Lateral Movement · Term

What is SSH tunneling?

SSH tunneling uses an SSH connection to carry other traffic, letting an attacker (or admin) reach internal services through a pivot. The -L, -R and -D flags are the core of network pivoting. Here is what each does.

TL;DR

SSH tunneling uses an SSH connection as a carrier for other network traffic, so a service that is only reachable from the SSH server becomes reachable from elsewhere. The three flags are `-L` (local forward), `-R` (remote forward), and `-D` (dynamic, a SOCKS proxy). It is the most common manual pivoting method: an attacker who has SSH to a compromised host tunnels through it to reach the internal network. It is also legitimate administration, so detection looks for the pattern, not the protocol.

By John Dill, Red Team Lead, SecureLayer7

What SSH tunneling is

An SSH session can do more than give a shell: it can forward arbitrary TCP traffic inside the encrypted connection. That turns an SSH-reachable machine into a pivot for reaching whatever it can reach.

The three forwarding modes:

  • `-L` local forward: a port on your machine maps to a host:port reachable from the SSH server.
  • `-R` remote forward: a port on the SSH server maps back to a service on your side.
  • `-D` dynamic forward: opens a SOCKS proxy locally so any tool can reach anything the SSH server can.

How it works and payload

With SSH access to a pivot, the attacker sets up the forward they need:

  • Local (reach an internal web app): `ssh -L 8080:10.10.0.20:80 user@PIVOT`, then open `http://localhost:8080`.
  • Remote (expose your handler on the pivot): `ssh -R 4444:127.0.0.1:4444 user@PIVOT`.
  • Dynamic (SOCKS for the whole subnet): `ssh -D 1080 user@PIVOT`, then run tools through the proxy (for example with proxychains).
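As an added example (not code from the page or from SecureLayer7), the following Python parses `-L`, `-R` and `-D` specs in the ssh(1) syntax (`[bind_address:]port:host:hostport` and `[bind_address:]port`) out of an ssh process command line and flags the sessions that set up a forward. That is the check a defender runs over process telemetry (`ps -eo args`, EDR process events) when looking for the tunnels above. The sample command lines are constructed; `PIVOT` is the page's own placeholder hostname.

```python
"""Extract SSH port-forwarding requests from ssh command lines.

Added example, not code from the original page: given the argv of an
``ssh`` process, classify every -L / -R / -D request so a defender can
see which sessions carry tunnels. Sample command lines are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# ssh(1) options that consume a following argument. Needed so that an
# option value such as the "2222" in "-p 2222" is never read as the host.
_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")


@dataclass
class Forward:
    mode: str                 # "local" (-L), "remote" (-R) or "dynamic" (-D)
    bind_address: Optional[str]
    port: int                 # listening port
    host: Optional[str]       # target host (None for -D, which is SOCKS)
    hostport: Optional[int]


def parse_forward(flag: str, spec: str) -> Forward:
    """Parse one spec: -L/-R [bind_address:]port:host:hostport, -D [bind_address:]port."""
    parts = spec.split(":")
    if flag == "D":
        if len(parts) == 1:
            return Forward("dynamic", None, int(parts[0]), None, None)
        if len(parts) == 2:
            return Forward("dynamic", parts[0], int(parts[1]), None, None)
        raise ValueError(f"bad -D spec: {spec}")
    mode = "local" if flag == "L" else "remote"
    if len(parts) == 3:
        return Forward(mode, None, int(parts[0]), parts[1], int(parts[2]))
    if len(parts) == 4:
        return Forward(mode, parts[0], int(parts[1]), parts[2], int(parts[3]))
    raise ValueError(f"bad -{flag} spec: {spec}")


def forwards_in_argv(argv: List[str]) -> List[Forward]:
    """Walk an ssh argv and return every forwarding request.

    Handles "-L 8080:h:80", the attached form "-L8080:h:80" and clustered
    flags such as "-fNR 4444:...". Stops at the destination argument.
    """
    found: List[Forward] = []
    i = 1  # argv[0] is the ssh binary
    while i < len(argv):
        arg = argv[i]
        if arg == "--" or not arg.startswith("-") or len(arg) < 2:
            break  # destination reached; anything after is the remote command
        consumed = 1
        j = 1
        while j < len(arg):  # walk a flag cluster like "-fNR"
            letter = arg[j]
            if letter in _OPTS_WITH_ARG:
                rest = arg[j + 1:]
                if rest:
                    value = rest
                elif i + 1 < len(argv):
                    value = argv[i + 1]
                    consumed = 2
                else:
                    value = ""
                if letter in "LRD" and value:
                    found.append(parse_forward(letter, value))
                break  # an option with an argument ends the cluster
            j += 1
        i += consumed
    return found


def flag_tunnels(cmdlines: List[str]) -> List[dict]:
    """Return one record per ssh command line that requests a forward."""
    hits = []
    for line in cmdlines:
        argv = shlex.split(line)
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        fwds = forwards_in_argv(argv)
        if fwds:
            hits.append({"cmdline": line,
                         "modes": sorted({f.mode for f in fwds}),
                         "forwards": fwds})
    return hits


# Constructed sample process command lines (not from the page).
SAMPLE_CMDLINES = [
    "ssh -L 8080:10.10.0.20:80 user@PIVOT",
    "ssh -fN -R 4444:127.0.0.1:4444 user@PIVOT",
    "/usr/bin/ssh -D 1080 -p 2222 user@PIVOT",
    "ssh -p 22 admin@bastion.example uptime",   # plain session, no forward
    "sshd: user [priv]",                         # server side, ignored
]

if __name__ == "__main__":
    for hit in flag_tunnels(SAMPLE_CMDLINES):
        print(hit["modes"], hit["cmdline"])
```

Command-line inspection only sees forwards requested at session start; forwards added later through the escape sequence, or by a client that is not OpenSSH, need sshd-side logging or network-level observation instead.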

Documented techniques shown for defenders.

How to defend

  • Restrict SSH on internet-facing and sensitive hosts (who can connect, from where).
  • Disable forwarding where not needed (`AllowTcpForwarding no`, `PermitTunnel no` in `sshd_config`).
  • Segment and restrict egress so a tunnel cannot reach much or call out.
  • Monitor for long-lived SSH sessions with forwarding and for SOCKS proxy patterns.
  • Limit tooling on servers so an attacker has fewer ways to tunnel.
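An added example (not the page's or OpenSSH's code) of auditing an `sshd_config` for the forwarding directives in the second bullet. It applies the sshd_config(5) defaults (`AllowTcpForwarding yes`, `AllowStreamLocalForwarding yes`, `AllowAgentForwarding yes`, `PermitTunnel no`, `GatewayPorts no`, `X11Forwarding no`), so a directive that is simply absent is reported at its default rather than missed, and it honours sshd's rule that the first occurrence of a directive wins. The weak and hardened configs are constructed; directives inside a `Match` block are treated as conditional and skipped, which is a simplification.

```python
"""Audit sshd_config for settings that let an SSH session carry a tunnel.

Added example, not the page's or OpenSSH's own code. The two configs
below are constructed to show a default-heavy file beside a hardened one.
"""
from typing import Dict, List, Tuple

# directive -> (hardened value, sshd_config(5) default when absent)
CHECKS = {
    "allowtcpforwarding": ("no", "yes"),
    "allowstreamlocalforwarding": ("no", "yes"),
    "allowagentforwarding": ("no", "yes"),
    "permittunnel": ("no", "no"),
    "gatewayports": ("no", "no"),
    "x11forwarding": ("no", "no"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global (pre-Match) directives with lower-cased keys.

    sshd uses the first value it reads for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block, whose directives
    apply only conditionally (simplification: they are not evaluated).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, effective value, hardened value) for every
    directive whose effective value is weaker than the hardened one."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (hardened, default) in CHECKS.items():
        effective = settings.get(key, default).lower()
        if effective != hardened:
            findings.append((key, effective, hardened))
    return findings


# Constructed: forwarding left at defaults, X11 explicitly enabled.
WEAK_CONFIG = """
Port 22
X11Forwarding yes
PasswordAuthentication no
"""

# Constructed: forwarding off globally, re-enabled for one account only.
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
PasswordAuthentication no
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

On a live host, feed the audit the output of `sshd -T` (the effective configuration after defaults and includes are resolved) rather than the raw file; the parser above is meant for the file as written, and a `Match` re-enabling forwarding for a specific user, as in the hardened sample, still deserves a look.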
