Lateral Movement · Term

What is port forwarding?

Port forwarding relays traffic for a single network port from one host to another through a compromised host, so an attacker can reach an internal service that is otherwise unreachable. This page explains what it is and the three directions it can run in.

TL;DR

Port forwarding relays traffic for a single port from one machine to another, commonly through a compromised pivot host so an attacker can reach an internal service they cannot connect to directly. There are three directions: local (open a port on your side that maps to an internal service), remote (open a port on the pivot that maps back to you), and dynamic (a SOCKS proxy for any destination). It is the basic building block of network pivoting.

By John Dill, Red Team Lead, SecureLayer7

What port forwarding is

Port forwarding takes traffic arriving on one host:port and relays it to another host:port. In an attack, the relay runs through the compromised pivot, so a service deep in the internal network becomes reachable from the attacker’s machine.

There are three classic directions:

  • Local forward: open a port on the attacker that tunnels to an internal host:port via the pivot.
  • Remote forward: open a port on the pivot (or another host) that tunnels back to the attacker’s service.
  • Dynamic forward: open a SOCKS proxy so any tool can reach any internal destination, not just one port.

How it works and payload

SSH is the most common way to set up each direction (see SSH tunneling):

  • Local: ssh -L 8080:10.10.0.20:80 user@PIVOT, then browse http://localhost:8080 to reach the internal web server. The pivot makes the connection to 10.10.0.20, so from the target's point of view the traffic comes from the pivot.
  • Remote: ssh -R 9001:127.0.0.1:9001 user@PIVOT publishes the attacker's local port 9001 as port 9001 on the pivot. By default sshd binds that listener to the pivot's loopback address only; for other internal hosts to reach it, GatewayPorts must be enabled in the pivot's sshd_config.
  • Dynamic (SOCKS): ssh -D 1080 user@PIVOT starts a SOCKS proxy on localhost:1080. Point tools at it (proxychains is the usual wrapper) and every connection they make is opened from the pivot to whatever destination the tool asks for.

Add -N to any of these to forward without opening a remote shell, which is quieter and easier to leave running in the background.

Dedicated tools such as chisel and ligolo-ng provide the same three directions without needing an SSH server on the pivot (chisel tunnels over HTTP/WebSocket, ligolo-ng over TLS with a tun interface on the attacker's side), which is why they turn up on Windows pivots and in environments where outbound SSH is blocked but HTTPS is not. The techniques are documented here so defenders know what to look for.
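To make the mechanism concrete, here is an added example (not the article's own code, and not chisel's or ligolo-ng's): a small Python relay that implements the -L behaviour (every client is relayed to one fixed destination) and the -D behaviour (a SOCKS5 CONNECT proxy per RFC 1928 with no authentication, which is what ssh -D offers), plus the SOCKS5 client side that proxychains would normally supply for a tool. The internal service is a constructed echo server on loopback standing in for 10.10.0.20:80; demo() brings everything up on ephemeral loopback ports and returns what came back through each path. Addresses, port 0 binding and the echo service are assumptions of the example, not taken from the page.

```python
import contextlib
import socket
import struct
import threading

def _recv_exact(sock, n):
    """Read exactly n bytes or raise on EOF (a bare recv() may return short)."""
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("short read")
    return buf

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far side sees EOF too."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    """Bidirectional relay between two sockets: the core of every forward, whatever sets it up."""
    with a, b:
        t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
        t.start()
        _pipe(a, b)
        t.join()

def start_server(bind, handler):
    """Accept loop in a daemon thread; returns the bound (host, port) so port 0 is usable."""
    srv = socket.create_server(bind)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def local_forward(bind, target):
    """ssh -L equivalent: every client of `bind` is relayed to the one fixed `target`."""
    return start_server(bind, lambda c: relay(c, socket.create_connection(target)))

def handle_socks5(client):
    """ssh -D equivalent: serve one SOCKS5 (RFC 1928) CONNECT with no authentication."""
    try:
        ver, nmethods = _recv_exact(client, 2)
        if ver != 5 or 0 not in _recv_exact(client, nmethods):
            client.sendall(b"\x05\xff")  # no acceptable authentication method
            return client.close()
        client.sendall(b"\x05\x00")  # method 0: no authentication, as ssh -D offers
        _, cmd, _, atyp = _recv_exact(client, 4)
        if atyp == 1:
            host = socket.inet_ntoa(_recv_exact(client, 4))
        elif atyp == 3:  # domain name: the proxy resolves it, so DNS also goes via the pivot
            host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        else:
            return client.close()  # IPv6 (atyp 4) left out to keep the example short
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        if cmd != 1:  # CONNECT only; BIND and UDP ASSOCIATE are refused
            client.sendall(b"\x05\x07\x00\x01" + bytes(6))
            return client.close()
        try:
            upstream = socket.create_connection((host, port))
        except OSError:
            client.sendall(b"\x05\x05\x00\x01" + bytes(6))  # rep 5: connection refused
            return client.close()
        client.sendall(b"\x05\x00\x00\x01" + bytes(6))  # rep 0: success, BND 0.0.0.0:0
    except (ConnectionError, UnicodeDecodeError):
        return client.close()
    relay(client, upstream)

def socks5_connect(proxy, host, port):
    """Tiny SOCKS5 client (what proxychains does for a tool): a socket to host:port via proxy."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")  # offer method 0 only
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused no-auth")
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    rep = _recv_exact(s, 10)  # VER REP RSV ATYP=1 BND.ADDR(4) BND.PORT(2)
    if rep[1] != 0:
        raise ConnectionError(f"SOCKS5 reply code {rep[1]}")
    return s

def _echo(client):
    """Constructed stand-in for the internal service (the article's 10.10.0.20:80)."""
    with client:
        while data := client.recv(4096):
            client.sendall(data)

def demo():
    """Stand up the fake service and reach it both ways; returns what each path echoed."""
    service = start_server(("127.0.0.1", 0), _echo)
    fwd = local_forward(("127.0.0.1", 0), service)
    proxy = start_server(("127.0.0.1", 0), handle_socks5)
    with socket.create_connection(fwd) as c:
        c.sendall(b"via -L")
        via_local = _recv_exact(c, 6)
    with socks5_connect(proxy, *service) as c:
        c.sendall(b"via -D")
        via_socks = _recv_exact(c, 6)
    return {"local": via_local, "socks": via_socks}
```

Run demo() from an interpreter to see both paths return the bytes they sent. The -R direction is the same relay() with the listener opened on the pivot and the fixed destination on the attacker's side; that is why a reverse forward only works if the pivot can connect out to the attacker, which is the egress point in the defence list further down.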

How to defend

  • Segment the internal network so a single pivot cannot reach sensitive services in the first place.
  • Restrict egress so a compromised host cannot tunnel out to the attacker.
  • Monitor for long-lived connections and tunneling patterns, especially from servers that should not initiate them.
  • Limit SSH and tooling on internet-facing and jump servers: set AllowTcpForwarding no where forwarding is not needed, keep GatewayPorts off, restrict PermitOpen where it is, and alert when binaries such as chisel appear on them.
  • Detect SOCKS proxy and forwarded-port behaviour on hosts and on the network: a new loopback listener on a server (1080 or 9001 appearing out of nowhere is a tell), or a single inbound session on one host fanning out into many short connections to other internal hosts.
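As an added example for the SSH-hardening point above (this is not the page's own code): a Python audit of sshd_config that applies sshd's documented defaults for the forwarding directives (AllowTcpForwarding yes, PermitOpen any, GatewayPorts no, PermitTunnel no) and reports which forwarding directions a configuration actually permits, including conditional re-enabling inside Match blocks. The two configurations are constructed samples, one left at defaults with GatewayPorts opened, and one locked down globally with a Match block that lets a bastion group use local forwards to a single internal destination; the group name and destination are assumptions.

```python
import re

# Defaults from sshd_config(5) for the directives that govern forwarding.
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",  # yes | no | local | remote | all
    "permitopen": "any",          # destinations allowed for -L and -D
    "gatewayports": "no",         # may -R listeners bind non-loopback addresses?
    "permittunnel": "no",         # tun(4) forwarding with ssh -w
}

# Constructed sample: a jump host left at defaults, plus GatewayPorts opened "for a tunnel".
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
"""

# Constructed sample: forwarding off globally; one group may -L/-D to one internal service.
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
Match Group bastion-users
    AllowTcpForwarding local
    PermitOpen 10.10.0.20:443
"""

def parse_sshd_config(text):
    """Split sshd_config text into top-level directives and Match blocks.

    Returns (top, blocks): top is {keyword: value} with the first occurrence
    winning, as sshd resolves it; blocks is [(criteria, {keyword: value}), ...].
    Keywords are lower-cased because sshd treats them case-insensitively.
    """
    top, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            blocks.append((val, current))
        elif current is not None:
            current.setdefault(key, val)
        else:
            top.setdefault(key, val)
    return top, blocks

def audit_forwarding(text):
    """Return human-readable findings on forwarding exposure; [] means nothing to fix."""
    top, blocks = parse_sshd_config(text)
    eff = {k: top.get(k, d).lower() for k, d in FORWARDING_DEFAULTS.items()}  # unset -> default
    findings = []
    tcp = eff["allowtcpforwarding"]
    if tcp in ("yes", "all"):
        findings.append(f"AllowTcpForwarding {tcp}: -L, -R and -D all work for every user")
    elif tcp == "local":
        findings.append("AllowTcpForwarding local: -L and -D work (-R is blocked)")
    elif tcp == "remote":
        findings.append("AllowTcpForwarding remote: -R works (-L and -D are blocked)")
    if tcp in ("yes", "all", "local") and eff["permitopen"] == "any":
        findings.append("PermitOpen any: no restriction on where -L and -D may connect")
    if eff["gatewayports"] in ("yes", "clientspecified"):
        findings.append(f"GatewayPorts {eff['gatewayports']}: -R listeners can bind non-loopback addresses")
    if eff["permittunnel"] != "no":
        findings.append(f"PermitTunnel {eff['permittunnel']}: layer-3 tun forwarding (ssh -w) allowed")
    for criteria, block in blocks:  # conditional overrides deserve a second look
        for key in FORWARDING_DEFAULTS:
            if key in block and block[key].lower() != eff[key]:
                findings.append(f"Match {criteria} sets {key} to {block[key]}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forwarding(cfg) or ["no forwarding findings"])
```

The weak sample yields three findings (all directions open, unrestricted destinations, non-loopback remote listeners); the hardened sample yields only the two deliberate Match overrides, which is the output a reviewer wants to confirm rather than silence. Note that PermitOpen constrains -L and -D but not -R, so a reverse listener back to the attacker is governed by AllowTcpForwarding and GatewayPorts alone.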
