SSH Port forwarding

May 24, 2021   
network 
Also available in:  🇫🇷 


Introduction

During pentesting, in Capture The Flag, or simply for system administration, we may need to access ports on remote machines or remote networks.

In order to do this, we use a technique called "port forwarding" allowing access to previously unreachable ports. This technique can notably be useful to access services which run locally on the server (services listenning on 127.0.0.1 for example) in a secure manner without opening ports outside the machine. In this article, we'll take a look at port forwarding with SSH.

Port forwarding with SSH

To fully understand the direction in which SSH redirects are made, wee need to look at the point of view of the client from which you are connecting in SSH. So we have :

We will see in the following sections examples of different types of redirects, based on this test network:

In this network, the machine 192.168.1.1 and its SSH port 22 of the CORP network are publicly accessible on the domain name remote.corp.com.

Local port forwarding

Local port forwarding allows a client machine to access an open port on the SSH connection server, or a port on a machine that the SSH server can contact on the network. To perform local port forwarding, the syntax of the SSH command is as follows:

ssh -L [bind_address:]my_local_port:destination_ip:remoteserver_local_port user@remoteserver

Here are the details of the options of this command:

Let's see a practical example of local port forwarding in our test network:

Example 1

In this example we are going to redirect the local port 8000 of the machine 192.168.1.1 to the port 1234 of our machine via SSH. The command is therefore the following:

ssh -L 1234:127.0.0.1:8000 user@remote.corp.com

Remote port forwarding

Remote port forwarding allows a client machine of an SSH connection to redirect one of its ports to a port on the server, or to redirect a port of a network machine from the SSH server to a port local to the server. This can be useful for accessing services that run on machines in the server's network in a secure manner without opening ports to the outside the network.

To perform a remote port forwarding, the syntax of the SSH command is as follows:

ssh -R [bind_address:]my_local_port:remote_ip:remoteserver_local_port user@remoteserver

Here are the details of the options of this command:

Let's see a practical example of remote port forwarding in our test network:

Example 2

In this example we are going to redirect the remote port 8000 of the machine 192.168.1.2 to the local port 1234 of the server192.168.1.2 via SSH.

ssh -R 1234:192.168.1.2:8080 user@192.168.1.1

Exemple 3

Here is another example allowing to redirect the port 8000 of the machine192.168.1.2 to the port 1234 of the server of the SSH connection:

ssh -R 192.168.1.1:1234:192.168.1.2:8000 user@192.168.1.1

Dynamic port forwarding

Thanks to the ssh command it is also possible to perform dynamic port forwardings. To do this, during an SSH connection configured to perform this type of redirects, a port is opened on the client machine of the SSH connection to host a SOCKS proxy. Then we can use this proxy to connect to ports on the remote machine.

To initiate dynamic port forwarding, use the ssh command with the-D argument followed by the local port that will host the SOCKS proxy on your client machine:

ssh -D local_port user@remoteserver

Example 3

The following command is used to connect in SSH to the remote machine remote.corp.com (192.168.1.1) then to launch a SOCKS proxy on your local machine on port 8080:

ssh -D 8080 user@remote.corp.com

Then we can use this proxy in various tools to access the remote internal network of CORP.

References