LOCAL PORT FORWARDING

This allows access to a service inside the target network from the attacker's local machine by routing traffic through a compromised host (the pivot point). The ssh client opens a listening port on the attacker's machine; every connection to that port is carried over the SSH session and the pivot host connects it to the destination, so the destination address is resolved from the pivot's point of view.

//SYNTAX
ssh -L 8080:10.0.0.50:80 user@pivot-host

 * Attacker's machine: Runs the command (the ssh client)
 * pivot-host: A compromised machine inside the target network (e.g., a jump box) running an SSH server
 * 10.0.0.50:80: Internal service you want to access (e.g., web server), as seen from pivot-host, not from the attacker's machine
 * localhost:8080: Now reachable on your attacker machine → forwards to 10.0.0.50:80 (ssh binds the local port to loopback by default; use -L 0.0.0.0:8080:10.0.0.50:80 only if other hosts are meant to reach the tunnel)
root@oco:~$ ssh christine@10.129.22.40 -L 31173:127.0.0.1:5432
 christine@10.129.22.40's password: funnel123#!#
 
 * the ssh client (attacker machine) establishes a secure connection to the
   remote SSH server (target machine) and then listens for incoming
   connections on the attacker machine's loopback interface on port 31173.
    - when a client connects to 127.0.0.1:31173 on the attacker machine, the
      ssh client forwards the connection through the session and the SSH
      server on the target machine connects it to 127.0.0.1:5432. the
      destination address is interpreted on the target, so a service bound
      only to the target's loopback (unreachable from the attacker machine
      directly) becomes usable from the attacker machine as if it were
      running locally.
      
christine@funnel:~$ ss -tlpna
 State     Recv-Q  Send-Q  Local Address:Port   Peer Address:Port    Process
 LISTEN    0       4096    127.0.0.53%lo:53     0.0.0.0:*             
 LISTEN    0       128     0.0.0.0:22           0.0.0.0:*           
 LISTEN    0       4096    127.0.0.1:5432       0.0.0.0:*            
 LISTEN    0       4096    127.0.0.1:38617      0.0.0.0:*            
 ESTAB     0       0       10.129.22.40:22      10.10.14.215:46754  
 SYN-SENT  0       1       10.129.22.40:42680   8.8.8.8:53           
 LISTEN    0       32      *:21                 *:*                  
 LISTEN    0       128     [::]:22              [::]:*

 * what to look for: 5432 and 38617 are bound only to 127.0.0.1 on the target,
   so they cannot be reached from the attacker machine without the tunnel;
   22 (0.0.0.0 and [::]) and 21 (*) listen on all interfaces and need no
   forwarding. 127.0.0.53:53 is the systemd-resolved stub listener, and the
   SYN-SENT line is the target's own outbound DNS query to 8.8.8.8, not a
   service. the ESTAB line on port 22 is the attacker's SSH session itself.
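Picking the loopback-only listeners out of `ss -tlpna` by hand is error-prone once a host has more than a few sockets. The script below is an added example, not part of the original notes: it embeds the ss output from the pivot above as a constructed sample, extracts every LISTEN socket bound to a loopback address, and builds the matching `-L` arguments. The local port numbering (20000 + remote port), the function names and the `christine@10.129.22.40` target passed to it are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: turn `ss -tlpna` output captured on a pivot host into
# `ssh -L` arguments for every service that is reachable only via loopback.
set -eu

# Constructed sample input: the ss output shown above, embedded so the script
# runs offline. On a real engagement pipe in `ssh user@pivot ss -tlpna` instead.
SS_OUTPUT='State     Recv-Q  Send-Q  Local Address:Port   Peer Address:Port    Process
LISTEN    0       4096    127.0.0.53%lo:53     0.0.0.0:*
LISTEN    0       128     0.0.0.0:22           0.0.0.0:*
LISTEN    0       4096    127.0.0.1:5432       0.0.0.0:*
LISTEN    0       4096    127.0.0.1:38617      0.0.0.0:*
ESTAB     0       0       10.129.22.40:22      10.10.14.215:46754
SYN-SENT  0       1       10.129.22.40:42680   8.8.8.8:53
LISTEN    0       32      *:21                 *:*
LISTEN    0       128     [::]:22              [::]:*'

# loopback_listeners: print "host port" for each LISTEN socket whose local
# address is a loopback address (127.0.0.0/8 or [::1]). Sockets on 0.0.0.0,
# * or [::] are reachable directly from the network and are skipped.
loopback_listeners() {
  printf '%s\n' "$SS_OUTPUT" | awk '
    $1 == "LISTEN" {
      addr = $4
      # split on the last ":" so "[::1]:22" style addresses still parse
      n = match(addr, /:[0-9]+$/)
      if (n == 0) next
      host = substr(addr, 1, n - 1); port = substr(addr, n + 1)
      sub(/%.*/, "", host)            # drop an interface scope such as %lo
      if (host ~ /^127\./ || host == "[::1]") print host, port
    }'
}

# forward_args: one "-L <local>:<host>:<port>" per line. Local port is
# base + remote port (assumed scheme; 20000 keeps 38617 under 65535).
# The systemd-resolved stub on 127.0.0.53 is skipped: nothing to gain there.
forward_args() {
  local base=${1:-20000}
  local host port
  loopback_listeners | while read -r host port; do
    [ "$host" = "127.0.0.53" ] && continue
    printf -- '-L %d:%s:%d\n' "$((base + port))" "$host" "$port"
  done
}

# ssh_command: assemble the full client command line for a given user@pivot.
# -L binds to the attacker's loopback by default, so the tunnel entry points
# are not exposed to other hosts on the attacker's network.
ssh_command() {
  local target=$1 args
  args=$(forward_args | tr '\n' ' ')
  args=${args% }
  printf 'ssh %s %s\n' "$target" "$args"
}

ssh_command christine@10.129.22.40
```

Running it prints `ssh christine@10.129.22.40 -L 25432:127.0.0.1:5432 -L 58617:127.0.0.1:38617`; after that session is up, the target's loopback-only 5432 answers on the attacker machine at 127.0.0.1:25432. Add `-N` if you only want the tunnel and no remote shell.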
