Master Local Port Forwarding: The Hacker’s Secret Weapon for Pivoting & Firewall Evasion + Video

Introduction:

Local port forwarding is a technique that enables an attacker or penetration tester to securely redirect traffic from a local machine to an internal service residing on a remote network via an encrypted SSH tunnel. This method is fundamental for bypassing firewall restrictions, accessing hidden web interfaces, and performing lateral movement during red team operations. By understanding how to establish these tunnels, security professionals can simulate real-world attacks and also harden their own infrastructure against such pivoting techniques.

Learning Objectives:

  • Understand how SSH local port forwarding works and distinguish it from remote and dynamic forwarding.
  • Execute local port forwarding commands on Linux, macOS, and Windows (using OpenSSH or Plink).
  • Apply port forwarding to access internal databases, web servers, and RDP services while evading network access controls.

You Should Know:

1. SSH Local Port Forwarding – The Core Command

Local port forwarding allows you to forward a port on your local machine to a destination host and port through an SSH server (jump host). The syntax is:

`ssh -L [local_bind_address:]local_port:target_host:target_port user@ssh_server`

What this does: The SSH client listens on `local_port` of your machine. Any connection to that port is tunneled through the SSH server and then forwarded to target_host:target_port. This is useful when the SSH server can reach the target, but your local machine cannot directly.

Step‑by‑step guide to access an internal web server:

  1. Assume you have SSH access to a bastion host `192.168.1.10` with user `attacker`.
  2. The internal web server is `10.0.0.5:80` (only reachable from the bastion).
  3. Run: `ssh -L 8080:10.0.0.5:80 attacker@192.168.1.10`
  4. Open a browser on your local machine and visit `http://localhost:8080` – you will see the internal web app.

Linux/macOS command example:

`ssh -L 8080:10.0.0.5:80 -N -f attacker@192.168.1.10`

  • `-N` – Do not execute remote commands (just forward ports)
  • `-f` – Fork to background

Windows (OpenSSH client):

`ssh -L 8080:10.0.0.5:80 attacker@192.168.1.10`

Windows (Plink – PuTTY command line):

`plink.exe -ssh -L 8080:10.0.0.5:80 attacker@192.168.1.10`

2. Pivoting into Restricted Networks via Database Forwarding

Attackers often compromise a low‑privilege machine that has access to internal databases. Local port forwarding can expose an internal MySQL or PostgreSQL instance to local attack tools like `nmap` or sqlmap.

Step‑by‑step to forward a MySQL port (3306):

  1. After gaining SSH access to a compromised host `10.10.10.5` (dual‑homed), locate an internal database server `172.16.20.30:3306`.
  2. Run: `ssh -L 3307:172.16.20.30:3306 user@10.10.10.5 -N`
  3. Now connect your local MySQL client to `localhost:3307`: `mysql -h 127.0.0.1 -P 3307 -u internal_user -p`

This allows you to enumerate databases, dump credentials, or perform privilege escalation from your attacking machine without touching the internal network directly.

3. Bypassing Firewall Restrictions with Non‑Standard Ports

Many corporate firewalls allow outbound SSH (port 22) but block access to internal web admin panels on port 8080 or 8443. By tunneling HTTP traffic over SSH, you evade deep packet inspection that only checks the outer protocol.

Step‑by‑step to access a blocked admin panel:

  1. The admin panel `https://internal.company.com:8443` is blocked by an egress firewall.
  2. You have SSH access to an external jump server `jump.company.com` that can reach the admin panel.
  3. Forward it locally: `ssh -L 8443:internal.company.com:8443 user@jump.company.com`
  4. Set your browser to treat `localhost:8443` as a secure site (ignore certificate errors if self‑signed). Now the admin panel appears on your machine.

You can also create a persistent tunnel using `autossh` (Linux) or, on Windows, scheduled tasks with `plink`. Example `autossh` command, with autossh's own monitor port disabled (`-M 0`) and SSH keepalives used to detect a dead connection:

`autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 8443:internal.company.com:8443 user@jump.company.com`

4. Post‑Exploitation – Forwarding RDP for Lateral Movement

After compromising a Windows host inside the target network, you can forward its RDP service (port 3389) to your attacking machine. This allows you to remotely control the machine using a GUI without needing direct network access.

Step‑by‑step RDP forwarding:

  1. Assume you have an SSH shell on a compromised Windows target `192.168.1.50` (you previously dropped an SSH agent like `freesshd` or used `ssh` from WSL).
  2. From your local terminal: `ssh -L 33890:192.168.1.50:3389 user@192.168.1.50`
  3. Use any RDP client to connect to `localhost:33890`. You will see the Windows login screen.
  4. If you captured NTLM hashes or clear‑text credentials, you can now log in interactively.

Alternative using `socat` (if SSH is not available):

On the compromised machine, run: `socat TCP-LISTEN:13389,fork TCP:127.0.0.1:3389` then forward with SSH. But the cleanest method remains SSH local port forwarding.

5. Chaining Multiple Forwardings for Deep Pivoting

In complex network segmentation, you may need to hop through two or more SSH servers. This is called nested or chained port forwarding.

Step‑by‑step two‑hop tunnel:

  • Host A (attacker) → SSH to Host B (first pivot) → Host B can SSH to Host C (second pivot), which has access to the target service `10.0.0.99:22`.
  • Command on Host A: `ssh -L 2222:localhost:2222 userB@HostB`
  • On Host B, you must forward again: `ssh -L 2222:10.0.0.99:22 userC@HostC`
  • This creates a tunnel chain: A:2222 → B:2222 → C:22 → target.

Easier method using `ProxyJump` (OpenSSH 7.3+):

`ssh -L 8888:10.0.0.99:80 -J userB@HostB userC@HostC`

This directly forwards local port 8888 to the final target’s port 80 via two hops.

6. Hardening Against Local Port Forwarding for Blue Teams

Network defenders can detect and prevent malicious port forwarding by enforcing strict outbound SSH controls and monitoring for unusual traffic patterns.

Detection commands on Linux jump host (audit SSH connections):

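```bash
# Show listening TCP sockets owned by ssh/sshd (forwarded ports).
# A -L listener lives on the client machine; a -R listener lives on the server.
ss -tlnp | grep ssh

# Search the auth log for forwarding messages.
# sshd logs refused requests as "refused local port forward: ...".
grep -Ei "local (port )?forward" /var/log/auth.log
```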
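
The log review above, as an added example (not code from the original post): it classifies local-forward requests found in sshd log text against an allowlist. The log lines are constructed samples modelled on OpenSSH messages, the `server_request_direct_tcpip` lines assume `LogLevel DEBUG1` or higher, and `ALLOWED` is an assumed allowlist reusing the destinations from this page's `PermitOpen` example.

```python
import re

# Assumed allowlist: the destinations from the page's PermitOpen example.
ALLOWED = {("10.0.0.5", 80), ("172.16.20.30", 3306)}

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = """\
Mar  3 09:14:02 bastion sshd[2209]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:05 bastion sshd[2211]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41852, target 10.0.0.5 port 80
Mar  3 09:20:44 bastion sshd[2290]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 39114, target 172.16.20.99 port 3389
Mar  3 09:31:10 bastion sshd[2377]: refused local port forward: originator 127.0.0.1 port 39120, target 172.16.20.30 port 22
"""

EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:debug\d: )?"
    r"(?P<kind>server_request_direct_tcpip|refused local port forward): "
    r"originator (?P<orig>\S+) port \d+, "
    r"target (?P<target>\S+) port (?P<tport>\d+)"
)

def forward_events(log_text, allowed=ALLOWED):
    """Return one dict per local-forward (direct-tcpip) request in the log."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated sshd message
        dest = (m["target"], int(m["tport"]))
        if m["kind"].startswith("refused"):
            verdict = "refused"      # blocked by sshd policy, still worth review
        elif dest in allowed:
            verdict = "expected"     # forwarded to an approved destination
        else:
            verdict = "unexpected"   # forwarded to a host outside the allowlist
        events.append({"pid": int(m["pid"]), "dest": dest, "verdict": verdict})
    return events

def alerts(log_text, allowed=ALLOWED):
    """Keep only the requests an analyst should look at."""
    return [e for e in forward_events(log_text, allowed) if e["verdict"] != "expected"]

if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG):
        print(f"sshd[{e['pid']}] {e['verdict']}: {e['dest'][0]}:{e['dest'][1]}")
```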

Mitigation steps:

  • On the SSH server, set `AllowTcpForwarding no` in `/etc/ssh/sshd_config` to disable all forwarding. For per‑user control, use `Match User` blocks.
  • Use `PermitOpen` to whitelist specific destination hosts/ports. Example: `PermitOpen 10.0.0.5:80 172.16.20.30:3306`
  • Deploy network IDS rules that detect SSH tunneled traffic (e.g., unusual byte patterns, mismatched protocol banners).

Windows hardening (if using OpenSSH Server on Windows):

  • Set `AllowTcpForwarding no` in `C:\ProgramData\ssh\sshd_config`.
  • Restart the service: `Restart-Service sshd`
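
To check the mitigations above, the following added example (not code from the original post) audits `sshd_config` text and reports, for the global section and each `Match` block, whether local forwarding is disabled, restricted by `PermitOpen`, or open to any destination. The sample config and the user names in it are constructed; the parser assumes whitespace-separated keywords, no `Include` files, and judges each `Match` block on its own.

```python
# Constructed sample config built from the page's mitigation bullets.
SAMPLE_CONFIG = """\
AllowTcpForwarding no

Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:80 172.16.20.30:3306

Match User legacy_admin
    AllowTcpForwarding yes
"""

# sshd's built-in defaults when a keyword is absent.
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}

def parse_scopes(text):
    """Return {scope: {keyword: value}}; the first value wins within a scope."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        elif key in DEFAULTS:
            scopes[scope].setdefault(key, value)
    return scopes

def audit(text):
    """Return {scope: verdict} for local (ssh -L style) forwarding."""
    scopes = parse_scopes(text)
    base = {**DEFAULTS, **scopes["global"]}
    report = {}
    for scope, overrides in scopes.items():
        eff = {**base, **overrides}  # Match keywords override the global section
        fwd, dests = eff["allowtcpforwarding"].lower(), eff["permitopen"].lower()
        if fwd in ("no", "remote") or dests == "none":
            report[scope] = "local forwarding disabled"
        elif dests == "any":
            report[scope] = "local forwarding to ANY destination"
        else:
            report[scope] = "local forwarding limited to: " + eff["permitopen"]
    return report

if __name__ == "__main__":
    for scope, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: {verdict}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing config files offline.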

What Undercode Say:

  • Local port forwarding is a double‑edged sword: essential for legitimate remote access but a primary tool for attackers during post‑exploitation and pivoting. Mastery of `ssh -L` is non‑negotiable for red and blue teams alike.
  • The biggest blind spot for defenders is assuming that outbound SSH is safe. Attackers routinely convert allowed SSH into a full tunnel that bypasses firewalls, exfiltrates data, and accesses internal apps. Regular audits of `AllowTcpForwarding` and monitoring for long‑lived SSH connections with `-N -f` flags can reveal malicious activity.

Prediction:

As zero‑trust architectures and micro‑segmentation become standard, attackers will increasingly rely on SSH local port forwarding to pivot across service meshes and side‑car proxies. We will see a rise in AI‑assisted tunneling tools that automatically discover forwarding paths and evade anomaly detection by mimicking legitimate administrative SSH sessions. Defenders will shift toward SSH‑specific intrusion detection using eBPF hooks and behavioral analysis, making simple port forwarding less stealthy but still a reliable fallback technique for years to come.

Reported By: Rachna Vermaa – Hackers Feeds