Powered by Chat-GPT4 AI Assistant!

SSH stands for Secure shell and works on Port 22 . As penetration testers we are aware of the uses and power of SSH on remote access of systems . During Penetration testing SSH might come handy as a powerful tool .

This post will explain some of the port forwarding techniques that can be used during a penetration test .

Local Forwarding using SSH

Sometimes we come across scenarios where we need the services on the remote host accessible to the host via Local Network . Root is required .

ssh -L user@



Remote Forwarding using SSH 

Well this technique is complete opposite of the previous one . Remote forwarding on using SSH comes to rescue in those penetration testing scenarios where we need the services on a local machine / Local Network accessible to remote host via a remote listener . This might sound odd … why would I want my machine accessible on a remote host , but lets face it , we all need to expose a service that lets us download our penetration testing tools.

For the practical information here is an example :

The SSH server will be able to access TCP port 80 on SSH client by connecting to on the SSH Server .

ssh -R



SOCKS Proxy using SSH

Here we set up a SOCKS Proxy on that lets you pivot through the Remote Host

 ssh -D



X11 Forwarding using SSH 

If your SSH client is also an X-Server then you can launch X-clients (e.g. Firefox) inside your SSH session and display them on your X-Server.  This works well with from Linux X-Servers and from cygwin‘s X-server on Windows.

SSH -Y # less secure alternative – but faster


ForwardX11 yes
ForwardX11Trusted yes # less secure alternative – but faster

SSH Authorized Keys : 

SSH stands for Secure Shell … well to be secure , its always advisable to use Keys for encrypting the SSH communication . This helps to avoid unwanted hosts to take advantage of the penetration test and keep the penetration testing secure .

That being said , it is a good practice to add an authorized_keys file that will allow you to log in using an SSH key .

Authorized_keys File : This file is present in the User’s Home Directory on the SSH server .  This file basically holds the public keys of the users allowed to login into that user account of SSH Server .

For this the first step is to Generate PUBLIC KEY / PRIVATE KEY pairs .

sh-keygen -f mysshkey
cat mykey.pub # to copy this to authorized_keys

To connect to the Remote host using the authorized key :

ssh -i mykey user@

Some Cool SSH Configuration Tweeks

Finally here are some cool modifications you can do to your SSH Client system , this will make it easier to use other penetration testing tools that are using SSH .

Port 2222
User ptm
ForwardX11 yes
RemoteForward 80
LocalForward 1521

Ask Expert (GPT-4 Powered)
AI Chatbot Avatar
⚠️ Please wait for few seconds after submitting the query..