Comment on page


SSH Local Port Forwarding

Forwarding one port on the client system to exactly one port accessible from the SSH pivot server. It's still confusing no matter how many times I read it.
# Below sets up local port 8123 forwarded thru victim to reach port 80 on target.local
ssh -L 8123:target.local:80 pwner@victim
curl localhost:8123
attacker:8123 -> ->
# Below creates a tunnel with the established private key. Creates tunnel on https://localhost:4443
sudo ssh -i ~/.ssh/id_rsa -X -Y -C -g -L 4443: [email protected]
# Below forwards a port on the victim localhost to be accessible (i.e. MySQL for localhost only)
ssh -L 3306:localhost:3306 pwnt@victim
mysql -u root -p

SSH Dynamic Port Forwarding

SOCKS Proxy used to forward several ports. Can use proxychains to help non-proxy aware programs to reach the intended destination. Do not try to port scan through a SOCKS proxy, it is VERY SLOW!!
ssh -D 9123 pwnt@victim

SSH Remote Port Forwarding

A port on the pivot system is forwarded to a local port, not commonly used.
ssh -R :8123:localhost:80
ssh -R

Meterpreter/MSF Forwarding

Can use built in mechanisms in meterpreter/msf to port forward or route easily
# Cmd below will create a local port on to reach target:80
meterpreter > portfwd add -l 4321 -r target -p 80


We can use socat to forward to new machines easily
# Below command listens locally on 8080, forwards connections to
socat -v tcp4-listen:8080,reuseaddr,fork TCP4:


Iptables can be used to forward connections if we have root level access
# Must enable IP forwarding
sudo sysctl net.ipv4.ip_forward=1
# or do the following...
sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# Now we can redirect...
iptables -t nat -A PREROUTING -p tcp -dport 1234 -j DNAT --to-destination

Windows Portproxy

This is a lesser-known function of netsh where we can redirect ports on a windows box
# Listen on 8123 and forward connections to
netsh interface portproxy add v4tov4 listenport=8123 connectport=80 connectaddress=
# To view existing portproxy commands:
netsh interface portproxy show all


We can use ngrok to forward our own local connections to exploited machines