SPICE | SSH Tunneling Guide - UMCST/SPICE-user-info GitHub Wiki

Quick Reference

Use this argument to start a tunnel:

-L [LOCAL PORT]:[DESTINATION IP]:[DESTINATION PORT]

Introduction

SSH, at its core, is a method of sending data over an encrypted tunnel. SSH tunneling, or SSH port forwarding, uses this tunnel to transfer data between ports. While SSH is often used for remote access and file transfer, it can also forward ports from other hosts that the SSH server has access to. SSH tunneling can also be used to secure data exchanged between two hosts, so that no one can intercept the data.

In the scope of SPICE and various competition prep environments used by UMCST, SSH tunneling is used to access ports within a private network that only the SSH server can access. Some examples include accessing remote desktop (RDP) for internal Windows boxes and accessing web clients (HTTP/S) from within a private network, such as Wazuh.

SSH tunneling can be done by using the -L argument in your SSH command. A local port, a destination IP, and a destination port then have to be given in this format:

-L [LOCAL PORT]:[DESTINATION IP]:[DESTINATION PORT]

Example

This may be a little confusing for those who are new to either SSH or port forwarding, so let’s try an example scenario.

Let’s say that there’s a Windows workstation running in a private subnet that your local machine does not have access to. You do have access, however, to a jumpbox located at jump.testhosts.net that happens to have access to this workstation. To be able to RDP into this workstation, you will have to tunnel the workstation’s RDP port through the jumpbox into a local port on your machine.

NOTE: This local port can technically be any port above 1024, but a good practice is to add a 1 in front of whatever port you are using, for example, using 13389 for the local port when receiving tunneled data from port 3389.

To tunnel the RDP port into your local machine in this specific scenario, use this command:

[Screenshot: the SSH command for this scenario]

After putting in credentials for the server, there should now be a tunnel between the destination port and the local port. This means that you may now access the workstation using localhost:13389 on any RDP client.
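The following is an added example, not part of the original guide: a small shell helper that applies the "add a 1 in front" port convention and prints an `ssh -L` command for the jumpbox scenario, with the listener pinned to loopback. The workstation IP `10.0.0.25`, the username `student`, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an `ssh -L` command for the jumpbox scenario above.
# Function names and sample values are illustrative, not from the guide.

# Apply the guide's "put a 1 in front" convention to choose a local port.
# Fails when the result is not a valid unprivileged port (1025-65535),
# e.g. 22 -> 122 (needs root) or 55000 -> 155000 (out of range).
local_port_for() {
    local dest_port="$1" candidate
    case "$dest_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$dest_port" -ge 1 ] && [ "$dest_port" -le 65535 ] || return 1
    candidate="1${dest_port}"
    [ "$candidate" -gt 1024 ] && [ "$candidate" -le 65535 ] || return 1
    printf '%s\n' "$candidate"
}

# Print the ssh command that forwards 127.0.0.1:<local port> to
# <dest_ip>:<dest_port> through the jumpbox. The command is printed rather
# than executed so it can be reviewed before it is run.
tunnel_cmd() {
    local jump="$1" dest_ip="$2" dest_port="$3" local_port
    local_port=$(local_port_for "$dest_port") || {
        echo "choose a local port above 1024 by hand for port $dest_port" >&2
        return 1
    }
    # 127.0.0.1 : keep the listener on loopback so other hosts on your
    #             network cannot connect through your tunnel.
    # -N        : forward only, do not open a shell on the jumpbox.
    # ExitOnForwardFailure=yes : exit with an error if the local port is
    #             already in use instead of connecting without the forward.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$dest_ip" "$dest_port" "$jump"
}

# Constructed values: 10.0.0.25 stands in for the workstation's private IP
# and "student" for your account on the jumpbox.
tunnel_cmd student@jump.testhosts.net 10.0.0.25 3389
```

While the printed command is running, `ss -ltn` (Linux) or `netstat -an` should show port 13389 listening on 127.0.0.1 only.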