# SSH tunneling basics

#### SSH local port forward (executed from Kali to the remote host)

{% code overflow="wrap" %}

```
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -L <bind_address, usually 0.0.0.0>:<port that is going to show up on kali>:<linux host ip>:<linux host port> username@<linux host ip>
```

{% endcode %}

#### SSH remote port forward (executed from remote host back to Kali)

{% code overflow="wrap" %}

```
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -R <bind_address, usually localhost>:<port that is going to show up on kali>:127.0.0.1:<port on the host you're forwarding> kali@<kali ip>
```

{% endcode %}

#### SSH dynamic port forwarding (executed from Kali to other hosts via a linux host)

{% code overflow="wrap" %}

```
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -D <address to bind the SOCKS listener to on Kali>:<port to bind the SOCKS listener to on Kali> username@<linux host acting as the proxy>

# example:

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -N -D 127.0.0.1:8080 username@10.10.10.10

# edit proxychains.conf to reflect the above choices

vim /etc/proxychains.conf

...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 8080 

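# prepend commands with 'proxychains'; an example where 10.0.0.0/8 is the external subnet and 192.168.0.0/24 is the internal subnet
# only TCP connections are carried through the SOCKS proxy, so ICMP tools such as ping do not traverse the tunnel

proxychains curl http://192.168.0.1/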

# tip: proxychains -q suppresses annoying debug output
```

{% endcode %}

#### Generating keys for remote port forwarding

```
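# writes the private key to the given path and the public key to <path>.pub
ssh-keygen -f <wherever you want the key written to>

# append (>>) the public key; a single > would overwrite any keys already authorized
cat <wherever you want the key written to>.pub >> ~/.ssh/authorized_keys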
```
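
A key appended to `authorized_keys` as-is can also open a shell on the accepting account. The following is an added example (not from the original page) that writes an entry limited to port forwarding with one permitted `-R` listen port, using OpenSSH's `restrict`, `port-forwarding`, `permitlisten` and `command=` key options. The key text, temp paths and port 8080 are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page. Builds an authorized_keys entry
# limited to port forwarding with one permitted -R listen port and no shell.

# restricted_entry <public key file> <listen port>
# Prints one authorized_keys line, or returns 1 on bad input.
restricted_entry() {
    pub_file=$1 port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ -f "$pub_file" ] || { echo "no such file: $pub_file" >&2; return 1; }
    # Expect a single-key .pub file; refuse anything longer.
    [ "$(wc -l < "$pub_file")" -le 1 ] || { echo "more than one line: $pub_file" >&2; return 1; }
    key=$(head -n 1 "$pub_file")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key: $pub_file" >&2; return 1 ;;
    esac
    # restrict: no pty, agent, X11 or forwarding; port-forwarding re-enables
    # forwarding; permitlisten limits -R to this port (-L destinations would
    # need permitopen); command= replaces any requested command (ssh -N
    # requests none, so the tunnel still works).
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$port" "$key"
}

# install_entry <entry line> <authorized_keys path>
# Appends the line once (>> never truncates) and keeps the file mode 600.
install_entry() {
    entry=$1 auth=$2
    ( umask 077; touch "$auth" )
    grep -qxF -- "$entry" "$auth" || printf '%s\n' "$entry" >> "$auth"
    chmod 600 "$auth"
}

# Constructed demo: fake key, temp directory, hypothetical port 8080.
demo() {
    dir=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL tunnel@remote' > "$dir/tunnel.pub"
    line=$(restricted_entry "$dir/tunnel.pub" 8080) || return 1
    install_entry "$line" "$dir/authorized_keys"
    install_entry "$line" "$dir/authorized_keys"   # second call adds nothing
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
demo
```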
