Black Hat Python — SSH Tunnelling with Paramiko
Aug 27, 2017 · 2 min read
Chapter 2 ends with an SSH Tunnelling example. This post will show how to tunnel traffic from server to client using SSH. The end goal is to be able to access a machine or service that is reachable from the client using a localhost/ 127.0.0.1 address on the server over the ssh tunnel. This is called reverse port forwarding.

Here is client script.:
And the server:
In my limited testing, I was able to access a webpage on https://127.0.0.1:8888 server side and tunnel the traffic to its destination which is the webserver reachable from the client. The destination is 10.0.0.3 listening on tcp 9005.
Server output:
python3 ch2_rforward_server.py 127.0.0.1 22022[*] Bind Success 127.0.0.1:22022
[*] Incoming TCP connection from 127.0.0.1:57506
[*] SSH Negotiation Success
[*] Authenticating
[*] Success - SSH channel active
[*] Incoming tunneled conenction from 127.0.0.1:57525
[*] Sending 179 bytes via SSH Channel
[*] Sending 1024 bytes via TCP Channel
[*] Sending 175 bytes via TCP Channel
[*] Sending 126 bytes via SSH Channel
[*] Sending 226 bytes via TCP Channel
[*] Incoming tunneled conenction from 127.0.0.1:57529
[*] Sending 179 bytes via SSH Channel
[*] Sending 1024 bytes via TCP Channel
[*] Sending 175 bytes via TCP Channel
[*] Sending 126 bytes via SSH Channel
[*] Sending 226 bytes via TCP Channel
Client Output:
python3 ch2_rforward.py 8888 127.0.0.1 22022 10.0.0.3 9005[*] SSH reverse port forwarding tool started
Enter username: user
Enter password: password
[*] Starting reverse port forwarding
[*] Started. Waiting for tcp connection on 127.0.0.1:8888 from SSH server
[*] Established tcp connection to 10.0.0.3:9005
[*] Sending 179 bytes via TCP socket
[*] Sending 1024 bytes via SSH channel
[*] Sending 175 bytes via SSH channel
[*] Sending 126 bytes via TCP socket
[*] Sending 226 bytes via SSH channel
[*] Established tcp connection to 10.0.0.3:9005
[*] Sending 179 bytes via TCP socket
[*] Sending 1024 bytes via SSH channel
[*] Sending 175 bytes via SSH channel
[*] Tunnel connection is closed
[*] Sending 126 bytes via TCP socket
[*] Sending 226 bytes via SSH channel
Moving on to chapter 3: Raw Sockets and Sniffing!