SSH Port Forwarding
During the process of lateral movement in a network, if the target machine is a Linux server, it is possible to perform network proxy operations using SSH, with dynamic forwarding being the most commonly used method.
There are three types of SSH port forwarding:
- Local forwarding (-L parameter)
- Remote forwarding (-R parameter)
- Dynamic forwarding (-D parameter)
Terminology used below:
- Attacker machine: the machine used by the attacker
- Target machine: the machine that the attacker needs to access, which cannot be reached directly
Local Forwarding
Local forwarding binds a port on the local host (the attacker machine) and forwards every connection made to it, through the SSH server in the middle (the target host), on to a port on a remote host (the target machine).
Local forwarding is specified with the -L parameter, in the format: ssh -L [attacker machine IP:]attacker machine port:target machine IP:target machine port user@target host
Consider the following scenario:
The attacker controls a Linux server (host2, the target host) from the attacker machine (host1) and has obtained account credentials on it. A further target machine (host3) sits in an internal network that host1 cannot reach directly. The topology is as follows:
In this scenario, how can host1 access host3?
Only through host2, which acts as an intermediary: host1 sends its traffic over the encrypted SSH session to host2, and host2 relays it on to host3.
Suppose host3 has a web service running on port 80, and host1 needs to access this web service. The following steps can be taken to achieve local port forwarding by establishing an SSH connection from host1 to host2:
Steps on host1
ssh -L 0.0.0.0:8888:10.10.10.129:80 user@host2
The above command maps port 80 of the target machine (host3) to port 8888 of the attacker machine (host1). Now the attacker can connect to port 8888 locally to reach port 80 of the target machine. Note that binding to 0.0.0.0 makes port 8888 reachable from any host that can reach host1, not only from host1 itself; bind to 127.0.0.1 unless that exposure is intended.
Remote Port Forwarding
In a scenario where host1 cannot reach host3 directly, but host2 can reach host3 and host2 can reach host1, remote port forwarding is used.
Steps on host2
ssh -R 0.0.0.0:8888:10.10.10.129:80 user@host1
The above command, run on host2, makes the SSH server on the attacker machine (host1) listen on port 8888 and forward each connection back through host2 to port 80 of the target machine (host3). Now the attacker can connect to port 8888 on host1 to reach port 80 of host3. Note that sshd only honours a bind address other than the loopback interface when GatewayPorts is set to yes or clientspecified in its sshd_config; with the default GatewayPorts no, port 8888 listens on 127.0.0.1 only.
Dynamic Port Forwarding
Dynamic forwarding is specified using the -D parameter, in the format: -D [local host:]local host port
Compared to the previous two methods, dynamic forwarding does not require specifying the remote host and port, and it uses the SOCKS protocol for data transmission.
Consider the following scenario:
The attacker controls a Linux server (host2, the target host) from the attacker machine (host1) and has obtained account credentials on it. A further target machine (host3) sits in an internal network that host1 cannot reach directly. The topology is as follows:
Steps on the attacker machine (host1)
ssh -D 127.0.0.1:8888 user@host2
The above command creates a SOCKS proxy on host1, and every connection sent through this SOCKS proxy is forwarded through host2. Each such connection reaches host2's sshd as a direct-tcpip channel request, so the AllowTcpForwarding setting on host2 decides whether it is allowed.
How to use it?
- Use Firefox browser and set the SOCKS5 proxy to 127.0.0.1:8888. Then, the browser can access any IP within the network where host2 is located.
- For a command-line application, use proxychains-ng. The following commands can be used as a reference (macOS with Homebrew; the binary installed by proxychains-ng is named proxychains4):
brew install proxychains-ng
Edit the configuration file:
vim /usr/local/etc/proxychains.conf   # add "socks5 127.0.0.1 8888" under the [ProxyList] section
Access the target network:
proxychains4 wget http://10.10.10.129   # prefix the command with proxychains4
Common parameters for building SSH tunnels:
- -C: Enable compression for faster transmission
- -f: Run in the background
- -N: Do not execute a remote command; only set up the forwarding
- -g: Allow remote hosts to connect to the locally forwarded ports
- -L: Local port forwarding
- -R: Remote port forwarding
- -D: Dynamic forwarding (SOCKS proxy)
- -p: Specify the SSH connection port
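The client flags above only work if the SSH server in the middle allows them: sshd's AllowTcpForwarding decides whether -L/-D (direct-tcpip channels) and -R (tcpip-forward requests) are honoured, GatewayPorts decides whether a -R listener may bind anything other than the loopback interface, and PermitOpen restricts the destinations of -L/-D channels. The following audit script is an added example for this article, not code from the original page or from OpenSSH. It parses the global section of an sshd_config the way sshd does (keywords are case-insensitive, keyword and value are separated by whitespace or "=", "#" starts a comment, the first occurrence of a keyword wins, and values inside Match blocks are conditional rather than global) and reports what a connecting client would be able to do. The two configurations at the bottom are constructed samples.

```python
"""Audit the global section of an OpenSSH sshd_config for the settings that
decide whether -L, -R and -D forwarding will work against this server.

Added example for this article; not code from the original page or from
OpenSSH. Parsing follows sshd's rules: keywords are case-insensitive,
keyword and value are separated by whitespace or '=', '#' starts a
comment, and the FIRST occurrence of a keyword wins. Values inside Match
blocks apply only to matching users/hosts, so global parsing stops there.
"""
import re

# OpenSSH defaults for the keywords that govern client port forwarding.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # yes | no | local | remote
    "gatewayports": "no",         # no | yes | clientspecified
    "permitopen": "any",          # "any", "none" or host:port patterns
}

def parse_global(config_text):
    """Return {lowercase keyword: first value} for the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                          # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                             # conditional section begins
        settings.setdefault(key, value)       # first occurrence wins
    return settings

def assess(settings):
    """Translate the settings into what a connecting client may do."""
    def get(key):
        return settings.get(key, DEFAULTS[key]).lower()

    tcp = get("allowtcpforwarding")
    # -L and -D both open direct-tcpip channels: "local" forwarding.
    local_ok = tcp in ("yes", "local")
    # -R sends a tcpip-forward global request: "remote" forwarding.
    remote_ok = tcp in ("yes", "remote")
    return {
        "local_and_dynamic_forwarding": local_ok,
        "remote_forwarding": remote_ok,
        # A -R listener on 0.0.0.0 is only honoured with GatewayPorts
        # yes/clientspecified; otherwise sshd binds the loopback address.
        "remote_listener_may_bind_all_interfaces":
            remote_ok and get("gatewayports") != "no",
        # PermitOpen restricts the destinations of -L/-D channels.
        "permitopen": settings.get("permitopen", DEFAULTS["permitopen"]),
    }

# Constructed sample: a permissive server with a misleading later override.
PERMISSIVE_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
AllowTcpForwarding no     # ignored by sshd: first occurrence wins
Match User backup
    AllowTcpForwarding no # conditional, so not global policy
"""

# Constructed sample: a host that should not be usable as a pivot.
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(name, assess(parse_global(text)))
```

Run it against a real file with parse_global(open("/etc/ssh/sshd_config").read()); the first-occurrence rule is the detail most often missed when a hardening line is appended at the end of a file that already sets AllowTcpForwarding earlier.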
Experimental Environment Setup
Environment Configuration
- Attacker machine (host1): 17.1.26.131
- Target host (host2, with one interface in each network): 17.1.26.133 and 10.10.10.130
- Target machine (host3): 10.10.10.129
Local Port Forwarding
Execute the following command on the attacker machine (host1):
ssh -L 8888:10.10.10.129:80 user@17.1.26.133
Check the port status on the attacker machine (host1): port 8888 is now listening (without an explicit bind address, -L listens on the loopback interface only).
Open a browser on host1 and access http://127.0.0.1:8888/123.asp to check whether the forwarding works.
Remote Port Forwarding
The environment is the same as before. Enter the following command on the target host (host2):
ssh -R 8888:10.10.10.129:80 user@17.1.26.131
Back on host1, check with netstat -tnlp that port 8888 is now open.
Then open a browser on host1 and access http://127.0.0.1:8888/123.asp to check whether the forwarding works.
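The netstat -tnlp check used above is also how a defender spots these tunnels on a host: a -L or -D listener appears on the client as a LISTEN socket owned by the ssh process, and a -R listener appears on the server as a LISTEN socket owned by sshd on a port other than the one sshd serves on. The parser below is an added example for this article, not code from the original page; it reads netstat's column layout (not the differing layout of ss -tnlp), classifies ssh/sshd listeners, and flags those bound to a non-loopback address as reachable from other hosts. The sample output is constructed to look like host1 after the -R experiment above and a -D 55555 session, with "user" as a placeholder account name.

```python
"""Find SSH port-forwarding listeners in `netstat -tnlp` output.

Added example for this article, not code from the original page. A -L or
-D listener shows up on the client as a LISTEN socket owned by `ssh`;
a -R listener shows up on the server as a LISTEN socket owned by `sshd`
on a port other than the one sshd serves on.
"""

# Constructed sample in netstat's column layout (not captured output).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      4021/sshd: user
tcp        0      0 127.0.0.1:55555         0.0.0.0:*               LISTEN      4102/ssh
tcp6       0      0 :::80                   :::*                    LISTEN      901/nginx
"""

def parse_netstat(output):
    """Return one dict per LISTEN socket: addr, port, program."""
    sockets = []
    for line in output.splitlines():
        parts = line.split(None, 6)           # program name may contain spaces
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                          # header or non-TCP line
        local, state = parts[3], parts[5]
        if state != "LISTEN":
            continue
        addr, port = local.rsplit(":", 1)     # also handles ":::80"
        program = ""
        if len(parts) == 7 and "/" in parts[6]:
            program = parts[6].split("/", 1)[1]   # strip the PID
        sockets.append({"addr": addr, "port": int(port), "program": program})
    return sockets

def is_loopback(addr):
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 as printed by netstat."""
    return addr == "::1" or addr.startswith("127.")

def find_forwarders(sockets, sshd_port=22):
    """Classify ssh/sshd listeners other than the SSH service itself."""
    findings = []
    for s in sockets:
        prog = s["program"]
        if prog == "ssh" or prog.startswith("ssh "):
            kind = "client listener (-L or -D)"
        elif prog.startswith("sshd"):
            if s["port"] == sshd_port:
                continue                      # the SSH service itself
            kind = "server-side listener (-R from a connected client)"
        else:
            continue
        findings.append({"port": s["port"], "kind": kind,
                         "exposed": not is_loopback(s["addr"])})
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for f in find_forwarders(parse_netstat(SAMPLE_NETSTAT)):
        print(f)
```

On a live host, feed it the real output with parse_netstat(subprocess.run(["netstat", "-tnlp"], capture_output=True, text=True).stdout); the program column is only filled for processes the caller may inspect, so run it with sufficient privileges or the sshd entries will be blank and skipped.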
Dynamic Port Forwarding
The environment is the same as before. Execute the following command on the attacker machine (host1) and enter the SSH login password:
ssh user@17.1.26.133 -D 55555
Check the port status on the attacker machine (host1): port 55555 is listening on 127.0.0.1.
Set the browser's SOCKS proxy on the attacker machine (host1) to 127.0.0.1:55555.
Access http://10.10.10.129/123.asp directly in the browser on the attacker machine (host1).