When I first heard the term SSH Tunneling, I imagined some kind of secret underground network built by hackers.
The reality is much simpler.
SSH Tunneling is basically creating a secure path between two computers and then sending other traffic through that path.
Think of it as a private tunnel that nobody else can easily see inside.
Once you understand that idea, everything else starts making sense.
First, What Is SSH?
SSH stands for:
Secure Shell
It allows you to remotely control another machine.
Example:
ssh user@server.com
You connect to a remote server and get a terminal.
You can:
Run commands
Create files
Install software
Manage servers
All securely encrypted.
The Normal SSH Connection
Suppose you have:
Laptop
|
Internet
|
Server
You connect:
ssh user@server.com
and get a terminal.
Simple.
Most people stop learning here.
But SSH can do much more.
The Secret Superpower
SSH can transport more than terminal commands.
It can transport:
Web traffic
Database traffic
Remote desktop traffic
Application traffic
Almost anything
through the encrypted connection.
This is called:
SSH Tunneling
Why Does SSH Tunneling Exist?
Imagine a company database.
The database runs on:
10.0.0.5
Port 3306
The company does NOT want this database exposed to the internet.
So the firewall blocks everyone.
Good security.
But now a system administrator working remotely needs access.
What should they do?
Expose the database?
No.
Use SSH Tunneling.
Think Of A Tunnel Through A Mountain
Imagine two cities separated by a mountain.
Without a tunnel:
City A
^
Mountain
^
City B
Travel is difficult.
Now build a tunnel:
City A
|
Tunnel
|
City B
Everything passes through safely.
SSH Tunneling works exactly like that.
Local Port Forwarding (The Most Common Type)
This is the SSH tunnel most people encounter first.
Suppose:
Your Laptop
connects to:
Server
using SSH.
The server can access:
Database
10.0.0.5:3306
that your laptop cannot reach directly.
Without SSH Tunnel
Laptop
X
Database
Connection blocked.
With SSH Tunnel
Laptop
|
SSH Tunnel
|
Server
|
Database
Now traffic can travel through the SSH connection.
Real Command
ssh -L 3306:10.0.0.5:3306 user@server.com
Looks scary.
Let's decode it.
What Does This Mean?
-L
means:
Local Port Forwarding
This part:
3306
means:
Open local port 3306 on my laptop.
This part:
10.0.0.5:3306
means:
Have the SSH server forward that traffic to the database at 10.0.0.5:3306.
So the command really means:
"Anything I send to my laptop's port 3306 should travel through SSH and end up at 10.0.0.5:3306."
Visualizing It
Before:
Laptop
X
Database
After:
Laptop
|
localhost:3306
|
SSH Tunnel
|
Server
|
10.0.0.5:3306
Now your laptop thinks the database is local.
Pretty cool.
A Web Server Example
Suppose a web application is running on:
127.0.0.1:8080
inside a remote server.
Nobody else can reach it over the network.
Not even you, from your laptop.
Because it only listens on the server's loopback address.
SSH Tunnel:
ssh -L 9999:127.0.0.1:8080 user@server.com
Now:
localhost:9999
on your laptop becomes:
127.0.0.1:8080
on the remote server.
Open browser:
http://localhost:9999
and the website appears.
Magic?
No.
Tunnel.
Why Pentesters Love SSH Tunnels
Imagine you've compromised a machine inside a network.
That machine can access:
10.10.10.5
10.10.10.10
10.10.10.20
Internal systems.
Your laptop cannot.
Without tunnel:
You
X
Internal Network
With tunnel:
You
|
SSH Tunnel
|
Compromised Host
|
Internal Network
Now you can interact with internal systems through the tunnel.
This concept becomes the foundation for:
Pivoting
Lateral Movement
Internal Enumeration
Post Exploitation
in penetration testing.
Reverse SSH Tunnels
Sometimes the opposite problem exists.
Suppose a machine sits behind NAT.
Nobody can connect to it.
Example:
Home PC
behind a router.
Direct SSH doesn't work.
Instead:
Home PC
|
| Outbound SSH
|
VPS Server
The home PC initiates the connection.
Then the VPS opens a port that leads back through that connection to the home PC.
This is called:
Reverse SSH Tunneling
Very useful when direct connections are impossible.
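The decoding in "What Does This Mean?" and the reverse tunnel described above can both be checked mechanically. The following Python is an added example, not part of the original article: it parses the [bind_address:]port:host:hostport form of -L and -R from an ssh command line and reports which end opens the listening port and whether that port is bound to loopback only. It assumes the default GatewayPorts no when no bind address is given; the -R command and the host vps.example are constructed samples.

```python
import re
import shlex
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Forward:
    listener: str      # end that opens the listening port: "client" or "server"
    bind: str          # requested bind address; "*" means every interface
    listen_port: int
    dest_host: str     # connected to by the other end of the SSH session
    dest_port: int

    @property
    def loopback_only(self):
        return self.bind in LOOPBACK

def parse_forward(flag, spec):
    """Parse the TCP form [bind_address:]port:host:hostport of -L or -R."""
    # Split on ':' except inside a bracketed IPv6 literal such as [::1].
    parts = [p.strip("[]") for p in re.split(r":(?![^\[]*\])", spec)]
    if len(parts) == 3:
        # No bind address: assume the default (GatewayPorts no), loopback only.
        parts.insert(0, "localhost")
    if len(parts) != 4:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    bind, listen_port, dest_host, dest_port = parts
    return Forward("client" if flag == "-L" else "server", bind or "*",
                   int(listen_port), dest_host, int(dest_port))

def forwards_in(command):
    """Return every -L / -R TCP forward requested on an ssh command line."""
    args, found = shlex.split(command), []
    for i, arg in enumerate(args):
        if arg in ("-L", "-R") and i + 1 < len(args):
            found.append(parse_forward(arg, args[i + 1]))
        elif arg[:2] in ("-L", "-R") and len(arg) > 2:
            found.append(parse_forward(arg[:2], arg[2:]))
    return found

if __name__ == "__main__":
    # First command is from the article; the other two are constructed samples.
    for cmd in ("ssh -L 3306:10.0.0.5:3306 user@server.com",
                "ssh -L 0.0.0.0:3306:10.0.0.5:3306 user@server.com",
                "ssh -N -R 2222:localhost:22 user@vps.example"):
        for f in forwards_in(cmd):
            print(f"{f.listener} listens on {f.bind}:{f.listen_port} -> "
                  f"{f.dest_host}:{f.dest_port} loopback_only={f.loopback_only}")
```

A forward whose listener is not loopback only can be reached by other hosts on that network, which is the case worth flagging when reviewing scripts or shell history.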
The Hotel Analogy
Imagine a hotel.
The hotel represents the internet.
You need to secretly move packages between two rooms.
Instead of carrying them through public hallways, you build a private underground tunnel.
Nobody sees:
Where it came from
Where it went
What was inside
The package simply appears on the other side.
That's SSH Tunneling.
A secure private pathway for traffic.
Common Beginner Mistake
Many beginners think:
SSH Tunneling gives you access to things you were never allowed to access.
Not exactly.
SSH Tunneling only allows you to use access that already exists.
If the remote server can reach something, you can potentially send traffic through that server.
The tunnel doesn't create access.
It transports traffic.
The One-Sentence Explanation
If you remember only one thing from this article, remember this:
SSH Tunneling allows you to securely send traffic through an SSH connection as if that traffic originated from the remote machine.
Once this idea clicks, concepts like VPNs, pivoting, jump hosts, remote administration, cloud infrastructure, and penetration testing become much easier to understand.
Because at its core, SSH Tunneling is just a secure traffic tunnel between two places.