How to get the list of SSH tunnels connected with the username used?
The use of ssh -D is not visible to the server. It is only once a socks client connects to the ssh client and request a connection, that the ssh client will ask the server for a forwarding.
Once a connection is fully established, it will be visible on the server. You can see it with netstat -ntp.
It will obviously not be visible with netstat -lntp on the server, because it does not involve any listening sockets.
On the client side running netstat -lntp will show that ssh is listening on the specified port.
Related videos on Youtube
58 : 42
06 : 04
![SSH Tunneling [Explained] | Reverse Shell over the Internet [WAN]](https://i.ytimg.com/vi/dKDgynsTAkw/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBjfK8NOkDinSlzt6iMN4q_yv04Pg)
20 : 24
19 : 54
01 : 27
randunel
Updated on September 18, 2022Comments
-
randunel almost 2 years
The connection is established from Desktop(D) to Server(S) with
ssh -D PORT username@Server.From the Server, the list of ssh users connected can be obtained with
who, but the ssh tunnels are not listed inwhoorw. Also, withnetstat -lnpt | grep ssh, the connected user is not listed.With other commands, such as
ps aux | grep sshorlsof -i -n | egrep '\<ssh\>', a lot more information is retrieved, looking as if more users were connected.Is there a (What is the) reliable way of getting the list of ssh tunnels with their respective users on S, ideally including the IP address of D?
-
Steve Townsend almost 10 yearsss -pltgets you part of the way there.
-
-
randunel almost 10 yearsOh, good catch with the
-lntpvs-ntpoversight. So you are saying that once a socks client connects to the ssh client, it will be visible on the server how, withwho? -
kasperd almost 10 years@randunel No. It will not be visible with thewhocommand, but it will be visible with thenetstat -ntpcommand. The socks client has to say where it wants to connect to first though, if client connects to the port on whichsshis listening without saying where it wants to connect to, nothing will be visible on the server. -
randunel almost 10 yearsYou are correct, the connections are visible. But the information in
netstat -ntpprovides some hints regarding the user connected, but there are too many lines, it seems impossible to filter out the extra lines, so this does not answer my question. Same result would be obtained withlsof, as stated in the question, too much information. -
randunel almost 10 years
netstat -ntpis unreliable, again, because it truncates thePID/Program namecolumn to 19 chars for the whole information. Calling it with-Wdoes not help, since that widens other columns, not this one. I can't see the logged in user in the Program name part on some instances anyway :( so I cannot rely on it -
kasperd almost 10 years@randunel 19 columns is more than enough to get the pid. With the pid you can look up the rest using
ps. Alternatively you can trylsof, which can select sockets to display much more flexibly thannetstat, plus it can display more information. -
Wilhelm Erasmus almost 5 yearsIs it possible to list local and remote ports and addresses on the local ssh client?