Where It All Started.


Life, Stock Trading, Investments, Business and Startup. Most are programming stuff.

Tag: networking

Tunnel In Existing SSH Connection

Remote work is a blessing and sometimes a nightmare, depending on your line of work. I’ve been in a situation where I was connected to a remote workstation but, due to some technicalities, I was not allowed to disconnect the current SSH [1] connection or create a new one. And that is where the problem lies: I needed to tunnel a service from the remote workstation to my local machine.

So here’s how I did it!

The real voyage of discovery consists not in seeking new landscapes, but in having new eyes.

— Marcel Proust.

So where do we start?

Once you have an existing SSH session open using the default OpenSSH [2] client, to open a tunnel simply type <enter>~C, where <enter> is the Enter (Return) key on your keyboard.

~ (tilde) is SSH’s default EscapeChar. You press <enter> first because the client only recognises the escape character at the start of a line, then the ~ escape character, then any one of a number of options.

If all goes well it will bring up a new prompt (ssh>) associated with your local SSH client, which accepts a subset of the SSH command flags, including -R and -L.

To map a server-side service to your local workstation you use the -L flag. Its argument is [bind_address:]port:host:hostport: bind_address is optional, port is the port that will listen on your local machine, and host:hostport is where the remote SSH server will connect on your behalf.

If you want to map a local service and tunnel it to the remote server, you use the -R flag. It takes the same argument form as -L, but the port is opened on the remote server and connections to it are forwarded to host:hostport from your local machine.

For example, say I want to forward a website served by Nginx on the remote server (port 80) and access it locally, bound to the local loopback address. What I do is type <enter>~C, then -L 8080:localhost:80<enter>; after that I immediately gain access to the site by browsing to localhost:8080 on my local machine. Note the order: the local listening port comes first, so -L 80:localhost:8080 would forward the other way round (and binding local port 80 would also need root).
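Because the -L argument is easy to get backwards, here is an added helper script (mine, not from the original post) that composes the spec you type at the ssh> prompt and explains which end listens; the function names forward_spec and explain_spec are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build and explain the argument
# you type at the ~C prompt, so the [bind_address:]port:host:hostport order
# is right before you commit to it.

is_port() {  # accept 1..65535, digits only
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec -L|-R PORT HOST HOSTPORT [BIND_ADDR]
# Prints e.g. "-L 8080:localhost:80" (the post's Nginx case).
forward_spec() {
  flag=$1 port=$2 host=$3 hostport=$4 bind=${5:-}
  case "$flag" in -L|-R) ;; *) echo "flag must be -L or -R" >&2; return 1 ;; esac
  is_port "$port" && is_port "$hostport" || { echo "bad port" >&2; return 1; }
  [ -n "$host" ] || { echo "missing host" >&2; return 1; }
  if [ -n "$bind" ]; then
    printf '%s %s:%s:%s:%s\n' "$flag" "$bind" "$port" "$host" "$hostport"
  else
    printf '%s %s:%s:%s\n' "$flag" "$port" "$host" "$hostport"
  fi
}

# explain_spec "-L 8080:localhost:80" -> one line saying which end listens.
# -L: the port opens on YOUR machine; the ssh server connects to host:hostport.
# -R: the port opens on the SERVER; your ssh client connects to host:hostport.
explain_spec() {
  flag=${1%% *}; spec=${1#* }
  # strip an optional bind address: keep only the last three fields
  hostport=${spec##*:}; rest=${spec%:*}
  host=${rest##*:}; rest=${rest%:*}
  port=${rest##*:}
  case "$flag" in
    -L) printf 'local port %s -> remote side connects to %s:%s\n' "$port" "$host" "$hostport" ;;
    -R) printf 'remote port %s -> local side connects to %s:%s\n' "$port" "$host" "$hostport" ;;
    *)  echo "unknown flag $flag" >&2; return 1 ;;
  esac
}

# The post's case: remote Nginx on 80, browse it at localhost:8080 locally.
explain_spec "$(forward_spec -L 8080 localhost 80)"
# prints: local port 8080 -> remote side connects to localhost:80
```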

To get the full list of escape sequences that the OpenSSH client accepts, type <enter>~?:

Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice

That’s all guys. 🐲

Conclusion

Most command line tools have flags you probably haven’t explored. So try to explore each one to become proficient on the platform you are currently working on. Just like programming, you won’t memorize them in a day, but to truly know a tool’s capabilities you must use it in a very dire situation.

This OpenSSH [2] escape sequence is really helpful for DevOps and software engineers (for software development).

Let me know in the comments if you have questions or queries, you can also DM me directly.

Follow me for similar articles, tips, and tricks ❤.


  1. SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. ↩︎
  2. OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture. ↩︎

Top 10 NMAP Flags That I Use Daily

It is not the monsters we should be afraid of; it is the people that don’t recognize the same monsters inside of themselves.

— Shannon L. Alder.

If you’re a network IT (Information Technology) engineer or cybersecurity professional, you surely know about the tool nmap.

The tool nmap, which stands for Network Mapper [1], is an open source tool for network discovery and is mostly used for security auditing. I’ve been using this tool for many years and these are my favorite command line flags:

Skip reverse DNS call

This flag is helpful if you don’t want the extra milliseconds spent fetching records from a DNS server, or in a specific scenario where only the internal cached hosts file should be consulted.

nmap -n scanme.nmap.org

Stop ping checks

The -PN flag (spelled -Pn in current nmap releases; the old spelling is still accepted) tells nmap to treat the host as online, skipping the check of whether it is alive through ping [2]. This is particularly useful in situations where you know the target’s firewall blocks all ICMP (Internet Control Message Protocol) [3].

nmap -PN scanme.nmap.org

Fingerprint scan

The -sV flag is useful, especially in network auditing, for determining what is listening on the open ports. The command probes the target machine’s ports and guesses the service (including the service version) that is running on each one.

nmap -sV scanme.nmap.org

Finding live host

This command is specifically useful for network engineers who want to know which hosts on the network are alive. The notation below tells nmap to scan the given subnet [4] with host-discovery probes only (ICMP echo requests, plus ARP requests when the subnet is on the local Ethernet segment) and return the list of hosts that responded. -sP is the older spelling of today’s -sn.

nmap -sP 192.168.1.1/24

Scan using specified network interface

If you have multiple NICs (Network Interface Controllers) [5] and you want to send the scan out through a specific NIC, this is the solution. Normally nmap, or any other tool that uses the network, would follow the OS’s designated route (determined by the routing table and preferred gateway). The -e flag tells nmap to use that specific interface to perform the scan.

nmap -e eth0 scanme.nmap.org

SYN ping scans

The SYN ping sends a TCP SYN packet to the target machine and checks whether it answers; either a SYN/ACK (port open) or a RST (port closed) proves the host is alive. This is one of the default ways nmap checks whether a host is up.

nmap -sP -PS scanme.nmap.org

ACK ping scans

The ACK ping is the opposite of SYN: this scan sends an ACK (acknowledge) packet to the target machine and waits for the RST it should reply with. Most modern stateful firewalls drop such a packet if it is not associated with a three-way handshake.

nmap -sP -PA scanme.nmap.org

UDP port scans

This UDP [6] ping is helpful when you know the target machine only blocks TCP packets. The flag sends a UDP packet to a port on the machine (by default one that is likely closed, so an ICMP port-unreachable reply is what proves the host is up) and checks whether the target machine responds.

nmap -sP -PU scanme.nmap.org

IP (Internet Protocol) ping scans

This particular scan is special in that it sends IP packets with the specified protocol number in their IP header. It is also special in that if you don’t supply a protocol number it sends several packets: ICMP, IGMP, and IP-in-IP.

nmap -sP -PO scanme.nmap.org

ARP ping scans

This particular scan is mostly useful on a LAN. It sends an ARP request for each address and lists the address or addresses that answered the broadcast request.

nmap -sP -PR scanme.nmap.org

Mostly, that’s all. I’ve used other flags, but these are my most used command flags for nmap.
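As an added example (not from the original post), the script below combines the discovery flags above into one sweep of a subnet you administer and reduces nmap’s grepable output to the hosts missing from an asset list; the sample scan output, the KNOWN_HOSTS list and the function names are constructed for this example, and -sn stands in for the post’s older -sP.

```shell
#!/bin/sh
# Added example, not from the original post. Combines the post's discovery
# flags into one inventory sweep of a subnet you administer and reduces nmap's
# grepable output (-oG) to a list of live hosts you can compare with your
# asset list. -sn is the current spelling of the post's -sP (no port scan).

# discovery_cmd SUBNET [IFACE]: print (do not run) the nmap command line.
# -n skips reverse DNS; -PE/-PS/-PA/-PU/-PR are the ICMP echo, TCP SYN, TCP
# ACK, UDP and ARP probes from the post, so a host that drops one probe type
# is still found by another. -oG - writes grepable output to stdout.
discovery_cmd() {
  opts="-n -sn -PE -PS22,80,443 -PA80 -PU40125 -PR -oG -"
  [ -n "$2" ] && opts="$opts -e $2"
  printf 'nmap %s %s\n' "$opts" "$1"
}

# live_hosts GREPABLE_TEXT: one IP per line for every "Status: Up" host.
live_hosts() {
  printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# unexpected_hosts GREPABLE_TEXT KNOWN_IPS: live hosts missing from the
# newline-separated KNOWN_IPS list, i.e. devices your inventory does not know.
unexpected_hosts() {
  live_hosts "$1" | awk -v known="$2" '
    BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
    !($1 in seen) { print $1 }'
}

# Constructed sample of -oG output (not a real scan); field separators are
# spaces here where real output uses tabs, which awk treats the same way.
SAMPLE_GREPABLE='# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 ()   Status: Up
Host: 192.168.1.20 ()  Status: Up
Host: 192.168.1.37 ()  Status: Up
Host: 192.168.1.50 ()  Status: Down
# Nmap done: 256 IP addresses (3 hosts up)'

# Constructed asset list: the router and one workstation are expected.
KNOWN_HOSTS='192.168.1.1
192.168.1.20'

discovery_cmd 192.168.1.0/24 eth0
unexpected_hosts "$SAMPLE_GREPABLE" "$KNOWN_HOSTS"
# prints: 192.168.1.37
```

In practice you would pipe a real `discovery_cmd` run into `unexpected_hosts` in place of the constructed sample.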


  1. Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). ↩︎
  2. Ping measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source. The name comes from active sonar terminology that sends a pulse of sound and listens for the echo to detect objects under water. ↩︎
  3. The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached. ↩︎
  4. A subnetwork or subnet is a logical subdivision of an IP network. ↩︎
  5. A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network. ↩︎
  6. The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths. ↩︎

Windows Network Discovery Using Built-in Tools

Success is neither magical nor mysterious. Success is the natural consequence of consistently applying basic fundamentals.

— E. James Rohn.

Hi guys, last week I worked on a vanilla Windows 10 client computer without internet access but connected to a LAN with many computers.

I asked myself how to get all the alive computers in the network using only built-in tools from Windows.

Here are the things I did in order to accomplish this feat.

First, I pinged the broadcast IP using ping <broadcast ip> -t -i 4. This pings the broadcast address, which spreads the message to all active computers in the network. After that, wait around 5-10 seconds and run the follow-up command, arp -a. The arp command reads the Address Resolution Protocol cache and lists its entries.

On Windows ping, -i sets the packet TTL (here 4 hops) rather than the IP version; to restrict ping to IPv4 (Internet Protocol Version 4) use the -4 switch, and -t keeps pinging until you stop it. That’s all there is to it. Check the built-in help of the commands (ping /? and arp /?) for different flag combinations.

Originally posted on August 18, 2019