SSH local forwarding
Scenario: you've compromised a server that has the SSH service enabled and noticed it is connected to a second network where services such as SMB are running. We can create an SSH tunnel (local port forwarding) from Kali to the compromised server: a port is bound on our machine, and everything sent to it is carried over the SSH session and delivered by the compromised server to the SMB host on the other network.
Once the tunnel is up we run our SMB tools against 127.0.0.1 on that port, and the traffic is redirected to the target IP (the remote machine we have no direct route to).
If the target is a newer Windows host (e.g. Server 2016) that has SMB1 disabled, smbclient on an older Kali will fail to negotiate unless it is told to use SMB2. Set this in the [global] section of /etc/samba/smb.conf (the client-side name of the same setting is client min protocol = SMB2):
sudo nano /etc/samba/smb.conf
min protocol = SMB2
sudo /etc/init.d/smbd restart
(smbclient reads smb.conf when it starts, so the restart only matters if a local smbd is running; a running smbd also holds port 445 and will collide with a tunnel bound to the same port.)
Confirm that port 445 on Kali is now held by the ssh process, not by a local smbd:
ss -antp | grep "445"
Running smbclient through the SSH tunnel (127.0.0.1:445 now answers as the remote SMB server):
smbclient -L 127.0.0.1 -U Administrator
SSH remote forwarding
Scenario: you've compromised the machine (low-privileged shell) but inbound SSH is filtered from outside (Kali can't reach the target via SSH), and the target runs another service as root, such as MySQL (3306), that Kali has no route to.
If outbound SSH from the target is not filtered by the firewall, we can open a remote port forwarding tunnel from the target to Kali: the target connects out to Kali's sshd and asks it to listen on a port, and connections to that port on Kali are carried back over the tunnel to MySQL on the target. Kali's SSH service must be running to accept the connection, and by default sshd binds the forwarded port to 127.0.0.1 only (GatewayPorts no), which is what we want here.
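Added example, not part of the original notes: the local-forward (SMB scenario) and remote-forward (MySQL scenario) ssh syntax the two write-ups above rely on, wrapped in shell functions, plus a check that parses `ss -antp` output to confirm the local port is owned by ssh rather than by a local smbd. All addresses, usernames and ports are placeholders, and the ss lines are constructed, not captured.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Builds the two ssh tunnel
# commands the notes describe and checks the local listener the way the
# `ss -antp | grep 445` step does. Hosts, users and ports are placeholders.

# Local forward (typed on Kali). Kali binds LPORT; anything sent to it is
# carried over the SSH session and delivered by JUMP (the compromised
# server) to RHOST:RPORT on the hidden network. 0.0.0.0 makes the listener
# usable from other hosts too; a privileged port such as 445 needs sudo.
local_forward_cmd() {
    local lport="$1" rhost="$2" rport="$3" jump="$4"
    printf 'ssh -N -L 0.0.0.0:%s:%s:%s %s\n' "$lport" "$rhost" "$rport" "$jump"
}

# Remote forward (typed on the compromised target). The target connects out
# to Kali's sshd, which binds KPORT on Kali's loopback (sshd default,
# GatewayPorts no); connections to it are sent back through the tunnel to
# SHOST:SPORT as the target sees it, e.g. 127.0.0.1:3306 for MySQL.
remote_forward_cmd() {
    local kport="$1" shost="$2" sport="$3" kali="$4"
    printf 'ssh -N -R 127.0.0.1:%s:%s:%s %s\n' "$kport" "$shost" "$sport" "$kali"
}

# Reads `ss -antp` output on stdin and prints the name of the process that
# holds the LISTEN socket on PORT ("ssh" when the tunnel is up), or "none".
listener_owner() {
    local port="$1"
    awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            if (match($0, /users:\(\("[^"]+"/)) {
                # users:(("NAME",pid=...)) -> NAME
                print substr($0, RSTART + 9, RLENGTH - 10)
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# Turns the owner into the check a tester actually wants: is the tunnel
# the thing on the port, or did a local service (smbd on 445) grab it first?
tunnel_check() {
    local port="$1" owner
    owner=$(listener_owner "$port")
    case "$owner" in
        ssh)  echo "ok: ssh tunnel listening on $port" ;;
        none) echo "fail: nothing listening on $port, tunnel not up" ;;
        *)    echo "fail: $owner holds $port, stop it and re-run the tunnel" ;;
    esac
}

# Constructed ss output for a self-test (not a real capture).
SAMPLE_TUNNEL_UP='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:445        0.0.0.0:*         users:(("ssh",pid=1234,fd=5))'
SAMPLE_SMBD_CONFLICT='LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=777,fd=33))'

main() {
    echo "# on Kali, towards SMB on the hidden network (placeholder addresses):"
    local_forward_cmd 445 192.0.2.10 445 student@198.51.100.5
    echo "# on the target, towards MySQL on the target itself:"
    remote_forward_cmd 2221 127.0.0.1 3306 kali@198.51.100.2
    printf '%s\n' "$SAMPLE_TUNNEL_UP" | tunnel_check 445
    printf '%s\n' "$SAMPLE_SMBD_CONFLICT" | tunnel_check 445
    echo "# live check on Kali: ss -antp | tunnel_check 445"
}

main
```

Run the printed ssh command with sudo when the local port is privileged. With -R the listener only appears on Kali once the target's outbound session is established, so run the ss check on Kali afterwards and then connect with mysql -h 127.0.0.1 -P 2221.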