SSH Tunneling Scenarios
Scenario 3 - Dynamic with Local Forward
In this situation, we need to run a dynamic nmap scan from the Hop 2 box to enumerate the Victim machine.
Create a tunnel through Hop 1 that will point to Hop 2's port 22.
ssh root@Hop1 -L 2222:Hop2:22
Now, we need to send our dynamic forward (port 9050) through the local 2222, through Hop2 so we can pop out the other side.
ssh root@127.1 -p2222 -f -N -D 9050
Now we can use proxychains to send localhost:9050 traffic though 2222 and hit our victim machine
proxychains nmap -n -Pn -sT --top-ports 100 Victim
