Network Penetration Testing

SSH Tunneling for Pentesters

our services

Establishing a source IP is an important part of most pentest engagements. Many customers want to know your IP for whitelisting purposes.

Using SSH tunneling is a great way to quickly allow multiple pentesters to share an IP with the overhead of VPN servers or clients.

Method 1 – Basic SSH Tunnel with Putty

This method will route your web traffic through the SSH server, allowing your web traffic to masquerade behind your jump box.

Step 1

Add your SSH server’s IP and port

Putty SSH Tunnel

Step 2

Navigate to Connection -> SSH -> Tunnels. Add a local source port, and set Dynamic. This port will open on your local machine; we will later point our browser to use this as the proxy.

Putty Dynamic Port

Step 3

Head back to Session, add a name, and hit save.

Putty save session

Browser Configuration

To make our lives much easier during pentesting activities, we will use foxyproxy to switch back and forth between proxies as needed.

We simply fill in a name, select Socks5, and use port 9999 as the proxy server.

Foxy Proxy

Method 2 – Multi-hop or “Nested” SSH Tunnels

In this example we want to masquerade behind a server which is only accessible via multiple SSH hops. To do this we do the following:

  1. Create an ssh tunnel with local port forwarding. This will use our SSH session to open a tunnel to the second pentest jump box.

  2. We will open a second SSH session to (this now points to our second pentest jump box). This SSH session will use a dynamic tunnel to allow us to masquerade behind the second hop.

Step 1

Create a new profile in Putty to your jump box. This will be the first of two we will need. This time we will add a Local tunnel as follows:

Putty local port forward

Save this profile and open the connection.

Step 2

Create a second Putty profile. This time, the destination is Remember, this is now forwarding to the jump box.

Putty host config

Step 3

Now add the dynamic tunnel to this as we did in method 1.

Multi-hop dynamic tunnel

You should now be able to send your traffic with an origin of (which passes through


Although these methods are used often for pentesting, they can be applied to many other use cases.

  • Application
  • Network
  • Mobile
  • AWS