Home Basic SSH & SSH Port Forwarding

Basic SSH & SSH Port Forwarding

Guide for basic SSH usage and SSH Port Forwarding.

  1. Basic SSH
  2. SSH Port Forwarding

Basic SSH

Connect to Host

ssh USER@HOST_IP -p 2222
  • -p to specify the port (22 is default)

Connect to Host with Private Key


Copy Files to Host

scp local_file.txt USER@HOST_IP:/tmp/remote_file.txt

Copy Files from Host

scp USER@HOST_IP:/tmp/remote_file.txt local_file.txt 

Connect to Host with Certain KeyExchange & Cipher

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr USER@HOST_IP

SSH Algorithms

Run the below commands to get the supported Cipher, MAC, & Key Exchange algorithms respectively:

ssh -Q cipher
ssh -Q mac
ssh -Q kex

Nmap Scanning

Check Authentication Methods

nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>

Check Supported Encryption Algorithms

nmap -p 22 --script ssh2-enum-algos <target>

Check Supported SSH Versions

nmap -p 22 -sV -sC <target>

Retrieve Host Key

nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=all <target>

SSH Port Forwarding

Local SSH Port Forward

Let’s say a remote host has an application listening on localhost:3000 and you want to connect to it from your local computer. Perhaps it’s a database listening on localhost and you don’t want it exposed to the network/internet.

Using a Local Port Forward we can setup a listener on our local computer, which when we connect to will go through the SSH tunnel to the listener on the remote host.

Here is the command that will allow us to do that:

ssh -L 1337:localhost:3000 USER@REMOTE_HOST_IP

This command will setup a listener on your local machine on localhost:1337. Connecting to this will be the same as if you connected to localhost:3000 on the remote host.

Remote SSH Port Forward

Let’s say you have an application listening on localhost:9595 on your local computer and your friend wants to connect to your application. However, both you and your friend home networks are behind CGNAT so you can’t directly connect to each other or setup normal router port forwards.

With an additional internet facing server (VPS such as an EC2 instance), you can do the following:

On your computer:

ssh -R 9000:localhost:9595 USER@REMOTE_HOST_IP

This command will setup a listener on the remote host on localhost:9000. Connecting to the remote host on localhost:9000 will be the same as if you connected to localhost:9595 on your local machine.

This situation is now the same as a Local Port Forward. The remote host is now listening on localhost:9000. Your friend can now create a new listener on their computer using a Local Port Forward.

On your friends computer:

ssh -L 1337:localhost:9000 USER@REMOTE_HOST_IP

Gateway Ports

For the above example we had todo two port forwards, this isn’t ideal is some cases. Ideally we would like to setup a listen on a specific interface or on However, when we do an SSH Port Forward, the default listener is on To change this and allow it to listen on all interfaces, we need to enabled the GatewayPorts options on the SSH Server and restart it.

Dynamic SSH Port Forward

When setting up a dynamic SSH port forward, a SOCKS server is created that is enclosed by an SSH tunnel. This allows arbitrary TCP connections to be proxies through the target server.

For example, if you were in on network and needed to access resources that were only accessible through a jump host, you could use a dynamic SSH port forward to access them. After setting up the port forward with the below command, a SOCKS proxy server will be listen on port 1080 (the default SOCKS port) on the local computer. Arbitrary programs can now use the SOCKS proxy to access the restricted resources as the connections will be coming from the jump host (which is allowed to communicate with said resources).


A SOCKS proxy can also be setup through an RDP connection using the SocksOverRDP tool from NCC Group. This version of the RDP client may need to be used for the latest version of RDP

This post is licensed under CC BY 4.0 by the author.