Port Forwarding with Windows Netsh
Netsh is a Windows command-line tool that can help with the network configuration of a particular Windows system. Here are just some of the networking related tasks we can use Netsh for:
- Finding routes
- Viewing the firewall configuration
- Adding proxies
- Creating port forwarding rules
Let's take an example of the below scenario where our compromised host is a Windows 10-based IT admin's workstation (10.129.49.126, 172.16.5.150). Keep in mind that it is possible on an engagement that we may gain access to an employee's workstation through methods such as social engineering and phishing. This would allow us to pivot further from within the network the workstation is in.
We can use netsh.exe to forward all data received on a specific port (say 8080) to a remote host on a remote port. This can be performed using the below command.
Step 1 - connect to Pivot Host
Using Netsh.exe to Port Forward - on Pivot Host
cd C:\Windows\System32
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.49.126 connectport=3389 connectaddress=172.16.5.19
Verifying Port Forward - on Pivot Host
cd C:\Windows\System32
netsh.exe interface portproxy show v4tov4
|->
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
10.129.49.126 8080 172.16.5.19 3389
After configuring the portproxy on our Windows-based pivot host, we will try to connect to the 8080 port of this host from our attack host using xfreerdp. Once a request is sent from our attack host, the Windows host will route our traffic according to the proxy settings configured by netsh.exe.