N-SSH-PROXYLateral Movement

SSH Dynamic / Reverse Tunnel

ssh -D / -R from a foothold to expose internal services through the attacker host — go-to pivot primitive.

§ Where this technique fits

N-SSH-PROXY is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 5.5 on average.

§ Dossiers chaining this technique

VLAN hopping → cross into production
Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs.
step 5 / 5
SSRF → reach internal Redis → write SSH key → RCE
Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user.
step 6 / 6

§ Where this technique fits

§ Dossiers chaining this technique

VLAN hopping → cross into production

SSRF → reach internal Redis → write SSH key → RCE