The 2026 Refactor: Bending the Pipes

The concept of a tunnel is simple: you wrap one protocol inside another. But as Brennon Thomas demonstrates in The Cyber Plumber's Handbook, the application of that concept is where the magic (and the mischief) happens.

1. The SSH-L "Wormhole" (Local Port Forwarding)

The manual starts with the basics: ssh -L. You take traffic hitting your local machine and warp it through an encrypted tunnel to a remote destination. In the 2026 context, we used to do this to get around basic firewalls, but now it's about bypassing identity-aware proxies. If the AI is monitoring your outbound HTTPS traffic for anomalous patterns, it might miss a steady stream of SSH traffic that is secretly carrying a database exfiltration or a remote desktop session. In the "Ghost" play, you don't connect to the database directly; you pipe the database port to your localhost. To the network logs, you're just a developer working late. To you, the entire internal network is sitting on your machine.

2. The SOCKS Proxy: Proxifying the Unproxifiable

Thomas introduces proxychains combined with an ssh -D SOCKS proxy, allowing you to force tools that don't support proxies (basic scripts, older network scanners) through your tunnel. We are now in the age of geofenced cloud assets. If you need to access a resource that only allows IPs from a specific region, you don't use a commercial VPN; you cyber-plumb a SOCKS proxy through a compromised or rented instance in that region. Using proxychains nmap allows you to scan an internal network from the outside while making it appear that the scan is coming from a trusted jumpbox inside the perimeter.

3. The Reverse Tunnel (-R): The Exploit Callback

This is the most dangerous tool in the plumber's belt: telling the remote server to open a port that tunnels back to you. This is how modern malware survives. Most firewalls are "Default Deny" for incoming traffic but "Allow All" for outgoing. A reverse tunnel looks like an outgoing connection (safe!) but provides a secret door for the attacker to walk back in whenever they want. As Thomas notes, defenders only see the traffic between the target and the jumpbox. Your actual source IP—your Ghost location—remains completely hidden behind the plumbing.
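
Sections 1 through 3 all depend on the SSH server agreeing to forward. As an added example (not from Thomas's handbook or the original post), this Python audits the global section of an sshd_config and reports which of those tunnel types the server permits. The function names and both sample configs are constructed for illustration, and Match blocks are not evaluated.

```python
# OpenSSH defaults that apply when a keyword is absent from sshd_config
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}

def effective_settings(config_text):
    """Global values only; sshd keeps the first value it reads per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # assumption: Match blocks are out of scope here
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings for the tunnel types in sections 1 to 3."""
    s = effective_settings(config_text)
    findings = []
    fwd = s["allowtcpforwarding"]
    if fwd in ("yes", "all", "local"):
        findings.append("local/dynamic forwarding permitted (ssh -L, ssh -D)")
    if fwd in ("yes", "all", "remote"):
        findings.append("remote forwarding permitted (ssh -R)")
        if s["gatewayports"] != "no":
            findings.append("remote forwards may bind non-loopback addresses")
    if s["permittunnel"] != "no":
        findings.append("tun device forwarding permitted")
    return findings

# Constructed sample configs (not taken from any real host)
WEAK = """\
# the duplicate below is ignored: first value wins
AllowTcpForwarding yes
GatewayPorts clientspecified
AllowTcpForwarding no
"""
HARDENED = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no forwarding permitted")
```

On a live host, the output of sshd -T (the effective configuration, defaults included) is a better input than the raw file.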

4. Bending Traffic like a Boss

The plumber mindset is about network fluid dynamics. If one pipe is blocked, you find a different fitting. If SSH is blocked, you tunnel through DNS (high latency, but nearly impossible to stop). If DNS is monitored, you tunnel through ICMP. If the entire network is Zero Trust, you use a Shadowsocks alternative to make your traffic look like random junk data.

The 2026 Verdict: Plumbing is Forever

We are often told that the perimeter is dead, but as long as there are ports and IP addresses, there will be pipes. Brennon Thomas's handbook is a reminder that the most sophisticated AI security in the world is still just a set of rules on a network. If you know how to bend the traffic, you don't have to follow the rules. You aren't hacking the firewall; you're just installing a new set of pipes that the firewall wasn't built to see.


GhostInThePrompt.com // Encryption is the lead. Tunneling is the path. Be the plumber.

References: 'The Cyber Plumber's Handbook' (Thomas, 2018).