Network segmentation is common in the enterprise and is becoming more common in smaller environments. If I compromise a box in my local segment and that box has access to another segment, I can use port forwarding to leapfrog across.

The typical example has us making an actual connection, which ties up one of our terminal sessions with an open ssh connection. Fine, we can spawn a bunch of terminal sessions, but we can also background it.

Let's say I compromise a *nix machine and, when I scan the remote segment, I see a Windows machine with an open FTP server. I execute the following command:

ssh -L 127.0.0.1:10021:192.168.15.20:21 <user>@192.168.100.10 -f -N

Spelling this out a bit --

I'm opening a listener on my localhost on port 10021. Anything that connects to it is forwarded to the FTP port (21) on the remote segmented machine at 192.168.15.20. The traffic passes through the compromised machine on my local segment at 192.168.100.10, and -f -N puts ssh in the background without running a remote command.

If you execute:  

ps -ef | grep ssh

You should see your connection listed:

root      6390     1  0 13:48 ?        00:00:00 ssh -L 127.0.0.1:10021:192.168.15.20:21 <user>@192.168.100.10 -f -N

Now you should be able to run the following:

ftp 127.0.0.1 10021
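
The ps listing above is also how a backgrounded forward gets noticed on a host: it is an ssh process with no terminal and a -L argument. As an added example (not code from the original post), this Python script parses `ps -ef` text and reports each `-L` forward it finds; the sample lines are constructed, `user` is a placeholder login, and only IPv4/hostname forward specs are handled.

```python
import shlex

# Constructed sample shaped like `ps -ef` output; "user" is a placeholder login.
SAMPLE_PS = """\
root  6390     1  0 13:48 ?      00:00:00 ssh -L 127.0.0.1:10021:192.168.15.20:21 user@192.168.100.10 -f -N
root  6401  6200  0 13:50 pts/1  00:00:00 ssh user@192.168.100.10
root  6410     1  0 13:52 ?      00:00:00 ssh -fNL10080:192.168.15.20:80 user@192.168.100.10
root  6422  6200  0 13:53 pts/1  00:00:00 grep ssh
"""
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")  # ssh(1) short options that consume a value

def parse_ssh_argv(argv):
    """Return (-L specs, flag letters seen, destination) for one ssh command line."""
    forwards, flags, dest, i = [], set(), None, 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if not arg.startswith("-"):
            if dest is not None:
                break                      # a second bare word starts the remote command
            dest = arg
            continue
        for pos, ch in enumerate(arg[1:], start=1):
            flags.add(ch)
            if ch in TAKES_ARG:
                value = arg[pos + 1:]      # attached form, e.g. -L10080:host:80
                if not value and i < len(argv):
                    value, i = argv[i], i + 1
                if ch == "L":
                    forwards.append(value)
                break                      # the rest of this word was the value
    return forwards, flags, dest

def find_local_forwards(ps_text):
    """One finding per -L forward found in `ps -ef` style text."""
    findings = []
    for line in ps_text.splitlines():
        cols = line.split(None, 7)         # UID PID PPID C STIME TTY TIME CMD
        argv = shlex.split(cols[7]) if len(cols) == 8 else [""]
        if argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        forwards, flags, dest = parse_ssh_argv(argv)
        for spec in forwards:
            parts = spec.split(":")        # [bind_address:]port:host:hostport
            if len(parts) in (3, 4):       # socket and IPv6 forms are skipped
                findings.append({"pid": int(cols[1]), "via": dest, "detached": cols[5] == "?",
                                 "no_command": "N" in flags, "listen_port": int(parts[-3]),
                                 "target": parts[-2] + ":" + parts[-1]})
    return findings
```

Calling `find_local_forwards(SAMPLE_PS)` returns one record per forward, including the clustered `-fNL...` form that a plain grep for "-L " would miss.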