Remote shell via SSH for remote pentesting


SSH is a powerful remote access tool. It has an often overlooked feature -R : (from the man pages) Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side..


In essence this means that you can have a remote host A connecting to a host B that is controlled by you. Then from that host B you can connect trough host A to all the networks and services that host A has access to.

This is ideal for remote pentesting.

Imagine a situation where you can not go on site because it is to time-consuming or expensive (fe. if you’re doing freelance jobs). You create your customer a downloadable VM with a preconfigured SSH client config (SSH keys, …). On that VM you set a job that ‘x’ minutes after booting the VM has to SSH to one of your hosts. Merely monitoring the incoming SSH logs on your host is enough to know when the customer has started the VM. Once the connection is up you can use your VM host to scan, explore and investigate the network of your customer.

Remote SSH

+---------------+    +--------------------+     +-----------+
| VM (customer) | .. | corporate firewall | ..  | EC2 (you) |
+---------------+    +--------------------+     +-----------+
The virtual machine that you ship to your customer. You will use this machine to ‘explore’ the network of your customer.
A host that you control (fe. an instance in the EC2 cloud).

On the VM you have to issue this command (or have it run from cron) :

ssh -i <path_to_identityfile> -R 9922:localhost:22 myuser@EC2

Replace myuser, EC2 and fill in the path to your key files according to your setup. When the connection succeeds use your host (EC2) to SSH and connect back to the VM.

ssh -i <path_to_identityfile> localhost -p 9922

You are not restricted to SSH only connections. You can use a netcat listener and then forward traffic to the netcat. Alternatively you can forward your traffic to any local service desired (smb, http).


Based on ideas when attending SANS SEC560 from Ed Skoudis. Put here as a reminder.

Leave a Reply

Your email address will not be published. Required fields are marked *