Neutron Security

Port Forwarding Windows: Netsh

Neutron Security

Home
About
About
- About Me
Blog
Blog
- Index
- Archive
  Archive
  - 2022
- Categories
  Categories
  - Azure
  - Blog
  - Blue Team
  - HackTheBox
  - Powershell
  - Security
  - SOC
Docs
Docs
- Unlocking Cybersecurity: A Documentation of Discoveries
- Offensive
  Offensive
  - Active Directory
    Active Directory
    
    Initial Enumeration
    Initial Enumeration
    
    External Recon
    
    Initial Enumeration of the Domain
    
    Gaining a Foothold
    Gaining a Foothold
    
    LLMNR/NBT-NS Poisoning - Linux
    
    LLMNR/NBT-NS Poisoning - Windows
    
    Hunting for a User
    Hunting for a User
    
    Enumerating & Retrieving PwdPols
    
    Pwd Spraying - Making a Targeted User List
    
    PwSpray
    PwSpray
    
    Internal Spraying - Linux
    
    Internal Spraying - Windows
    
    Post Foothold
    Post Foothold
    
    Enumerating Security Controls
    
    Credentialed Enumeration - Linux
    
    Credentialed Enumeration - Windows
    
    Living Off The Land
    
    Kerberoasting
    Kerberoasting
    
    Kerberoasting - Linux
    
    Kerberoasting - Windows
    
    ACLs
    ACLs
    
    ACL Enumeration
    
    ACL Abuse Tactics
    
    DCSync
    
    Privilege Escalation
    Privilege Escalation
    
    Privileged Access
    
    Kerberos Double Hop
    
    Vulnerabilities
    
    Misconfigurations
    
    Domain Trusts
    Domain Trusts
    
    Domain Trusts Primer
    
    Attacking Domain Trusts - Child -> Parent - from Windows
    
    Attacking Domain Trusts - Child -> Parent - from Linux
    
    Cross-Forest Trust Abuse
    Cross-Forest Trust Abuse
    
    Cross-Forest Trust Abuse - from Windows
    
    Cross-Forest Trust Abuse - from Linux
    
    Defensive Considerations
    Defensive Considerations
    
    Hardening Active Directory
    
    Additional AD Auditing Techniques
  - Footprinting
    Footprinting
    
    Domain Information
    
    Host Based Enumeration
    Host Based Enumeration
    
    FTP
    
    SMB
    
    NFS
    
    DNS
    
    SMTP
    
    IMAP/POP3
    
    SNMP
    
    MySQL
    
    MSSQL
    
    IPMI
    
    Remote Management Protocols
    Remote Management Protocols
    
    Linux
    
    Windows
  - Common Services
    Common Services
    
    Interacting
    
    FTP
    
    SMB
    
    SQL Databases
    
    RDP
    
    DNS
    
    Email Services
  - Privilege Escalation
    Privilege Escalation
    
    Windows
    Windows
    
    Enumeration
    Enumeration
    
    Situational Awareness
    
    Initial Enumeration
    
    Communication with Processes
    
    User Privileges
    User Privileges
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeDebugPrivilege
    
    SeTakeOwnershipPrivilege
    
    Group Privileges
    Group Privileges
    
    Windows Built-in Groups
    
    Event Log Readers
    
    DnsAdmins
    
    Hyper-V Administrators
    
    Print Operators
    
    Server Operators
    
    OS
    OS
    
    User Account Control
    
    Weak Permissions
    
    Vulnerable Services
    
    Credential Theft
    Credential Theft
    
    Credential Hunting
    
    Other Files
    
    Further Credential Theft
    
    Additional Techniques
    Additional Techniques
    
    Interacting with Users
    
    Miscellaneous Techniques
    
    Linux
    Linux
    
    Enumeration
    
    Local Techniques
    Local Techniques
    
    Kernel Exploits
    
    Vulnerable Services
    
    Cron Jobs
    
    Special Permissions
    
    Sudo Rights Abuse
    
    Path Abuse
    
    Wildcard Abuse
    
    Credential Hunting
    
    Shared Libraries
    
    Shared Object Hijacking
    
    Privileged Groups
    
    Miscellaneous Techniques
  - File Transfers
    File Transfers
    
    File Tranfer Methods
    File Tranfer Methods
    
    Windows
    
    Linux
    
    Transfering Files with Code
    
    Miscellaneous
    
    Protected File Transfers
    
    Catching Files over HTTP/S
    
    LOTL
  - Tools
    Tools
    
    Nmap
    
    MSF
    MSF
    
    Components
    Components
    
    Modules
    
    Targets
    
    Payloads
    
    Sessions
    Sessions
    
    Sessions & Jobs
    
    Meterpreter
    
    Evasion
  - Password Attacks
    Password Attacks
    
    Remote Attacks
    Remote Attacks
    
    Network Services
    
    Password Mutations
    
    Windows Local Attacks
    Windows Local Attacks
    
    Attacking Sam
    
    Attacking LSASS
    
    Attacking AD & NTDS.dit
    
    Credential Hunting
    
    Linux Local Attacks
    Linux Local Attacks
    
    Credential Hunting
    
    Passwd, Shadow, Opasswd
    
    Cracking Files
    Cracking Files
    
    Protected Files
    
    Protected Archives
  - Pivoting
    Pivoting
    
    Dynamic Port Forwarding w/ SSH and SOCKS Tunneling
    
    Remote/Reverse Port Forwarding w/ SSH
    
    Meterpreter Tunneling & Port Forwarding
    
    Socat
    Socat
    
    Reverse Shell
    
    Bind Shell
    
    SSH for Windows: plink
    
    SSH Pivoting w/ Sshuttle
    
    WebServer Pivoting w/ Rpivot
    
    Port Forwarding Windows: Netsh
    
    DNS Tunneling w/ Dnscat2
    
    SOCKS5 Tunneling with Chisel
    
    ICMP Tunneling with SOCKS
    
    RDP and SOCKS Tunneling w/ SocksOverRDP
  - Web
    Web
    
    Information Gathering
    Information Gathering
    
    Passive Information Gathering
    Passive Information Gathering
    
    WHOIS
    
    DNS
    
    Subdomain Enumeration
    
    Infrastructure Identification
    
    Active Information Gathering
    Active Information Gathering
    
    Infrastructure Identification
    
    Subdomain Enumeration
    
    Virtual Hosts
    
    Crawling
    
    Ffuf
    
    Hydra
    
    SQLMap
    SQLMap
    
    Building Attacks
    
    DB Enumeration
    
    Advanced DB Enumeration
    
    Bypassing Web App Protections
    
    OS Exploitation
    
    XSS
    
    Local File Inclusion
  - Documenting
    Documenting
    
    Preparation
- Defensive
  Defensive
  - File Analysis
- Cheatsheets
  Cheatsheets
  - CTF
    CTF
    
    Active Directory
    Active Directory
    
    Basics
    
    Enumeration/Attacks
    
    Exploitation
    
    Privilege Escalation
    Privilege Escalation
    
    Linux
    
    Windows
    
    Commands
    
    Linux Shortcuts
    
    Windows
    
    Shells & Payloads
    
    Web requests
    
    (De)Obfuscation
    
    Brute Forcing
    
    Common Applications
    
    Web Attacks
    
    File Transfer
    
    Footprinting
    
    Pivoting, Tunnel, Port Forwarding
    
    Information Gathering - Web
    
    MSF
    
    Password Attacks
    
    Attacking Common Services
    
    FFUF
    
    Hydra
    
    Network Traffic Analysis
  - Powershell

Port Forwarding Windows: Netsh

E.g. compromised a Windows 10 host, which would allow to pivor further from within the network the workstation is in.

We can use netsh.exe to forward all data received on a specific port (say 8080) to a remote host on a remote port.

C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

Verifying Port Forward

C:\Windows\system32> netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389

After configuring the portproxy on our Windows-based pivot host, we will try to connect to the 8080 port of this host from our attack host using xfreerdp. Once a request is sent from our attack host, the Windows host will route our traffic according to the proxy settings configured by netsh.exe.