Prerequisites
- SSH access with valid credentials to the target host.
- SSH server reachable from your attack machine.
Core Commands
Create an SSH tunnel from local port 1234 to MySQL (3306) on the remote target:
ssh -L 1234:localhost:3306 ubuntu@<IPaddressofTarget>
Verify the tunnel is listening:
netstat -antp | grep 1234
Scan the forwarded service as if it were local:
nmap -v -sV -p1234 localhost
Request multiple local forwards in one SSH command:
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@<IPaddressofTarget>
Each -L flag maps one local port to a service reachable from the target (web, RDP, DB), so internal services appear on arbitrary ports of your local machine.
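As an added example (not part of the original page), a small POSIX shell helper that assembles several local-forward specifications into a single ssh argument list. It catches two practical mistakes: omitting the -L in front of a second specification (ssh would then treat it as the remote command), and binding the local side of a tunnel to a non-loopback address, which exposes the forwarded internal service to every host that can reach the machine running ssh. The spec format is ssh's own `[bind_address:]local_port:remote_host:remote_port`; bracketed IPv6 bind addresses are not handled, and the placeholder host at the end is the page's.

```shell
#!/bin/sh
# Build the argument list for several SSH local forwards.
# Each spec is "[bind_address:]local_port:remote_host:remote_port".
# Every spec receives its own -L flag; a bare second spec without -L
# would be taken by ssh as the remote command, not as a forward.

is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

validate_forward_spec() {
    s="$1"
    # Count colon-separated fields: 3 (no bind address) or 4 (with one).
    nfields=$(printf '%s' "$s" | awk -F: '{print NF}')
    case "$nfields" in
        3) bind="localhost"; lport=${s%%:*}; rest=${s#*:} ;;
        4) bind=${s%%:*}; rest=${s#*:}; lport=${rest%%:*}; rest=${rest#*:} ;;
        *) echo "bad spec (expected [bind:]lport:host:rport): $s" >&2; return 1 ;;
    esac
    rhost=${rest%%:*}; rport=${rest#*:}
    is_port "$lport" || { echo "bad local port in $s" >&2; return 1; }
    is_port "$rport" || { echo "bad remote port in $s" >&2; return 1; }
    [ -n "$rhost" ] || { echo "missing remote host in $s" >&2; return 1; }
    # ssh binds the local side to loopback by default. A forward bound to
    # any other address is reachable by other hosts on this machine's
    # network, so refuse anything that is not explicitly loopback.
    case "$bind" in
        localhost|127.0.0.1) ;;
        *) echo "refusing non-loopback bind address '$bind' in $s" >&2; return 1 ;;
    esac
    return 0
}

# Prints "-L spec1 -L spec2 ..." on success; exits non-zero otherwise.
build_ssh_forward_args() {
    out=""
    for spec in "$@"; do
        validate_forward_spec "$spec" || return 1
        out="$out -L $spec"
    done
    printf '%s' "${out# }"
}

# Example run (constructed values; no connection is made here):
# ssh $(build_ssh_forward_args 1234:localhost:3306 8080:localhost:80) ubuntu@<IPaddressofTarget>
```

After the tunnel is up, the same `netstat -antp | grep <port>` check from above should show each local port bound to 127.0.0.1 only.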