSSH client needs to be version 7.6 or later.
Step 1. Start the SSH service on the Kali machine
sudo systemctl start ssh
OR
service ssh start
Step 2. Execute the command below on the compromised server
ssh -N -R 8888 kali@192.168.45.114
Step 3. Update your proxychains configuration
echo "socks5 127.0.0.1 8888" | sudo tee -a /etc/proxychains4.conf
Step 4. Use the Kali machine to connect to other IPs and ports.
proxychains nmap <IP_of_any_other_machine>
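For defenders reviewing process-creation telemetry, the four forwarding forms above can be told apart from the ssh command line alone. The following is an added example, not part of the original page: a small parser that classifies each -L/-R/-D spec and flags wildcard binds. The function names and the "exposed" field are assumptions of this sketch, and it handles IPv4/hostname specs only.

```python
import shlex

ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")  # ssh(1) options that take a value
KINDS = {"L": "local", "R": "remote", "D": "dynamic"}
WILDCARD = {"0.0.0.0", "*", "::"}        # binds reachable from other hosts

def parse_spec(flag, spec):
    """Decode [bind:]port[:host:hostport]; IPv4/hostname specs only (assumption)."""
    parts = spec.split(":")
    if flag in "LR" and len(parts) in (3, 4):
        bind = parts[0] if len(parts) == 4 else None
        port, target, kind = parts[-3], ":".join(parts[-2:]), KINDS[flag]
    elif flag in "RD" and len(parts) in (1, 2):
        bind = parts[0] if len(parts) == 2 else None
        # -R with only a port is the SOCKS ("dynamic remote") form
        port, target = parts[-1], None
        kind = "remote-dynamic" if flag == "R" else "dynamic"
    else:
        return None
    if not port.isdigit():
        return None
    return {"kind": kind, "bind": bind, "listen_port": int(port),
            "target": target, "exposed": bind in WILDCARD}

def find_forwards(cmdline):
    """Return every -L/-R/-D forward found in one ssh command line."""
    tokens, found, i = shlex.split(cmdline), [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-") or tok.startswith("--"):
            continue                      # binary name, destination, etc.
        for pos, ch in enumerate(tok[1:], start=1):
            if ch not in ARG_OPTS:
                continue                  # boolean flag such as -N or -f
            value = tok[pos + 1:]
            if not value and i < len(tokens):
                value, i = tokens[i], i + 1
            fwd = parse_spec(ch, value) if ch in KINDS else None
            if fwd:
                found.append(fwd)
            break                         # rest of the token was the value
    return found

# Sample input: two command lines from this page, one constructed benign line.
SAMPLES = ["ssh -N -D 0.0.0.0:1080 user@176.10.5.5",
           "ssh -N -R 8888 kali@192.168.45.114",
           "ssh -p 2222 -i id_ed25519 user@host"]
if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", find_forwards(line))
```

A wildcard bind on a -R forward only takes effect when the server's GatewayPorts setting allows it, so treat "exposed" as a triage hint and confirm against sshd_config.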