== Tunneling ==

To forward a local port to a host reachable from the remote machine, use `ssh -L LOCAL_PORT:TARGET_HOST:TARGET_PORT user@remote`. Connections to `LOCAL_PORT` on our machine are carried over the SSH session and made *by the remote machine* to `TARGET_HOST:TARGET_PORT`.

When an application on the remote machine listens only on localhost, `TARGET_HOST` has to be the remote machine's own loopback address, because the outgoing connection is made from the remote side:

`ssh -L LOCAL_PORT:127.0.0.1:REMOTE_PORT user@remote`

This gives access to loopback-only ports on the remote system via localhost on our local machine. By default the listener on our side binds to loopback only; to let other hosts use the tunnel, put a bind address in front of the spec (`-L 0.0.0.0:LOCAL_PORT:127.0.0.1:REMOTE_PORT`) or set `GatewayPorts yes` in the client config. Doing so exposes the remote service to anyone who can reach our machine, so treat it as publishing that service.

== Reverse tunneling ==

To allow the remote machine to connect to a port on our local machine (or on anything our machine can reach), use `-R` instead of `-L`:

`ssh -R REMOTE_PORT:localhost:LOCAL_PORT user@remote`

The remote `sshd` listens on `REMOTE_PORT` and carries each connection back through the session to `localhost:LOCAL_PORT` as resolved on our side. For example, to let the remote machine reach the PostgreSQL instance running on port 5432 on our local machine:

`ssh -R 5432:localhost:5432 user@remote`

Now when the remote machine connects to port 5432 on its own localhost, the connection is tunneled back to us. Note the port order: the first number is the port opened on the remote side, the last is the port on our side. The remote listener binds to loopback unless `GatewayPorts` is enabled in the remote `sshd_config`; the client cannot override that on its own.

== Useful params ==

`-f` - go to background after authentication, useful for setting up tunnels
`-N` - do not execute a remote command, useful for just forwarding ports
`-L` - local port forwarding, see above
`-R` - remote (reverse) port forwarding, see above
`-o ExitOnForwardFailure=yes` - exit with an error if a requested forward cannot be set up (e.g. the port is already taken); without it `ssh -f -N` happily goes to the background with no tunnel and you only find out when the first connection fails

== Agent forwarding ==

(from stackoverflow)

1. Create `~/.ssh/config`
2. Fill it with (host address is the address of the host you want to allow creds to be forwarded to):

    Host [host address]
        ForwardAgent yes

3. If you haven't already run ssh-agent, run it: `ssh-agent`
4. Take the output from that command and paste it into the terminal. This will set the environment variables that need to be set for agent forwarding to work.
5. Optionally, you can replace steps 3 and 4 with: `eval "$(ssh-agent)"`
6. Add the key you want forwarded to the ssh agent: `ssh-add [path to key if there is one]/[key_name].pem`
7. Log into the remote host: `ssh -A [user]@[hostname]`
8. From here, if you log into another host that accepts that key, it will just work: `ssh [user]@[hostname]`

== Interesting vulns ==

Library loading on the local machine with `ssh -A` and `ssh-add -s ../evil_lib.so`: https://www.exploit-db.com/exploits/40963

With agent forwarding enabled, the remote host gets a Unix socket that speaks the agent protocol to the ssh-agent running on *our* machine. `ssh-add -s PROVIDER` sends an add-smartcard-key request naming a PKCS#11 provider library, and ssh-agent in OpenSSH before 7.4 would `dlopen()` whatever path it was given. A compromised remote host (or anyone with root there, since the forwarded socket lives on its filesystem) could therefore get a shared object loaded into the agent on the local machine, provided that file already exists on the local filesystem. OpenSSH 7.4 fixed this (CVE-2016-10009) by only loading providers that match a whitelist of paths (`ssh-agent -P`). Independently of that bug, root on the remote host can use the forwarded socket to sign with our keys for as long as the session is open, so only forward the agent to hosts you trust, and prefer `ssh -J jumphost target` (`ProxyJump`) when the intermediate host only needs to relay the connection and never needs our keys itself.
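To make the agent-forwarding risk concrete, here is an added example (not OpenSSH code and not from the original notes) that builds the exact request `ssh-add -s` sends over the agent socket, parses agent framing, and applies the policy a local filtering proxy sitting between the forwarded channel and the real agent could enforce: pass through only identity listing and signing, refuse everything that changes agent state. Message type numbers follow draft-miller-ssh-agent; the provider path `../evil_lib.so` is the one from the exploit note above and the rest of the traffic is constructed for illustration.

```python
"""ssh-agent protocol messages as they cross a forwarded agent socket.

Constructed illustration: what `ssh-add -s <lib>` sends to the agent, plus a
filter policy a defensive agent proxy could apply to a forwarded socket.
Not OpenSSH's code; message type numbers are from draft-miller-ssh-agent.
"""
import struct

# Client -> agent request types (draft-miller-ssh-agent)
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
# Agent -> client generic reply
SSH_AGENT_FAILURE = 5

# The only requests a forwarded (untrusted) client legitimately needs: listing
# public keys and asking for signatures. Everything else changes agent state,
# including the smartcard (PKCS#11 dlopen) requests.
FORWARD_ALLOW = {SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENTC_SIGN_REQUEST}


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes) -> bytes:
    """Agent framing: uint32 length, then one type byte, then the payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def add_smartcard_key(provider_path: str, pin: str = "") -> bytes:
    """The request `ssh-add -s PROVIDER` sends: string provider, string pin.
    A pre-7.4 agent dlopen()s PROVIDER on the machine where the agent runs."""
    return frame(SSH_AGENTC_ADD_SMARTCARD_KEY,
                 put_string(provider_path.encode()) + put_string(pin.encode()))


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """A legitimate forwarded request: string key blob, string data, uint32 flags."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(key_blob) + put_string(data) + struct.pack(">I", flags))


def parse_frame(data: bytes):
    """Return (msg_type, payload, remaining_bytes); ValueError on bad framing."""
    if len(data) < 5:
        raise ValueError("short frame")
    (n,) = struct.unpack_from(">I", data, 0)
    if n < 1 or 4 + n > len(data):
        raise ValueError("bad length")
    return data[4], data[5:4 + n], data[4 + n:]


def describe(msg_type: int, payload: bytes) -> str:
    """Human-readable log line; the provider path is the interesting part."""
    if msg_type in (SSH_AGENTC_ADD_SMARTCARD_KEY,
                    SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED):
        provider, _ = get_string(payload, 0)
        return f"add-smartcard-key provider={provider.decode(errors='replace')!r}"
    return f"type={msg_type}"


def filter_forwarded(data: bytes):
    """Policy for a proxy between the forwarded channel and the real agent.
    Allowed requests are passed to the agent unchanged; anything else is
    answered with SSH_AGENT_FAILURE and logged. Returns (to_agent, to_client, log)."""
    to_agent, to_client, log = b"", b"", []
    rest = data
    while rest:
        msg_type, payload, rest = parse_frame(rest)
        if msg_type in FORWARD_ALLOW:
            to_agent += frame(msg_type, payload)
        else:
            log.append("blocked " + describe(msg_type, payload))
            to_client += frame(SSH_AGENT_FAILURE, b"")
    return to_agent, to_client, log


if __name__ == "__main__":
    # Constructed traffic: one benign listing request, then the evil ssh-add -s.
    stream = frame(SSH_AGENTC_REQUEST_IDENTITIES, b"") + add_smartcard_key("../evil_lib.so")
    to_agent, to_client, log = filter_forwarded(stream)
    print(log)
```

The same allow-list is what makes the post-7.4 whitelist only a partial answer: even a patched agent will sign anything the remote side asks for while the session is up, which is why the proxy above only lets signing and listing through and why `ProxyJump` is preferable when the jump host does not itself need the keys.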
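The Tunneling and Reverse tunneling sections above give the one-liners; when a tunnel is opened from a script, the missing pieces are knowing that the forward actually came up and tearing it down afterwards instead of leaving a stray `ssh -f -N` behind. The following is an added example (not from the original notes) that builds the `-L`/`-R` spec, runs `ssh -N` with `ExitOnForwardFailure`, and waits until the local listener accepts connections. `user@remote` and the ports 15432/5432 are assumptions for illustration; the loopback listener used to exercise `wait_for_listener` is constructed locally.

```python
"""Open an SSH local port forward from a script and wait until it is usable.

Added illustration; "user@remote" and the ports are assumptions.
"""
import shlex
import socket
import subprocess
import time
from contextlib import contextmanager


def forward_spec(listen_port: int, target_host: str, target_port: int,
                 bind_addr: str = "127.0.0.1") -> str:
    """Build the BIND:PORT:HOST:PORT argument used by both -L and -R.

    For -L the bind address is a local interface; for -R it is the interface on
    the remote side (and only honoured there if sshd has GatewayPorts enabled).
    Loopback by default on purpose: widening it publishes the tunnelled service."""
    for p in (listen_port, target_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port {p}")
    return f"{bind_addr}:{listen_port}:{target_host}:{target_port}"


def ssh_command(destination: str, spec: str, reverse: bool = False) -> list:
    """argv for a forward-only session.

    -N: no remote command. ExitOnForwardFailure: exit non-zero instead of staying
    connected without the tunnel when the listening port is taken. BatchMode:
    fail instead of hanging on a password prompt when run unattended."""
    return ["ssh", "-N",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "BatchMode=yes",
            "-R" if reverse else "-L", spec,
            destination]


def wait_for_listener(host: str, port: int, timeout: float = 10.0, proc=None) -> bool:
    """Poll until something accepts TCP connections on host:port (the forward is
    up). Gives up on timeout, or early if the ssh process has already exited
    (which with ExitOnForwardFailure means the forward could not be bound)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc is not None and proc.poll() is not None:
            return False
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.1)
    return False


@contextmanager
def local_forward(destination: str, local_port: int, target_host: str, target_port: int):
    """with local_forward("user@remote", 15432, "127.0.0.1", 5432): ...

    Loopback-only tunnel to the remote machine's loopback-only Postgres, torn
    down when the block exits rather than left as a background ssh."""
    spec = forward_spec(local_port, target_host, target_port)
    argv = ssh_command(destination, spec)
    proc = subprocess.Popen(argv)
    try:
        if not wait_for_listener("127.0.0.1", local_port, proc=proc):
            raise RuntimeError(f"tunnel did not come up: {shlex.join(argv)}")
        yield proc
    finally:
        proc.terminate()
        proc.wait()


if __name__ == "__main__":
    # Assumed destination; the remote side's Postgres is only on its loopback,
    # so the target host in the spec is the remote machine's 127.0.0.1.
    with local_forward("user@remote", 15432, "127.0.0.1", 5432):
        print("psql -h 127.0.0.1 -p 15432 would now reach the remote database")
```

Because `ExitOnForwardFailure` makes a failed bind fatal, `wait_for_listener` returns as soon as ssh dies instead of polling for the full timeout, which is the behaviour you want from a tunnel that other automation depends on.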