SSH, Nmap, and Proxychains

This post demonstrates how to use SSH to create a tunnel to proxy a scan through a host into an internal network.

Let’s say you discover SSH credentials to an internal system and you gain access as a non-privileged user via SSH.


Eventually I’ll want to scan the internal network to see what else is there, but the target machine does not have any scanning tools installed. However, since I have SSH credentials, I can create an SSH tunnel and proxy a scan through the tunnel.

I’ll use the command:

ssh username@ -D 9050 -N -f

Which will create a tunnel starting at port 9050 on my local host to the target machine, The -N and -f indicate that I do not want to run a command and want to fork into the background. I chose port 9050 because it is the default port for the proxychains tool, which will be used to proxy an nmap scan through the tunnel into the internal network. You can use other ports, just be sure to edit the bottom of the /etc/proxychains.config file to read socks4 [port].

Now that the tunnel is set up I can scan the internal network looking for webservers:

proxychains nmap -n -sT -p 80

and I get a hit!

Nmap scan report for
Host is up (0.00085s latency).
80/tcp open  http
MAC Address: 00:0C:29:26:3D:5D (VMware)

Now I have discovered a new host to attack!


Next step: Create an SSH tunnel to proxy my web browser, so I can browse to the internal site…

Leave a Reply

Your email address will not be published. Required fields are marked *