Windows – How to forward external port to internal port using plink


For a penetration test where I have shell access to a computer running an old Windows, I'd like to forward port 4450 to because the firewall is blocking 445 externally.

I'm stuck on the following:

plink -L 4450: SSH-Server

According to the documentation I've found, I'd have to specify a SSH-Server. But all documentation I've found just uses an SSH-Server in the same network. To forward it to a localhost port, that wouldn't help.

Do I have to install an SSH-Server on that machine or are there other ways?

Best Answer

If you have an ssh client on the Windows system, and you can establish SSH outbound to a system you control, then you can use a remote port forward, i.e. with option -R. This is effectively the opposite of -L, it sets up a listener on the remote (connected to) and forwards back [sic] through the system you're connecting from.

So, run ssh/putty/plink on the windows system with -R 4450: or equivalent, and log in to an sshd you control. You can then connect to on that system.

Depending on the nature of your "shell access", other options may include running socat or netcat across it, e.g.:

socat -ddd SYSTEM:"ssh somewhere 'socat TCP4-LISTEN:4450 STDIO'"  TCP:

Note this gets you a single connection back only, you need socat on each side.

Related Question