Vulnarex | Elite Cybersecurity Learning Platform

#Bypassing the Wall: The Power of Port Forwarding#link

SSH is more than a shell. Because it creates a secure, encrypted TCP pipe, you can 'stuff' other network traffic inside it. This is called tunneling. It is used by admins to access internal services and by attackers to pivot deeper into a network.

Local Port Forwarding (`-L`)

Local forwarding allows you to map a port on your *local* machine to a port on a *remote* server. For example, if a database is running on a remote server's port 5432 but is blocked by a firewall, you can tunnel it to your local port 8888. To your local app, the database looks like it's running on your own machine.

info

💡 Think of it as: 'Bring a remote service to my local machine'.

Tunneling a remote MySQL database locally

root@vulnarex:~#ssh -L 8888:localhost:3306 user@remote-server

In this command, SSH creates a listener on your local port 8888. Any traffic sent there is encrypted, sent to the remote server, and then forwarded to the remote server's own port 3306.

Remote Port Forwarding (`-R`)

Remote forwarding is the opposite. It allows a remote server to access a port on your *local* machine. This is incredibly useful for showing a local development site to a client or exposing a local service to the internet without opening your firewall.

STRICT SECURE AUDIT RULE

⚠️ This is a high-risk action. You are effectively opening a hole in your local firewall and allowing anyone on the remote server to access your local machine.

Exposing a local web server to a remote host

root@vulnarex:~#ssh -R 8080:localhost:80 user@remote-server

Type	Flag	Direction	Common Use Case
Local	-L	Remote $ ightarrow$ Local	Accessing internal DBs/Web-UIs
Remote	-R	Local $ ightarrow$ Remote	Exposing local dev to the web
Dynamic	-D	SOCKS Proxy	Bypassing corporate firewalls

Dynamic Port Forwarding (`-D`): The SOCKS Proxy

Unlike Local/Remote forwarding which target a specific port, Dynamic forwarding turns your SSH client into a SOCKS proxy. You can configure your browser to use this proxy, and all your web traffic will be routed through the SSH server. This allows you to browse the web *as if you were sitting at the remote server*.

bash

# Start a dynamic SOCKS proxy on port 9050
ssh -D 9050 user@remote-server

▪Use `-N` flag to prevent opening a shell
▪Use `-f` to run the tunnel in the background
▪Configure browser 'Proxy Settings' $ ightarrow$ SOCKS v5 $ ightarrow$ localhost:9050
▪Avoid tunneling sensitive traffic through untrusted servers

STRICT SECURE AUDIT RULE

Many corporate IDS (Intrusion Detection Systems) look for 'SSH Tunneling' patterns, as it's a primary method for bypassing firewalls and exfiltrating data.

quiz BLOCK (★ 50 XP)

You want to access a web server that is only reachable from a remote 'jump host' you have access to. Which SSH flag should you use to make that web server available on your own laptop?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The Pivot Attack