SSH Tunneling Scenarios

Scenario 3 - Dynamic with Local Forward

In this scenario, we need to run an nmap scan through a dynamic forward that exits from the Hop 2 box, so we can enumerate the Victim machine.

Create a tunnel through Hop 1 that will point to Hop 2's port 22.

ssh root@Hop1 -L 2222:Hop2:22


Now we need to send our dynamic forward (port 9050) through local port 2222 to Hop 2, so that our traffic pops out the other side.

ssh root@127.1 -p2222 -f -N -D 9050


Now we can use proxychains to send localhost:9050 traffic through 2222 and hit our victim machine.

proxychains nmap -n -Pn -sT --top-ports 100 Victim
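
Both steps above depend on the hop hosts' sshd accepting client-side forwards (-L on Hop 1, -D on Hop 2). The script below is an added example, not part of the original page: it classifies a host's effective sshd settings by whether they would permit those forwards. The function name classify_forwarding and the sample configurations are constructed for illustration; the input is assumed to be in the "keyword value" format printed by sshd -T.

```shell
#!/bin/sh
# Added example (not from the original page).
# On a real host, run as root:  sshd -T | classify_forwarding
# Note: sshd -T prints the global effective config; Match blocks need -C.

classify_forwarding() {
    # Reads effective sshd config on stdin.
    # Prints: open (any destination), restricted (PermitOpen list), blocked.
    awk '
        $1 == "allowtcpforwarding" { fwd = $2 }
        $1 == "permitopen"         { $1 = ""; sub(/^ +/, ""); dest = $0 }
        END {
            if (fwd == "")  fwd = "yes"     # OpenSSH default
            if (dest == "") dest = "any"    # OpenSSH default
            # -L and -D are both client-initiated forwards; sshd allows
            # them only when AllowTcpForwarding is yes, all or local.
            if (fwd != "yes" && fwd != "all" && fwd != "local") {
                print "blocked"; exit
            }
            if (dest == "none") { print "blocked"; exit }
            if (dest == "any")  { print "open"; exit }
            # A destination list limits what -L can target and what a
            # -D SOCKS proxy on this host can reach.
            print "restricted"
        }'
}

# Constructed sample configs (not captured from real hosts).
HOP_DEFAULT='port 22
allowtcpforwarding yes
permitopen any'

HOP_PINNED='allowtcpforwarding local
permitopen hop2.example:22'

HOP_LOCKED='allowtcpforwarding no
permitopen any'

printf 'default: %s\n' "$(printf '%s\n' "$HOP_DEFAULT" | classify_forwarding)"
printf 'pinned:  %s\n' "$(printf '%s\n' "$HOP_PINNED"  | classify_forwarding)"
printf 'locked:  %s\n' "$(printf '%s\n' "$HOP_LOCKED"  | classify_forwarding)"
```

A host reported as open will relay to any destination, which is what lets the chain above reach the Victim; setting AllowTcpForwarding no, or a PermitOpen list, on hosts that do not need forwarding closes that path.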
