All posts
August 25, 20223 min read

Nmap SSH Access Proxy: A Practical Guide for Secure Network Exploration

Nmap stands out as a powerful network scanning tool, essential to system administrators, penetration testers, and network engineers. Among its many capabilities is the ability to establish an SSH access proxy. This can be a crucial workflow enhancement for secure network assessments in otherwise restricted environments. In this post, we will explore what an Nmap SSH access proxy is, why it’s useful for network reconnaissance, and how you can use this versatile feature for controlled internal sc

Free White Paper

SSH Access Management + VNC Secure Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Nmap stands out as a powerful network scanning tool, essential to system administrators, penetration testers, and network engineers. Among its many capabilities is the ability to establish an SSH access proxy. This can be a crucial workflow enhancement for secure network assessments in otherwise restricted environments.

In this post, we will explore what an Nmap SSH access proxy is, why it’s useful for network reconnaissance, and how you can use this versatile feature for controlled internal scans.

What is an Nmap SSH Access Proxy?

An Nmap SSH access proxy enables you to conduct network scans through an intermediary system, securely routed over SSH. This is particularly useful in scenarios where your system lacks direct access to a target network, such as when working in secured zones or behind firewalls.

Instead of running Nmap from your local machine and exposing sensitive traffic to the open network, the SSH proxy uses a bounce host to perform scans within the target environment. The result is improved network visibility combined with enhanced security.

Why Use an Nmap SSH Access Proxy?

1. Controlled Access to Restricted Networks

When analyzing segmented or private networks, your system might not have direct access. By establishing a proxy over SSH, you can securely scan these networks as though you were operating from inside the restricted perimeter.

2. Enhanced Security

Sensitive data must not be exposed on unsecured or public networks. An SSH-proxied Nmap scan ensures encrypted communication during network reconnaissance, protecting both source and target environments.

3. Improved Flexibility in Multi-Host Networks

Some environments consist of co-located systems where secondary tools may lack sufficient access. By coupling Nmap's features with an SSH proxy, scans become feasible across complex subnet structures.

How to Set Up an Nmap SSH Access Proxy

Configuring Nmap to leverage SSH for proxied access does not require advanced reconfiguration. Below is a step-by-step guide:

Continue reading? Get the full guide.

SSH Access Management + VNC Secure Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Step 1: Prepare the Bounce Host

Ensure your SSH bounce host can access both the source (your terminal) and the target environment. Confirm its SSH configuration is secure and up-to-date.

Step 2: Build an SSH Tunnel

Run the following command in your terminal to forward traffic via the bounce host:

ssh -f -N -L <local-port>:<target-IP>:<target-port> <user>@<bounce-host-IP>
  • <local-port>: The local listening port.
  • <target-IP>: The IP of the network resource you’re scanning.
  • <target-port>: The forwarded port for scan traffic.
  • <bounce-host-IP>: The IP of your SSH host.

Step 3: Point Nmap to the Tunnel

Once the SSH tunnel is active, direct Nmap to the proxied connection using the -Pn and -sS flags for stealth scanning:

nmap -Pn -sS -p <ports> <localhost>:<local-port>

Here’s what happens:

  • -Pn: Skips host discovery, assuming all target ports are up.
  • -sS: Activates stealth scanning using TCP SYN packets.
  • Ports and destination are routed through your locally forwarded port (localhost:<local-port>).

Advanced Configuration Tips

  • Automate SSH Proxy Setup: Use tools like autossh for persistent connections in dynamic scan scenarios.
  • Port Forwarding for Ranges: If your target analysis covers multiple hosts, configure your SSH tunnel for dynamic port forwarding with the -D flag.
  • Simplify with Config Files: Add proxy settings to your local SSH config to reduce command complexity.

For example, append the following to ~/.ssh/config:

Host bounce-proxy
 HostName <bounce-host-IP>
 User <user>
 LocalForward 9090 <target-IP>:<target-port>

Now, just run:

ssh bounce-proxy

and perform your scans seamlessly.

Streamline Secure Proxies with Hoop.dev

Static SSH configurations can become a bottleneck when pivoting between hosts or managing access permissions in larger organizations. Hoop.dev simplifies SSH access across infrastructure, automating complex routing setups and centralizing identity validation.

You can set up secure connections to proxied environments in minutes, integrating smoothly with your workflows. See how Hoop.dev helps you orchestrate multi-host access while maintaining secure Nmap usage. Try it today and take the headache out of manual SSH configurations.

With an Nmap SSH access proxy, you can efficiently perform secure, high-visibility scans in controlled environments. Ensure your teams are equipped with streamlined tools like Hoop.dev to maximize productivity and operational security.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts