Neon rain pattered on steel plates, fluorescent tubes flickered in perpetual twilight, the city’s network veins pulsed beneath synthetic skin. I watched from the rooftop, circuits humming, firewalls shimmering in phosphorescent haze. In this urban sprawl of data towers and drone patrols I felt the thrill of infiltration, the promise, and danger, of corridor breaches, ghost packets slipping through digital gaps. You are newly awakened in this world, a spark in the machine, learning the tools and rituals of livewire infiltration: SSH, jumps, proxies, pivots, the essential arsenal of the cyber samurai.
Under blinking billboards casting rainbows over cracked pavements I remember my first time with an SSH session, tunnelling, forwarding, chaining hosts. Each tunnel a wormhole, each proxy a mirror into territories unseen, each pivot a gambit into the heart of the beast. The code is my trigger; the network my target. Now I hand over to you, the novice craving the clean slice of knowledge, the understanding to walk through firewalls, not to burn the world down, unless you must.
Understanding SSH, Jumps, Proxies and Pivots
When you SSH (Secure Shell), you create an encrypted channel between a client and a server, ensuring confidentiality and integrity. SSH is used to administer remote machines securely; it supports public‐key authentication, port‐forwarding, tunnelling, and agent forwarding. Frequently you may encounter networks segmented by hosts termed “jump servers” or “jump hosts”. These are bastions through which you SSH to reach more deeply internal systems.
A proxy acts as an intermediary in network communication; common types include HTTP proxies, SOCKS proxies, and reverse proxies. Proxies can redirect, filter, disguise or alter traffic. A pivot occurs when, once you have compromised one system, you route traffic through it to reach further systems otherwise inaccessible. Pivots often combine SSH tunnelling or proxy chaining with port-forwarding to walk laterally within a network.
SSH Jumps: Leveraging Jump Hosts
A jump host is like a gatekeeper in the network fortress. To reach internal servers you might must SSH first into the jump host, then SSH from there into the internal machine. SSH supports this via the ProxyJump or ProxyCommand directives in its configuration.
SSH-Config with ProxyJump
In your ~/.ssh/config you could have:
sshconfig
Host internal-server
HostName 10.0.2.15
User ubuntu
ProxyJump bastion.example.com
Here when you run ssh internal-server, SSH automatically jumps via bastion.example.com. No tedium, no tcpip stepping stones manually.
Manual Jump
Alternatively:
bash
ssh -J [email protected] user@internal-server
Again this uses -J (ProxyJump). If version of OpenSSH is older and lacks -J, one can do:
bash
ssh -o ProxyCommand="ssh -W %h:%p [email protected]" user@internal-server
That’s classic.
Proxies: Chaining, Tunnelling, and SOCKS
A proxy like a mirror in dim corridors reflects traffic invisibly. SOCKS5 is powerful: you can proxy arbitrary TCP, sometimes UDP. Combine proxies with SSH to tunnel traffic.
SSH as SOCKS Proxy
You can turn your local machine into a SOCKS proxy via SSH:
bash
ssh -D 1080 -C -q -N [email protected]
This opens a dynamic port on localhost:1080. Then configure your browser or tool to use SOCKS5 proxy at localhost:1080, diverting traffic through remote-proxy.example.com. Useful for bypassing local network restrictions, reaching into enclaves.
Interactive tools (curl, curl‐based, Python requests) can also use SOCKS proxies.
Example Python with Proxy
python
import requests
proxies = {
"http": "socks5h://localhost:1080",
"https": "socks5h://localhost:1080"
}
response = requests.get("https://internalservice.example.com", proxies=proxies)
print(response.status_code, response.text[:200])
Use caution: always respect legal and ethical boundaries. Misuse of proxies can be malicious.
Pivoting: Lateral Movement Inside Networks
Pivoting occurs after you compromise a host inside the network. That host becomes your springboard. You use port-forwarding, proxy chains or VPNs to reach other segments, stealthily moving without exposing your origin.
Local Port Forwarding (L-forward)
You can forward a port from your local machine through the compromised host to a target inside the network:
bash
ssh -L 9000:target.internal:80 [email protected]
Then accessing http://localhost:9000 connects you to target.internal:80 via the compromised host.
Remote Port Forwarding (R-forward)
If you need to expose a service inside the internal network to your attacking machine (or another external machine), you use remote port forwarding:
bash
ssh -R 9001:internal.service:22 [email protected]
Now connections to compromised.host.com port 9001 get forwarded to internal.service:22. Use this carefully; opening remote ports can attract detection.
SSH-Jump Pivot Chain Example
Suppose you have:
- Public bastion
bastion.example.com(accessible from internet) - Internal compromised host
compromised.example.com(not directly reachable from your laptop) - Final target service
service.internal.example.com
You could chain:
bash
ssh -J [email protected] [email protected] -L 8080:service.internal.example.com:80
Then locally browse http://localhost:8080 to reach the internal service.
Defending and Auditing: What Security Teams Watch Out For
While these tools empower attackers, defenders use them too for penetration tests or red teaming. As an ethical learner you must understand detection and mitigation.
- Auditing SSH logs (
/var/log/auth.log,/var/log/secure) for unusual ProxyJump usage or agent forwarding. - Restricting jump hosts’ ability to SSH onward; disable agent forwarding where unnecessary.
- Network segmentation and ACLs so compromised hosts cannot reach certain internal segments.
- Monitoring for open ports or remote forwarding, perhaps using intrusion detection systems.
Ethical Use and Responsible Discovery
These techniques are powerful; in untrained or malevolent hands they are tools of chaos. Always test in controlled environments, with explicit permission. Never misuse compromised hosts to access private systems you do not own or have a consent agreement for. Some of the code snippets shown here can be used for illicit purposes; ensure your actions align with law and ethical codes of conduct.
Mastering SSH, Jumps, Proxies and Pivots: A Practical Guide
Aim
You will learn how to use Secure Shell (SSH) to navigate through complex networks using jumps, proxies and pivots. Practical examples will guide you to set up intermediate hosts, tunnel traffic, and pivot into internal systems securely.
Learning outcomes
By the end you will be able to:
- configure SSH jump-hosts to reach remote hosts through intermediate machines
- use SSH local, remote and dynamic tunnels as proxies
- pivot through compromised or trusted machines to access target subnets
- combine SSH and proxychains or SOCKS for flexible proxying
- write small scripts to automate SSH tunnelling and pivot setup
Prerequisites
You will need:
- a Linux or macOS environment (or Windows with WSL or Cygwin)
- SSH client (ssh) and SSH server (sshd) installed on relevant machines
- basic familiarity with command-line usage, keys, ports and networking
- at least three machines: your local host, an intermediate host (jump-host) and a target machine inside a protected network
Step-by-Step Guide
1. Generate SSH key pair and configure authorised keys
bash
ssh-keygen -t ed25519 -C "[email protected]"
ssh-copy-id [email protected]
2. Simple SSH jump using the -J option
bash
ssh -J [email protected] [email protected]
3. Config file for repeated jumps
Edit ~/.ssh/config:
text
Host jumphost
HostName jumphost.example.com
User user
Host target
HostName target.internal.net
User user
ProxyJump jumphost
Then connect with:
bash
ssh target
4. SSH local-port forwarding (forwarding remote service to local machine)
bash
ssh -L 8080:target.internal.net:80 [email protected]
Then access http://localhost:8080 on your local computer to reach the target’s web server.
5. SSH remote-port forwarding (forward local service to remote host)
bash
ssh -R 9090:localhost:3000 [email protected]
Remote users connecting to jumphost:9090 will reach localhost:3000 on your local host.
6. Dynamic port forwarding (SOCKS proxy)
bash
ssh -D 1080 [email protected]
Configure your applications or proxychains to use SOCKS5 via localhost:1080.
7. Pivoting through a compromised intermediate host
On your local host:
bash
ssh -J [email protected] [email protected]
Then on pivot.internal.net run:
bash
ssh -L 2222:target.internal.net:22 [email protected]
Back on your local:
bash
ssh -p 2222 localhost
8. Automate with Bash script
bash
#!/bin/bash
JUMP="[email protected]"
TARGET="[email protected]"
LOCAL_PORT=2222
ssh -f -N -L ${LOCAL_PORT}:target.internal.net:22 ${JUMP}
ssh -p ${LOCAL_PORT} localhost
Save as pivot.sh, make executable (chmod +x pivot.sh) and run.
9. Proxy chaining using proxychains or similar tools
Install proxychains, then in its config set:
text
[ProxyList]
socks5 127.0.0.1 1080
Then prefix commands:
bash
proxychains curl http://target.internal.net
10. Security and cleanup best practice
- use SSH key-based authentication with passphrases
- disable root login and password authentication in
sshd_configon intermediate hosts - regularly close tunnelling sessions and kill lingering background processes
- monitor logs for unauthorised SSH port forwards
You now have hands-on skills in using SSH for jumps, proxies and pivots. Practice in lab environments to reinforce learning.
You are now equipped with the core concepts: SSH channels, jump hosts, proxies, pivots, they form the latticework of modern cyber operations. Walk through the neon maze with intention, work on small labs, experiment safely. The machine’s heartbeat is yours to understand.