Local Port Forward
Access remote service through local port.Example — Access Internal Web
Example — Access Internal DB
Remote Port Forward
Expose local service to remote network.Example — Expose Attacker Web Server
Dynamic Port Forward (SOCKS Proxy)
Background Tunnels
| Flag | Description |
|---|---|
-f | Background after auth |
-N | No remote command |
-L | Local forward |
-R | Remote forward |
-D | Dynamic (SOCKS) |
SSH Config for Pivoting
ProxyJump (SSH Jump Host)
Reverse SSH Tunnel (From Target)
Target initiates connection back to attacker.Kill Tunnel
Quick Reference
| Task | Command |
|---|---|
| Local forward | ssh -L 8080:INTERNAL:80 user@pivot |
| Remote forward | ssh -R 8888:127.0.0.1:80 user@pivot |
| SOCKS proxy | ssh -D 1080 user@pivot |
| Jump host | ssh -J user@pivot user@internal |
| Background | ssh -f -N -D 1080 user@pivot |