Zero Day Archives

SSH Dynamic Port Forwarding

Overview

SSH Dynamic Port Forwarding (SOCKS Proxy) allows an attacker or administrator to route traffic dynamically through an SSH tunnel. Unlike local or remote port forwarding, which forward traffic to one fixed destination, dynamic forwarding runs a SOCKS proxy in which each connection names its own destination, so a single tunnel can reach multiple hosts and ports.

This is useful for scenarios such as:

  • Bypassing firewalls or network restrictions

  • Gaining access to internal networks from a compromised system

  • Tunneling tools through an SSH connection to maintain stealth

How It Works

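When SSH dynamic port forwarding is enabled, SSH creates a SOCKS proxy server on the client machine. Each connection made to that local port is carried over the encrypted SSH session, and the remote SSH server opens the connection to the requested destination, so the destination sees traffic coming from the SSH server. Any application that supports SOCKS5 (e.g., web browsers, proxychains) can be configured to use this proxy to forward traffic through the SSH tunnel.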

Setting Up Dynamic Port Forwarding

To establish an SSH SOCKS proxy, run:

ssh -D [local_port] -N -f user@remote_host

Explanation:

  • -D [local_port] → Specifies the local port to act as a SOCKS proxy (e.g., 1080)

  • -N → Prevents executing commands on the remote host (used for tunneling only)

  • -f → Runs SSH in the background after authentication

Example:

ssh -D 1080 -N -f user@remote_host

This will create a SOCKS proxy at 127.0.0.1:1080, which can be used to forward traffic dynamically.

Using the SOCKS Proxy

Once the SSH tunnel is active, configure applications to use the SOCKS proxy:

1. Using ProxyChains

Modify /etc/proxychains.conf or ~/.proxychains/proxychains.conf to include:

socks5 127.0.0.1 1080

Then, run:

proxychains nmap -sT -Pn 10.10.10.1

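This routes nmap scans through the SOCKS proxy. The -sT (TCP connect) scan type is used because a SOCKS proxy only relays full TCP connections, and -Pn skips host discovery, whose ICMP probes cannot pass through the proxy.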

2. Using Firefox

  • Go to Settings > Network Settings

  • Select Manual Proxy Configuration

  • Set SOCKS Host to 127.0.0.1, port 1080

  • Check SOCKS v5

  • Enable Proxy DNS when using SOCKS v5

3. Using Curl

Run:

curl --socks5 127.0.0.1:1080 http://target-site.com

Verifying the Connection

To check whether your traffic is routed through the SSH tunnel, run:

curl --socks5 127.0.0.1:1080 https://ipinfo.io/ip

This should return the IP of the remote SSH server instead of your local machine.

Closing the Tunnel

To terminate the SSH SOCKS proxy:

pkill -f "ssh -D"

Or manually find the process and kill it:

ps aux | grep ssh
kill [PID]
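
A more precise way to find these tunnels than grepping for "ssh", useful both for cleanup and for auditing a host for SOCKS listeners. This is an added example, not code from the original page: it walks an ssh argument vector (as read from /proc/<pid>/cmdline on Linux), reports every dynamic forward given with -D or -o DynamicForward, and flags those bound to a non-loopback address. Forwards defined only in ssh_config do not appear on the command line and are not covered.

```python
import re

# ssh(1) options that take an argument; needed to walk clustered flags such as -fND1080.
ARG_OPTS = set("bceilmopBDEFIJLOPQRSwW")
# None means no bind address was given: ssh then follows GatewayPorts (loopback by default).
LOOPBACK = {None, "localhost", "127.0.0.1", "::1"}


def argv_from_proc(raw: bytes) -> list:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode(errors="replace") for a in raw.rstrip(b"\0").split(b"\0")]


def split_spec(spec: str):
    """Split '[bind_address:]port' into (bind, port); bind is None when omitted."""
    bind, sep, port = spec.rpartition(":")
    return (bind.strip("[]") if sep else None), port


def dynamic_forwards(argv: list) -> list:
    """Return (bind, port, exposed) for every dynamic forward on one ssh command line."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    specs, seen_dest, i = [], False, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if len(tok) < 2 or tok[0] != "-":
            if seen_dest:        # a second bare word starts the remote command
                break
            seen_dest = True     # first bare word is the destination; options may follow
            continue
        for j, opt in enumerate(tok[1:], start=2):
            if opt not in ARG_OPTS:
                continue         # boolean flag such as -N or -f
            val = tok[j:]        # argument glued to the flag (-D1080) ...
            if not val and i < len(argv):
                val = argv[i]    # ... or supplied as the next argv element
                i += 1
            m = re.match(r"(?i)dynamicforward[=\s]+(\S+)", val) if opt == "o" else None
            if opt == "D":
                specs.append(val)
            elif m:
                specs.append(m.group(1))
            break
    return [(b, p, b not in LOOPBACK) for b, p in map(split_spec, specs)]
```

An entry with exposed set to True means the SOCKS port accepts connections from other machines, not just from the host running ssh.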

Last updated 2 months ago