During a penetration test, it is possible to come across networks that you know exist but just can’t reach directly. When that happens, testers need a way to pivot into these networks and keep the assessment moving.
SSH tunneling is one of the techniques that can be used to route traffic through a compromised system to access these new networks.
What is SSH Tunneling?
At its core, SSH tunneling allows users to forward network traffic through an SSH connection.
This means that, instead of accessing a service directly, traffic is sent through an intermediary host. This is particularly useful for penetration testers, who often need to access other networks they are not connected to and have no route to.
SSH tunneling works by forwarding traffic from a local port on the attacker’s machine to a specified destination, making it seem as if the connection originates from the SSH server rather than the attacker’s own system.
This can be leveraged to access web applications, RDP sessions, and other internal services that are otherwise restricted.
How does SSH tunneling help pentesters access services in other networks?
Pen testers frequently encounter situations where their target organisation has internal services that are not exposed to the internet. If they manage to gain SSH access to an internal system, they can use SSH tunneling to pivot into the internal network and reach those services.
For example, if an internal web server is only accessible within the organisation’s network, but the tester has SSH access to a jump box with access to the network, SSH tunneling would allow them to route their traffic through the jump box and access the web server as if they were inside the internal network.
By using SSH tunneling, penetration testers can:
- Bypass firewall rules that restrict external access
- Access internal-only services without modifying firewall configurations
- Pivot from one compromised system to others inside the network
Now, let’s explore two key types of SSH tunneling: static port forwarding and dynamic port forwarding.
Our environment

What is static port forwarding – and how can we do it?
Static port forwarding allows an attacker to forward traffic from a local port on their machine to a specific destination inside the target network.
This is useful when the tester knows the exact internal service they want to reach.
For example, if a penetration tester has SSH access to a machine with the ability to access an internal web service running on port 80 at 50.50.50.101, they can set up a static SSH tunnel like this:

Breaking it down:
- -L specifies local port forwarding
- 90 is the port on the attacker’s machine that will forward traffic
- 50.50.50.101:80 is the destination inside the internal network
- User1@10.10.10.137 is the SSH server that acts as the intermediary
Now, the tester can access the internal web service by navigating to http://localhost:90 in their browser.

What is dynamic port forwarding – and how can we do it?
Dynamic port forwarding is more flexible than static forwarding because we can create a SOCKS proxy that can forward traffic to multiple internal services, rather than just one predefined destination.
Using dynamic port forwarding, a pentester can set up a proxy that allows them to route traffic from tools like their web browser or proxychains through the internal network.
This is especially useful when the tester does not know all the internal services available, but wants to explore them dynamically.
To start a dynamic SSH tunnel, a pentester can run:

Breaking it down:
- -D specifies dynamic port forwarding
- 1080 is the local port where the SOCKS proxy will listen
- User1@10.10.10.137 is the SSH server acting as the intermediary
Once this command is executed, any application that supports SOCKS proxies (such as a web browser or Nmap) can be configured to route traffic through the local port of 1080, allowing the tester to tunnel their traffic through 10.10.10.137 and access internal services as if they were inside the network.
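For defenders reviewing process listings or command-line audit logs, both forwarding types leave the same kind of trace: an ssh client started with -L or -D (or the equivalent -o option). The following is an added example, not part of the original article, that extracts those forwards from ssh command lines; the function name and the sample lines are constructed for illustration, with the first two samples following the breakdowns above.

```python
import shlex

TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")  # ssh(1) options that consume an argument
KIND = {"L": "static", "D": "dynamic", "R": "remote"}
CONFIG_KEY = {"localforward": "L", "dynamicforward": "D", "remoteforward": "R"}

def find_forwards(cmdline):
    """Return [(kind, spec), ...] for every port forward an ssh command line requests."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, host_seen, i = [], False, 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            if host_seen:
                break              # second bare word starts the remote command
            host_seen = True       # ssh keeps parsing options after the host
            continue
        j = 1
        while j < len(arg):        # walk a cluster such as -fNL90:host:80
            flag = arg[j]
            j += 1
            if flag not in TAKES_ARG:
                continue           # plain switch (-f, -N, ...): keep scanning
            value = arg[j:]        # attached form: -L90:host:80
            if not value and i < len(argv):
                value = argv[i]    # separate form: -L 90:host:80
                i += 1
            if flag in KIND:
                found.append((KIND[flag], value))
            elif flag == "o":      # -o LocalForward=... or -o "DynamicForward 1080"
                key, _, val = value.replace("=", " ", 1).partition(" ")
                if key.lower() in CONFIG_KEY:
                    found.append((KIND[CONFIG_KEY[key.lower()]], val.strip()))
            break                  # an option argument ends the cluster
    return found

# Constructed process-listing samples; the first two follow the article's breakdowns.
SAMPLES = [
    "ssh -L 90:50.50.50.101:80 User1@10.10.10.137",
    "ssh -D 1080 User1@10.10.10.137",
    "/usr/bin/ssh -p 22 User1@10.10.10.137 -fNL90:50.50.50.101:80",
    "ssh -o DynamicForward=1080 User1@10.10.10.137",
    "ssh User1@10.10.10.137 ls -L /tmp",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(find_forwards(line) or "no forwarding", "<-", line)
```

Forwards defined in a client configuration file or opened from an already running session do not appear on the command line, so this check complements network and sshd-side monitoring rather than replacing it.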
Results without tunneling traffic through port 1080

Results with tunneling traffic through port 1080

This shows that it is now possible to access previously inaccessible services by using the proxychains command to tunnel our traffic through the intermediary device, which is providing a pivot into the new network.
As long as tools are compatible with proxychains, they can be used to access, scan, and attack any system or service within the 50.50.50.0/24 network range.
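Whether the intermediary can be used this way is decided by its sshd settings: static and dynamic forwarding both ask the server to open an outbound TCP channel, which AllowTcpForwarding, PermitOpen and DisableForwarding control. The following is an added example, not part of the original article, that evaluates effective settings in the style of `sshd -T` output against the article's destinations; the three configurations and the function names are constructed for illustration.

```python
def parse_effective(text):
    """Parse `sshd -T` style output (lower-case 'keyword value' lines) into a dict."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf[key] = value.strip()
    return conf

def permits_direct_tcpip(conf, host, port):
    """Would sshd open a channel to host:port, as -L and -D forwarding both require?"""
    if conf.get("disableforwarding", "no") == "yes":
        return False
    if conf.get("allowtcpforwarding", "yes") not in ("yes", "all", "local"):
        return False
    rules = conf.get("permitopen", "any").split()
    if "any" in rules:
        return True
    for rule in rules:                # each rule is host:port; '*' matches anything
        r_host, _, r_port = rule.rpartition(":")
        if r_host in ("*", host) and r_port in ("*", str(port)):
            return True
    return False                      # covers 'permitopen none' and unlisted targets

# Constructed effective configurations for the intermediary (10.10.10.137).
DEFAULT_CFG = "allowtcpforwarding yes\npermitopen any\ndisableforwarding no\n"
RESTRICTED_CFG = "allowtcpforwarding local\npermitopen 50.50.50.101:80\ndisableforwarding no\n"
LOCKED_CFG = "allowtcpforwarding no\npermitopen any\ndisableforwarding no\n"

# Destinations: the article's web server, plus a second constructed host in 50.50.50.0/24.
TARGETS = [("50.50.50.101", 80), ("50.50.50.102", 445)]

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("restricted", RESTRICTED_CFG),
                      ("locked", LOCKED_CFG)):
        conf = parse_effective(cfg)
        for host, port in TARGETS:
            verdict = "allowed" if permits_direct_tcpip(conf, host, port) else "refused"
            print(f"{name:10} {host}:{port:<4} {verdict}")
```

With the restricted configuration, a SOCKS proxy opened with -D can still only reach 50.50.50.101:80, because the server applies PermitOpen to every channel request. The sshd_config(5) manual notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.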
Conclusion
SSH tunneling is a powerful technique that allows penetration testers to access internal services securely and discreetly.
By using static port forwarding, they can reach specific internal systems, while dynamic port forwarding provides broader access via a SOCKS proxy. These techniques are invaluable for pivoting inside a network, bypassing firewalls, and maintaining stealth during assessments.
Want to discover more? Head to our YouTube channel for a North Green video tutorial – SSH Tunnelling Explained: Static & Dynamic Port Forwarding.