
SSH Local Port Forwarding

Understanding SSH Local Port Forwarding

SSH local port forwarding allows you to create a secure tunnel between your local machine and a remote system, forwarding traffic from a local port to a destination through the SSH connection. This is useful when you need to access services on a remote network that are not directly reachable.

How It Works

  1. An SSH connection is established between the client and the server.

  2. The client opens a local listening port.

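  3. Traffic sent to this local port is carried through the encrypted SSH connection to the server, which then connects to the specified destination on the client's behalf. Only the client-to-server leg is protected by SSH; the hop from the SSH server to the destination uses whatever protection the forwarded protocol itself provides.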

Command Syntax

To create an SSH local port forward, use the following command:

ssh -N -L [LOCAL_IP:LOCAL_PORT]:[TARGET_IP:TARGET_PORT] [USER]@[SSH_SERVER]

Explanation:

  • -N: Tells SSH not to execute a remote command, so the session is used only for forwarding and stays open until it is terminated.

  • -L: Specifies local port forwarding.

  • [LOCAL_IP:LOCAL_PORT]: The IP and port where traffic will be received on the client machine.

  • [TARGET_IP:TARGET_PORT]: The destination where traffic will be forwarded.

  • [USER]@[SSH_SERVER]: The account name and address of the SSH server facilitating the tunnel.

Example Use Case

Imagine you need to access an internal service running on port 445 of a remote machine, but it is only accessible from within the network. You can forward this port to your local machine like this:

ssh -N -L 0.0.0.0:4242:172.16.50.10:445 user@ssh-server

Breakdown:

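  • 0.0.0.0:4242: Port 4242 on your local machine will now listen for incoming connections. Because the bind address is 0.0.0.0, the listener is on every interface, so any host that can reach your machine on port 4242 can also use the tunnel. Bind to 127.0.0.1 instead when only local access is needed.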

  • 172.16.50.10:445: The traffic is forwarded to port 445 on the internal network host.

  • user@ssh-server: The SSH account and server address used to establish the tunnel.

Once this command is executed, any connection made to localhost:4242 on your machine is securely forwarded to 172.16.50.10:445 via the SSH tunnel.

Verifying the Tunnel

After setting up the SSH tunnel, you can check if the port is listening using:

ss -ntplu | grep 4242

This should show the local port as open and listening.

You can then interact with the forwarded service as if it were running locally.
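
The check above only confirms that something is listening. As an added example (not part of the original page), the script below reads `ss -ntlp` output and reports which listeners belong to the ssh client and whether each one is bound to loopback or exposed on other interfaces. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listeners created by ssh -L forwards.
# Input: output of `ss -ntlp` on stdin (TCP only, so the local address is
# field 4 and the owning process is the last field).

classify_ssh_forwards() {
    awk '
    # Only LISTEN rows owned by the ssh client; "sshd" does not match
    # because the pattern requires the closing quote right after ssh.
    $1 == "LISTEN" && $NF ~ /\(\("ssh",/ {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host ~ /^127\./ || host == "[::1]")
            print "LOOPBACK " host " " port
        else
            print "EXPOSED " host " " port    # 0.0.0.0, [::], * or a LAN IP
    }'
}

# Constructed sample of `ss -ntlp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:4242       0.0.0.0:*         users:(("ssh",pid=4711,fd=4))
LISTEN 0      128    127.0.0.1:8445     0.0.0.0:*         users:(("ssh",pid=4712,fd=5))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      128    [::1]:8445         [::]:*            users:(("ssh",pid=4712,fd=4))
EOF
}

# Run against the sample. On a live host use: ss -ntlp | classify_ssh_forwards
# (ss shows the process column only for your own processes unless run as root).
sample_ss_output | classify_ssh_forwards
```

An EXPOSED line for a forward that was meant for local use only means the tunnel should be re-created with a 127.0.0.1 bind address.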

Closing the Tunnel

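To close the SSH tunnel, terminate the SSH session by pressing Ctrl+C, or kill the process from another shell. The command below matches every ssh process whose command line contains "ssh -N -L", so it closes all such tunnels at once: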

kill $(pgrep -f "ssh -N -L")


Last updated 2 months ago