-f sends ssh to the background immediately, so we get our own terminal back.
-N tells SSH not to execute any remote command; it only sets up the forward.
-L creates a forward from a local port.
Dynamic Port Forwarding
ssh -D 9050 user@10.10.0.10 -fN
-D creates a dynamic (SOCKS) proxy on the given local port, here 9050.
Remote Port Forwarding
$ ssh -N -R 10.10.10.10:5901:127.0.0.1:5901 -i id_rsa pwned@10.10.10.11
┌──(pwned㉿kali)-[~/transfer/Lin-Tools]
└─$ netstat -tplun
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5882/python2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:5901                :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:54280           0.0.0.0:*                           -
┌──(pwned㉿kali)-[~/transfer/Lin-Tools]
└─$ nmap -p5901 127.0.0.1 -sC -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-21 19:03 +07
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00048s latency).
PORT     STATE SERVICE VERSION
5901/tcp open  vnc     VNC (protocol 3.3; Locked out)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
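Whether the -L, -D and -R forwards above are accepted, and which address a -R listener binds to (127.0.0.1:5901 in the netstat output), is decided by the server's AllowTcpForwarding and GatewayPorts settings. The helper below is an added example, not part of the original notes: forwarding_audit is a hypothetical name, the sample inputs are constructed, and it reads the effective configuration in the format `sshd -T` prints.

```shell
#!/bin/sh
# Added example: report which SSH forwarding modes a server permits,
# from effective sshd configuration ("keyword value" lines, as `sshd -T` prints).
# forwarding_audit is a hypothetical helper name.

forwarding_audit() {
    awk '
        { key = tolower($1) }
        key == "allowtcpforwarding" { atf = tolower($2) }
        key == "gatewayports"       { gw  = tolower($2) }
        END {
            # OpenSSH defaults when a keyword is absent from the input
            if (atf == "") atf = "yes"
            if (gw  == "") gw  = "no"

            # -L and -D both open direct-tcpip channels ("local" forwarding);
            # -R asks sshd to open a listener ("remote" forwarding).
            loc = (atf == "yes" || atf == "all" || atf == "local")  ? "allowed" : "denied"
            rem = (atf == "yes" || atf == "all" || atf == "remote") ? "allowed" : "denied"

            # GatewayPorts decides where an accepted -R listener may bind.
            if (rem == "denied")              bind = "none"
            else if (gw == "no")              bind = "loopback-only"
            else if (gw == "clientspecified") bind = "client-chosen"
            else                              bind = "all-interfaces"

            printf "local(-L,-D)=%s remote(-R)=%s remote_bind=%s\n", loc, rem, bind
        }
    '
}

# Constructed sample inputs in the `sshd -T` output format.
SAMPLE_DEFAULT='port 22
allowtcpforwarding yes
gatewayports no'

SAMPLE_HARDENED='port 22
allowtcpforwarding no
gatewayports no'

printf '%s\n' "$SAMPLE_DEFAULT"  | forwarding_audit
printf '%s\n' "$SAMPLE_HARDENED" | forwarding_audit
```

On a live host, run it as `sshd -T | forwarding_audit` with root privileges; Match blocks can change the result per user, so test those with `sshd -T -C user=NAME`.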
ProxyTunnel
When the server does not expose port 22 but the application uses an HTTP proxy service, we can use the proxytunnel tool to forward traffic to the remote server.