# SSH Local Port Forwarding

## Local SSH Forwarding to Remote Service

Local forwarding is requested with the `-L` flag.

The first case is forwarding into a service that runs locally on the remote machine.  In this instance, a service is running on victim machine 192.168.1.92, on port 8000, and is not accessible externally.

First, we must issue the local forward:

```bash
ssh user@192.168.1.92 -L 127.0.0.1:5555:127.0.0.1:8000
```

This command is issued on the Kali (attack) machine.  It instructs the Kali machine to take any traffic received locally (127.0.0.1) on port 5555 and send it to 192.168.1.92, where it is then sent to 127.0.0.1:8000 on the victim machine.

Once the local forward has been issued, we may open a new terminal window and connect to the service running on the victim machine.  Although this service is running only locally on the victim, and is not visible or accessible from the outside, we can reach it by issuing a command on Kali like this one:

```bash
nc 127.0.0.1 5555
```

By initiating a connection to 127.0.0.1:5555 on the attack machine, the connection is forwarded to 192.168.1.92, and then routed to port 8000 on the localhost of the victim.

![Local forward to internal service on target (remote) machine](/files/-MNTzay_y7M9nOuIQGu8)

## Local Forward to Remote Machine (hop)

In this instance, we have access to machine one (192.168.1.92) from our Kali machine.  We want to reach machine two (172.150.10.138), however this machine is only available from within the same network as machine one.  It cannot be reached by our attack machine directly; only from machine one.  In a case like this, we can set up a local SSH forward to reach machine two through machine one.

On our attack machine, we issue:

```bash
ssh user@192.168.1.92 -L 127.0.0.1:4567:172.150.10.138:22 
```

Here, we have directed our Kali machine to take any traffic received locally at 127.0.0.1:4567 and send it to 192.168.1.92, where it will be forwarded to 172.150.10.138:22.

{% hint style="info" %}
Note: The only difference between this command and the one used to reach an internal service on the remote machine is the final part of the `-L` argument.  Here, 127.0.0.1:8000 has been replaced with 172.150.10.138:22, so traffic is sent to machine two instead.
{% endhint %}

We can access machine two by issuing this command on our Kali machine:

```bash
ssh user@127.0.0.1 -p 4567
```

![Local port forward used to access another machine](/files/-MNTzmABZmY-1ultUBRn)
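
To make the difference between the two `-L` commands on this page concrete, the following added example (not part of the original cheat sheet) parses the `-L` value from an ssh command line and reports where the listener sits and where the SSH server sends the traffic; the same check is useful when reviewing shell history or process listings for forwards. The function names and result fields are hypothetical, and a forward with no bind address is assumed to listen on loopback (the OpenSSH default when `GatewayPorts` is off).

```python
import ipaddress
import shlex

# The two commands from this page, used as sample input.
PAGE_COMMANDS = [
    "ssh user@192.168.1.92 -L 127.0.0.1:5555:127.0.0.1:8000",
    "ssh user@192.168.1.92 -L 127.0.0.1:4567:172.150.10.138:22",
]

def _is_loopback(host):
    """True for 'localhost' or a loopback IP literal; other names are False."""
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def parse_local_forward(spec):
    """Parse [bind_address:]port:host:hostport (IPv4/hostnames; no IPv6 or sockets)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "localhost")  # assumption: no bind address means loopback
    if len(parts) != 4:
        raise ValueError(f"unsupported -L value: {spec!r}")
    bind, lport, host, hport = parts
    return {
        "listen": (bind, int(lport)),
        "target": (host, int(hport)),
        # The SSH server resolves the target, so loopback means the server itself.
        "kind": "server-local service" if _is_loopback(host) else "hop to another host",
        # An empty, '*' or non-loopback bind lets other machines use the listener.
        "listener_exposed": not _is_loopback(bind),
    }

def local_forwards(command_line):
    """Return parsed forwards from one ssh command line ('-L spec' or '-Lspec')."""
    tokens = shlex.split(command_line)
    found = []
    for i, tok in enumerate(tokens):
        if tok == "-L" and i + 1 < len(tokens):
            found.append(parse_local_forward(tokens[i + 1]))
        elif tok.startswith("-L") and len(tok) > 2:
            found.append(parse_local_forward(tok[2:]))
    return found

if __name__ == "__main__":
    for cmd in PAGE_COMMANDS:
        print(cmd, "->", local_forwards(cmd))
```
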
