SSH Local Port Forwarding

Local port forwarding binds a local port and forwards traffic through SSH to a destination on the remote network.

Syntax

ssh -L <local_port>:<destination>:<destination_port> user@pivot_host

Parameter          Description
local_port         Port on your attack host to listen on
destination        Target host from the pivot’s perspective (often localhost)
destination_port   Port of the service you want to access

Step-by-Step Instructions

Step 1: Identify the Target Service

Scan the pivot host to find services you want to access:

nmap -sT -p22,3306 10.129.202.64

Example output showing MySQL on port 3306 (closed externally but accessible locally):

PORT     STATE  SERVICE
22/tcp   open   ssh
3306/tcp closed mysql

Step 2: Create the SSH Tunnel

Forward the remote service to a local port:

ssh -L 1234:localhost:3306 ubuntu@10.129.202.64

This binds local port 1234 and forwards traffic to MySQL (3306) on the remote host.

Step 3: Verify the Tunnel is Active

Option A: Using netstat

netstat -antp | grep 1234

Expected output:

tcp   0   0 127.0.0.1:1234   0.0.0.0:*   LISTEN   4034/ssh

Option B: Using nmap

nmap -sV -p1234 localhost

The scan should identify the forwarded service (e.g., MySQL 8.0.28).

Step 4: Access the Service Locally

Connect to the service through your local port:

# MySQL example
mysql -h 127.0.0.1 -P 1234 -u root -p

# Or run exploits against localhost:1234
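
The netstat check from Step 3, as an added example (not from the original page): a shell function that reads `netstat -antp` output, lists every listener owned by an ssh client, and marks whether each is bound to loopback or to an address other hosts can reach, which happens when the forward is created with ssh's `-g` option or an explicit bind address. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP listeners owned by an ssh client in netstat output
# and classify each by bind address. Names here are illustrative assumptions.

# Reads `netstat -antp` output on stdin.
# Prints one line per ssh-owned listener: "<port> <scope> <pid>".
ssh_forward_listeners() {
    awk '
        # Only LISTEN sockets whose owner is exactly "ssh" (not sshd).
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ "^[0-9]+/ssh$" {
            n = split($4, part, ":")      # port is the last ":"-separated piece
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback binds are reachable only from this host.
            scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
            split($7, owner, "/")
            print port, scope, owner[1]
        }'
}

# Constructed sample: the page's 1234 forward, plus a second forward bound
# to all interfaces, the sshd daemon, and the established SSH session.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4034/ssh
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4034/ssh
tcp6       0      0 ::1:1234                :::*                    LISTEN      4034/ssh
tcp        0      0 10.10.15.5:51234        10.129.202.64:22        ESTABLISHED 4034/ssh
EOF
}

sample_netstat | ssh_forward_listeners
```

On a live host, pipe real output into the function: `netstat -antp 2>/dev/null | ssh_forward_listeners`. Without root, netstat shows the owning PID only for your own processes.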

Forwarding Multiple Ports

Chain multiple -L arguments to forward several services at once:

ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

This forwards:

  • Remote MySQL (3306) → Local port 1234
  • Remote HTTP (80) → Local port 8080

Example: Accessing Internal MySQL

Attack Host                      Pivot Host (Ubuntu)
10.10.15.5                       10.129.202.64
    │                                  │
    │ SSH tunnel (-L 1234:localhost:3306)
    │◄─────────────────────────────────┤
    │                                  │
localhost:1234  ◄──────────────►  localhost:3306 (MySQL)

Commands:

# 1. Create tunnel
ssh -L 1234:localhost:3306 ubuntu@10.129.202.64

# 2. In another terminal, connect to MySQL
mysql -h 127.0.0.1 -P 1234 -u root -p

When to Use

  • Access services bound to localhost on remote host
  • Run local exploits against remote services
  • Bypass firewall rules blocking direct access
  • Debug/inspect traffic on specific ports
  • Service enumeration with local tools