From 198a70ae8983084db7a1ed9973e86214bcff9cf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Faisal=20Fs=20=E2=9A=94=EF=B8=8F?= <51811615+faisalfs10x@users.noreply.github.com> Date: Thu, 13 Apr 2023 04:14:51 +0800 Subject: [PATCH] Update README.md SSH pivoting via ProxyJump --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index 6283674..5237be0 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [SSH tunnel](#ssh-tunnel) 1. [SSH socks5 tunnel](#ssh-socks-tunnel) 1. [SSH to NATed host](#ssh-j) + 1. [SSH pivot via ProxyJump](#ssh-pj) 1. [Network](#network) 1. [Discover hosts](#discover) 1. [Tcpdump](#tcpdump) @@ -301,6 +302,28 @@ ssh -J 5dmxf27tl4kx@ssh-j.com root@5dmxf27tl4kx ``` The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind NAT. The traffic is end-2-end encrypted and ssh-j.com can not see the content. + +**2.v SSH pivoting to multiple servers** + +SSH ProxyJump trick can save you a lot of time and hassle when working with remote servers. Let's assume the scenario as below. +We have $local-kali behind NAT, we want to ssh into $target-host without interactively login to each intermediary servers. +The route is; we can SSH to C2, the C2 can SSH to internal-jumphost via internal IP(eth1) and internal-jumphost can SSH to target-host via eth2. +``` + $local-kali -> $C2 -> $internal-jumphost -> $target-host +eth0 192.168.8.160 10.25.237.119 +eth1 192.168.5.130 192.168.5.135 +eth2 172.16.2.120 172.16.2.121 +``` +``` +# if we want to SSH to $target-host: +kali@local-kali$ ssh -J c2@10.25.237.119:22,jumpuser@192.168.5.135:22 target@172.16.2.121 + +# if we want to SSH to $internal-jumphost: +kali@local-kali$ ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135:22 +``` + + + --- ## 3. Network
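Review bot: the new table-of-contents entry `1. [SSH pivot via ProxyJump](#ssh-pj)` in the first hunk links to an anchor that this patch never defines. The section it points at is added in the second hunk as bold text (`**2.v SSH pivoting to multiple servers**`), not as a heading, and no `ssh-pj` anchor of the kind the neighbouring `#ssh-j` entry relies on is added anywhere in the diff, so the link is dead as submitted. Suggest adding the anchor in the same form the README already uses for `#ssh-j`, and using one title in both places: the TOC says "SSH pivot via ProxyJump" while the section itself says "SSH pivoting to multiple servers".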
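Review bot: the second command in the new section, `kali@local-kali$ ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135:22`, will not work as written, because `:port` is only valid inside the `-J` jump list; on the final destination ssh treats `192.168.5.135:22` as a hostname and fails to resolve it. It should read `ssh -J c2@10.25.237.119:22 jumpuser@192.168.5.135` (or pass `-p 22` explicitly). Two smaller points in the same hunk: the prose says local-kali is "behind NAT", which is irrelevant here since every hop is an outbound connection from the previous one, and the three blank lines added before the `---` separator are surplus.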