SSH Dynamic Port Forwarding with SOCKS
Dynamic port forwarding (ssh -D) turns the SSH client into a local SOCKS proxy. Every TCP connection a tool sends to that proxy is carried over the SSH session and opened from the pivot host, so tools on your attack host can reach an entire network that only the pivot can see, without any per-port forwards.
Syntax
ssh -D <local_port> user@pivot_host
| Parameter | Description |
|---|---|
| local_port | Port on your attack host where the SOCKS proxy listens (bound to 127.0.0.1 by default) |
| user@pivot_host | SSH credentials and address of the host that can see the internal network |
Step-by-Step Instructions
Step 1: Identify the Pivot Host
First, confirm the pivot host has access to the internal network:
# SSH into the pivot host
ssh ubuntu@10.129.202.64
# Check network interfaces (ifconfig needs net-tools; `ip a` works where it is missing)
ifconfig
Look for multiple NICs (e.g., one facing you, one facing internal network):
ens192: inet 10.129.202.64   <- your connection
ens224: inet 172.16.5.129    <- internal network (172.16.5.0/23)
Step 2: Start the SOCKS Proxy
On your attack host, create the dynamic tunnel:
ssh -D 9050 ubuntu@10.129.202.64
This starts a SOCKS listener on localhost:9050 on the attack host; OpenSSH's -D speaks both SOCKS4 and SOCKS5. Connections accepted by the proxy are tunneled over SSH and exit from the pivot, so internal hosts see the pivot's address (172.16.5.129) as the source. Add -N (no remote shell) and -f (background) if you only want the tunnel, and keep the session open for as long as you need the proxy.
Step 3: Configure Proxychains
Edit the proxychains configuration:
sudo nano /etc/proxychains.conf
Ensure the last line (under [ProxyList]) matches your SOCKS port. socks4 works with OpenSSH, but socks5 is the better choice: SOCKS4 only carries IPv4 addresses, so hostname lookups still happen on your attack host, whereas with socks5 and proxy_dns enabled proxychains resolves names through the tunnel instead of leaking them:
socks4 127.0.0.1 9050
Step 4: Scan the Internal Network
Use proxychains to route nmap through the tunnel:
# Host discovery (unreliable through SOCKS: nmap's ICMP/ARP probes are raw packets that never
# enter the tunnel, only its TCP probes do, so treat the result as partial)
proxychains nmap -v -sn 172.16.5.1-200
# Full port scan on specific target
proxychains nmap -v -Pn -sT 172.16.5.19
Example output:
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:445-<><>-OK
Discovered open port 445/tcp on 172.16.5.19
Discovered open port 3389/tcp on 172.16.5.19
Step 5: Access Internal Services
Use any tool through proxychains:
# RDP to internal Windows host
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
# Run Metasploit through the proxy
proxychains msfconsole
# Web requests
proxychains curl http://172.16.5.19
Network Diagram
Attack Host (10.10.15.5)          Pivot Host                        Internal Network
                                  10.129.202.64 (ens192)            172.16.5.0/23
                                  172.16.5.129  (ens224)

proxychains --> 127.0.0.1:9050 ==SSH tunnel==> sshd on pivot --> Windows DC:  172.16.5.19
                (SOCKS proxy)                                   Web Server:  172.16.5.50

Can reach: 172.16.5.1-254 (connections leave the pivot sourced from 172.16.5.129)
SOCKS Protocol Versions
| Version | Authentication | UDP Support | Remote DNS |
|---|---|---|---|
| SOCKS4 | No | No | No (only the SOCKS4a extension accepts hostnames) |
| SOCKS5 | Yes (username/password, GSSAPI) | Yes (UDP ASSOCIATE) | Yes |
OpenSSH's -D accepts both SOCKS4 and SOCKS5 clients but implements only the CONNECT command: UDP ASSOCIATE is not supported, so UDP traffic (DNS, SNMP, NTP) does not cross the tunnel whichever version proxychains is configured to speak.
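To make concrete what proxychains does to each tool in Steps 2-5 and what the SOCKS4/SOCKS5 difference in the table means on the wire, here is an added example (not code from this page, OpenSSH or proxychains). It implements the SOCKS5 client handshake a tool's connect() is rewritten into, builds a SOCKS4 CONNECT for comparison, and runs the client against a toy SOCKS5 server that stands in for the sshd end of ssh -D and an echo service that stands in for an internal host. All listeners, ports, the "localhost" target name and the payload are constructed for the demo; the real tunnel, the pivot and the internal network are assumed, not reproduced.

```python
import socket
import struct
import threading

# RFC 1928 (SOCKS5) wire constants; SOCKS4 is the older 9-byte request built below
SOCKS5_VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x00, 0x01, 0x01, 0x03, 0x04

def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS messages are fixed-layout, so a short read means the peer quit."""
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) < n:
        raise ConnectionError("peer closed the connection mid-handshake")
    return buf

def build_socks4_request(dest_ip, dest_port, user_id=b""):
    """SOCKS4 CONNECT carries only a 4-byte IPv4 address, so with 'socks4' the client resolves names itself."""
    return struct.pack("!BBH4s", 0x04, CMD_CONNECT, dest_port, socket.inet_aton(dest_ip)) + user_id + b"\x00"

def socks5_connect(proxy_host, proxy_port, dest_host, dest_port):
    """What proxychains does to a tool's connect(): negotiate no-auth, then CONNECT. The target
    goes as a domain name (ATYP 0x03) so the proxy end, not the attack host, does the DNS lookup."""
    s = socket.create_connection((proxy_host, proxy_port))
    s.sendall(bytes([SOCKS5_VER, 1, NO_AUTH]))      # greeting: one auth method offered
    ver, method = recv_exact(s, 2)
    if ver != SOCKS5_VER or method != NO_AUTH:
        s.close()
        raise ConnectionError(f"method negotiation failed: {ver:#x}/{method:#x}")
    name = dest_host.encode()
    s.sendall(bytes([SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", dest_port))
    _ver, rep, _rsv, atyp = recv_exact(s, 4)
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp) or recv_exact(s, 1)[0]   # BND.ADDR size by type
    recv_exact(s, addr_len + 2)                     # swallow BND.ADDR + BND.PORT
    if rep != 0x00:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT refused, reply code {rep:#x}")
    return s

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst; the proxy runs one per direction."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def serve(listener, handler):
    """Accept loop in a daemon thread, one handler thread per connection; ends when listener is closed."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def handle_socks5(client):
    """Constructed stand-in for the sshd end of ssh -D: no auth, CONNECT only, name lookup done here."""
    _ver, nmethods = recv_exact(client, 2)
    recv_exact(client, nmethods)
    client.sendall(bytes([SOCKS5_VER, NO_AUTH]))
    _ver, _cmd, _rsv, atyp = recv_exact(client, 4)
    if atyp == ATYP_DOMAIN:
        host = socket.gethostbyname(recv_exact(client, recv_exact(client, 1)[0]).decode())
    else:
        host = socket.inet_ntoa(recv_exact(client, 4))       # toy: IPv4 only
    port = struct.unpack("!H", recv_exact(client, 2))[0]
    try:
        upstream, rep = socket.create_connection((host, port)), 0x00
    except OSError:
        upstream, rep = None, 0x05                           # 0x05 = connection refused
    client.sendall(bytes([SOCKS5_VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6)
    if upstream is None:
        client.close()
        return
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)

def demo(payload=b"hello through socks\n"):
    """Reach a constructed echo 'internal service' by name through the toy proxy; return the echoed
    bytes and whether a CONNECT to a closed port came back as a SOCKS refusal rather than hanging."""
    echo_l = socket.create_server(("127.0.0.1", 0))
    proxy_l = socket.create_server(("127.0.0.1", 0))
    serve(echo_l, lambda c: _pump(c, c))
    serve(proxy_l, handle_socks5)
    proxy_port = proxy_l.getsockname()[1]
    s = socks5_connect("127.0.0.1", proxy_port, "localhost", echo_l.getsockname()[1])
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                 # our EOF propagates through both pumps
    echoed = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    with socket.create_server(("127.0.0.1", 0)) as closed:   # grab a port, then free it
        closed_port = closed.getsockname()[1]
    try:
        refused = socks5_connect("127.0.0.1", proxy_port, "127.0.0.1", closed_port) is None
    except ConnectionError:
        refused = True
    echo_l.close()
    proxy_l.close()
    return echoed, refused
```

Calling demo() returns the echoed payload and True. The point to take away is in handle_socks5: the hostname arrives at the proxy and is resolved there, which is the "remote DNS" column of the table; build_socks4_request shows why a socks4 entry in proxychains.conf cannot do that, since the request has room only for a resolved IPv4 address.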
Important Limitations
Full TCP Connect Scans Only
Proxychains works by preloading a library that hooks the libc connect() call. A SYN scan (-sS) writes raw packets that never pass through connect(), so they leave your attack host directly instead of entering the tunnel and never reach the target. Use -sT (full connect) not -sS:
# Correct
proxychains nmap -sT -Pn 172.16.5.19
# Wrong - raw SYN packets bypass the proxy, so every port looks filtered or the scan errors out
proxychains nmap -sS 172.16.5.19
Windows Host Scanning
Windows Defender Firewall drops ICMP echo requests by default, and ICMP cannot be carried over a SOCKS proxy in any case, so nmap's ping-based host discovery will report the host as down and skip it. Always use -Pn to skip host discovery:
proxychains nmap -v -Pn -sT 172.16.5.19
Performance
Every port probe is a full TCP handshake relayed through the SSH session, so scans over proxychains are far slower than direct ones. Limit the port list (-p or --top-ports) and focus on:
- Individual hosts
- Small IP ranges
- Known-alive targets
Example Workflows
Scanning and Enumerating RDP
# Step 1: Start SOCKS proxy
ssh -D 9050 ubuntu@10.129.202.64
# Step 2: Scan for RDP
proxychains nmap -v -Pn -sT -p3389 172.16.5.19
# Step 3: Use Metasploit to enumerate
proxychains msfconsole
msf6 > use auxiliary/scanner/rdp/rdp_scanner
msf6 > set rhosts 172.16.5.19
msf6 > run
[*] 172.16.5.19:3389 - Detected RDP on 172.16.5.19:3389 (name:DC01) (domain:DC01) (os_version:10.0.17763)
# Step 4: Connect via RDP
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
SMB Enumeration
proxychains smbclient -L //172.16.5.19 -U 'domain\user'
proxychains crackmapexec smb 172.16.5.19 -u user -p password
When to Use
- Scanning networks not directly reachable
- Accessing multiple services on internal network
- Pivoting through NAT'd networks
- Hiding source IP (target sees pivot host IP)
- Running multiple tools against internal targets