SSH Tips

Ssh with cert file

ssh -i <cert> <user>:<target>


Local port forwarding

ssh -L 5901:localhost:5901 -N -f -l <user> <target IP>

-L 5901:localhost:5901 : Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. Here you are using port 5901 on the localhost to be forward to on the 5901 port.

-N : Do not execute a remote command i.e. just forward ports.

-f : Requests ssh to go to background just before command execution. Requests ssh to go to background just before command execution. Once password supplied it will go to background and you can use prompt for type commands on local system.

-l user : the user to log in as on the remote machine.

Another example. To forward local ports, to a remote system;

$ ssh -L

This is local port forwarding. Forwarding our local port -L 9000 to, . Now open your browser and go to http://localhost:9000.

You might have noticed that every time we create a tunnel you also SSH into the server and get a shell. This isn’t usually necessary, as you’re just trying to create a tunnel. To avoid this we can run SSH with the -nNT flags, such as the following, which will cause SSH to not allocate a tty and only do the port forwarding.

$ ssh -nNT -L

Connecting to a box behind a firewall

If you need to access a port on a box which can only be accessed from localhost and not remotely.

$ ssh -L 9000:localhost:5900

The localhost:5900, specifies to forward connections from your local port 9000 to localhost:5900 on the box. Connect on your attack system using

$ vnc <options> -h localhost -p 5900

The 9000:localhost:5900, means localhost from the box's perspective, not localhost on your attack system. This means forward my local port 9000 to port 5900 on the box, because when you’re on the box, localhost means the box itself.

Remote port forwarding

This type of port forwarding works in reverse. Say you need to give someone VNC access to your client machine and you want to do so over an encrypted tunnel; with SSH remote port forwarding this is possible.

Before you do this, however, you need to add an option to the /etc/ssh/sshd_config file. Open that file in your editor of choice and add the following line at the bottom:

GatewayPorts yes

Restart the SSH daemon with the command:

sudo systemctl restart sshd

To make this connection happen, you would need to have ssh access to the third-party's machine. Let's assume that machine is at IP address To give them an encrypted tunnel for VNC access, you would issue the command:

ssh -R 5900:localhost:5900 USERNAME@

Where USERNAME is a username you have access to on their machine. You must then authenticate with the USERNAME password on the remote machine. For the duration of the SSH session, the third party would have an encrypted VNC tunnel to your machine, via localhost at port 5900.

And that's the basics to using local and remote port forwarding with SSH. We're only scratching the surface as to what port forwarding can do, but this gives you an idea. Port forwarding is an incredibly handy feature that can get you out of some tricky situations. Remember to give the ssh manpage a read (man ssh) to find out more of what SSH can do for you.