Pivoting with SSH Cheat Sheet

I have had to use SSH to pivot through a network enough times that I think it would be useful to keep a quick cheat sheet here for reference. Maybe one day I will write a more thorough explanation/post but for now, here is a cheat sheet with a couple of examples for some port forwarding stuff. I will add more later.


Notes on IPs/machines in this example:

*These IPs are just used for examples*


Jumpbox (10.10.10.10)

Foothold Machine used to gain initial access to the network and pivot from

Target (172.0.0.1)

A machine on the internal network that can't be reached from my host and is not exposed to the internet, but can be reached from the foothold


Below is a rough diagram to visualize the examples. The red dotted line represents a network boundary.

[diagram: tunnel.png]

Basic SSH Connection Using a Key



Key File:

~/.ssh/bob_key.priv

SSH connection command:

ssh -i ~/.ssh/bob_key.priv bob@10.10.10.10

Same command but using a config file instead:


Config File: ~/.ssh/config





Command with config:

ssh Jmp




Local Port Forwards




Forward all traffic sent to port 445 on my host to port 445 on the target, with the connection to the target made from the jump box (refer to the diagram; this may sound a bit confusing):

ssh -L 445:172.0.0.1:445 -i ~/.ssh/bob_key.priv bob@10.10.10.10




Using our SSH config

ssh -L 445:172.0.0.1:445 Jmp




Practical Example of Local Port Forward.



Jump Proxy

Basic command:

ssh -J bob@10.10.10.10 -i ~/.ssh/bob_key.priv user@172.0.0.1

(-J takes the jump host, not a key file. The -i option only applies to the final hop, so the key for the jump box has to come from ssh-agent or from the config file.)




Command leveraging our SSH config:

ssh -J Jmp user@172.0.0.1




Even better - setting the jump proxy (ProxyJump) in the config:


On my host:
Config File: ~/.ssh/config

[image: new-config.png]

Command:

ssh Target
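As an added example (not the author's config, which the page only shows as a screenshot), here is a complete ~/.ssh/config that backs the ssh Jmp, ssh Target and forwarding commands on this page; the Pivot alias and the explicit bind addresses are my own assumptions.

```sshconfig
# Added example ~/.ssh/config (not the author's file, which the page only shows
# as a screenshot). Hosts, users, ports and the key path are the sample values
# used throughout this cheat sheet; the "Pivot" alias is my own addition.

# Internal target, reached through the jump box. "ssh Target" is now the
# same as "ssh -J Jmp user@172.0.0.1".
Host Target
    HostName 172.0.0.1
    User user
    ProxyJump Jmp

# "ssh Pivot": the jump box plus the forwards from this page. Kept as a
# separate alias so that ProxyJump sessions through "Jmp" do not try to bind
# these local ports on every connection.
Host Pivot
    # -L 445:172.0.0.1:445. Binding a port below 1024 locally needs root;
    # without it use a high port such as 4445:172.0.0.1:445.
    LocalForward 127.0.0.1:445 172.0.0.1:445
    # -D 7000: the SOCKS proxy used in the browser section below.
    DynamicForward 127.0.0.1:7000
    # Both listen on 127.0.0.1 only. A bind address of 0.0.0.0 (or -g) would
    # let anyone who can reach my host use the tunnel, so keep the default.
    ExitOnForwardFailure yes    # abort instead of silently running without the tunnel

# Settings shared by "Jmp" and "Pivot". ssh uses the first value it finds for
# each option, so the forward-only block above must come before this one.
Host Jmp Pivot
    HostName 10.10.10.10
    User bob
    IdentityFile ~/.ssh/bob_key.priv
    IdentitiesOnly yes          # offer only this key, not every key in the agent
```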



Dynamic Port Forward




On my host - basic command:

ssh -D 7000 -i ~/.ssh/bob_key.priv bob@10.10.10.10




Using our SSH config:

ssh -D 7000 Jmp




If you want to use your browser through the proxy (Firefox):

Set the SOCKS proxy (the -D port from above) in your Firefox preferences:

[image: Pasted image 20210405205438.png]




If it does not work, check this setting and set it to true if it is false:

In the search bar: about:config -> search -> network.proxy.allow.hijacking.localhost

[image: resized.png]



