SSH Local Port Forwarding
Local port forwarding binds a local port and forwards traffic through SSH to a destination on the remote network.
Syntax
ssh -L <local_port>:<destination>:<destination_port> user@pivot_host
| Parameter | Description |
|---|---|
| local_port | Port on your attack host to listen on |
| destination | Target host from the pivot’s perspective (often localhost) |
| destination_port | Port of the service you want to access |
Step-by-Step Instructions
Step 1: Identify the Target Service
Scan the pivot host to find services you want to access:
nmap -sT -p22,3306 10.129.202.64
Example output showing MySQL on port 3306 (closed externally but accessible locally):
PORT STATE SERVICE
22/tcp open ssh
3306/tcp closed mysql
Step 2: Create the SSH Tunnel
Forward the remote service to a local port:
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
This binds port 1234 on your attack host and forwards connections to MySQL (3306) on the remote host. The localhost in the command is resolved on the pivot host, not on your machine.
Step 3: Verify the Tunnel is Active
Option A: Using netstat
netstat -antp | grep 1234
Expected output:
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN 4034/ssh
Option B: Using nmap
nmap -sV -p1234 localhost
nmap should identify the forwarded service (e.g., MySQL 8.0.28).
Step 4: Access the Service Locally
Connect to the service through your local port:
# MySQL example
mysql -h 127.0.0.1 -P 1234 -u root -p
# Or run exploits against localhost:1234
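The netstat check from Step 3 can be turned into a small audit that lists every listener held by the ssh client and flags any bound beyond loopback. This is an added example, not part of the original page; the function names and all sample lines except the Step 3 listener are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list TCP listeners owned by the
# ssh client in `netstat -antp` output and classify their bind address.

# Constructed sample input; the first line is the listener shown in Step 3,
# the remaining lines are made up for illustration.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN 4034/ssh
tcp6 0 0 ::1:1234 :::* LISTEN 4034/ssh
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4051/ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 10.10.15.5:51022 10.129.202.64:22 ESTABLISHED 4034/ssh
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 990/mysqld'

# ssh_forward_listeners: read netstat -antp lines on stdin, print
# "<scope> <bind_addr> <port> <pid>" for each LISTEN socket held by `ssh`.
ssh_forward_listeners() {
    awk '
    $6 == "LISTEN" {
        # Column 7 is PID/program; require the client binary name exactly so
        # the sshd daemon on port 22 is not reported.
        split($7, owner, "/")
        if (owner[2] != "ssh") next

        # The port follows the last colon (also true for IPv6 like ::1:1234).
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)

        # -L binds loopback by default; any other address means the forward
        # is reachable by other hosts (bind_address given, or -g in use).
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, addr, port, owner[1]
    }'
}

# Return success (0) if any ssh-owned listener is bound beyond loopback.
has_exposed_forward() {
    ssh_forward_listeners | grep -q '^exposed '
}

printf '%s\n' "$SAMPLE_NETSTAT" | ssh_forward_listeners
```

On a live host, feed it real data with `netstat -antp | ssh_forward_listeners`; run it as root so the PID/program column is populated for all sockets.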
Forwarding Multiple Ports
Chain multiple -L arguments to forward several services at once:
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
This forwards:
- Remote MySQL (3306) → Local port 1234
- Remote HTTP (80) → Local port 8080
Example: Accessing Internal MySQL
Attack Host                          Pivot Host (Ubuntu)
10.10.15.5                           10.129.202.64
    │                                    │
    │  SSH tunnel (-L 1234:localhost:3306)
    │◄───────────────────────────────────┤
    │                                    │
localhost:1234 ◄──────────────► localhost:3306 (MySQL)
Commands:
# 1. Create tunnel
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
# 2. In another terminal, connect to MySQL
mysql -h 127.0.0.1 -P 1234 -u root -p
When to Use
- Access services bound to localhost on remote host
- Run local exploits against remote services
- Bypass firewall rules blocking direct access
- Debug/inspect traffic on specific ports
- Service enumeration with local tools