Netsh Port Forwarding
Module Overview
Purpose: Native Windows port forwarding using built-in tools
Tool: netsh.exe - Windows network configuration utility
Technique: IPv4-to-IPv4 port proxy forwarding
Advantage: No external tools required (living off the land)
Scenario: Windows workstation as pivot to internal network
1. Introduction to Windows Netsh
What is Netsh?
Full Name: Network Shell (netsh.exe)
Type: Built-in Windows command-line utility
Purpose: Network configuration and management
Location: C:\Windows\System32\netsh.exe
Availability: Present on all Windows systems
Privileges: Requires administrator privileges for port forwarding
Netsh Capabilities
Finding routes - network path discovery
Viewing firewall configuration - Windows Firewall management
Adding proxies - proxy server configuration
Creating port forwarding rules - IPv4-to-IPv4 forwarding
Network interface management - adapter configuration
Netsh vs Other Windows Tools
| Tool | Type | Availability | Configuration | Stealth |
|------|------|--------------|---------------|---------|
| Netsh | Built-in | Always present | Command-line | High (legitimate tool) |
| Plink | External | PuTTY required | SSH-based | Medium (admin tool) |
| PowerShell | Built-in | Windows 7+ | Script-based | High (native) |
| SSH | External | Windows 10+ | SSH tunneling | Medium (newer feature) |
Network Topology Example
[Attack Host]  →  [Windows 10 Pivot]  →  [Windows Server]
10.10.15.5        10.129.15.150          172.16.5.25:3389
xfreerdp          netsh portproxy        RDP service
:8080             :8080 → :3389          Domain Controller
2. Basic Netsh Port Forwarding
IPv4-to-IPv4 Port Proxy
Creating Port Forward Rule
# Basic netsh port forwarding syntax
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
# Command breakdown:
# interface portproxy - portproxy interface
# add v4tov4 - add IPv4-to-IPv4 forwarding rule
# listenport=8080 - port to listen on (pivot host)
# listenaddress= - IP to bind listener (pivot host)
# connectport=3389 - destination port (target)
# connectaddress= - destination IP (target)
Verifying Port Forward
# Show all IPv4-to-IPv4 port forwards
netsh.exe interface portproxy show v4tov4
# Expected output:
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.25     3389
Understanding the Configuration
Listen Address: 10.129.15.150 (Windows 10 pivot host)
Listen Port: 8080 (accessible from attack host)
Connect Address: 172.16.5.25 (internal Windows server)
Connect Port: 3389 (RDP service)
3. Practical Implementation
Step 1: Access Windows Pivot Host
# RDP to Windows 10 pivot (from HTB Academy lab)
xfreerdp /v:<windows_pivot_ip> /u:htb-student /p:HTB_@cademy_stdnt!
# Verify current network configuration
ipconfig
netstat -an | findstr :3389
Step 2: Create Port Forward Rule
# Open Command Prompt as Administrator
# Run netsh port forwarding command
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
# Note: Adjust IP addresses based on lab environment
Step 3: Verify Configuration
# Check if rule was created successfully
netsh.exe interface portproxy show v4tov4
# Verify port is listening
netstat -an | findstr :8080
# Expected output:
TCP 10.129.15.150:8080 0.0.0.0:0 LISTENING
Step 4: Test Port Forward
# From attack host (Pwnbox), connect through port forward
xfreerdp /v:10.129.15.150:8080 /u:victor /p:pass@123 /cert:ignore
# Traffic flow: Attack Host → Pivot:8080 → DC:3389
4. Advanced Netsh Configurations
Multiple Port Forwards
# Forward multiple services simultaneously
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=10.129.15.150 connectport=445 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8135 listenaddress=10.129.15.150 connectport=135 connectaddress=172.16.5.19
# Verify all forwards
netsh.exe interface portproxy show v4tov4
Different Interface Binding
# Bind to all interfaces (0.0.0.0)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19
# Bind to specific interface only
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=3389 connectaddress=172.16.5.19
IPv6 Support
# IPv6-to-IPv6 forwarding
netsh.exe interface portproxy add v6tov6 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=fe80::1
# IPv4-to-IPv6 forwarding
netsh.exe interface portproxy add v4tov6 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=fe80::1
# IPv6-to-IPv4 forwarding
netsh.exe interface portproxy add v6tov4 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=172.16.5.19
5. HTB Academy Lab Exercise
Lab Challenge
"Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact's name found inside the 'VendorContacts.txt' file located in the 'Approved Vendors' folder on Victor's desktop (victor's credentials: victor:pass@123)."
Complete Solution Steps
Step 1: Connect to Windows 10 Pivot
# RDP to Windows 10 pivot host
xfreerdp /v:<windows10_ip> /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore
# Example IP from lab environment
xfreerdp /v:10.129.42.198 /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore
Step 2: Configure Netsh Port Forward
# In Windows 10 Command Prompt (Run as Administrator)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.19
# Verify configuration
netsh.exe interface portproxy show v4tov4
# Expected output:
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.19     3389
Step 3: Test Port Forward
# Verify port is listening
netstat -an | findstr :8080
# Expected output:
TCP 10.129.42.198:8080 0.0.0.0:0 LISTENING
Step 4: Connect to DC through Port Forward
# From attack host (Pwnbox)
xfreerdp /v:10.129.42.198:8080 /u:victor /p:pass@123 /cert:ignore
# This connects: Attack Host → Windows10:8080 → DC:3389
Step 5: Navigate to File Location
# Once logged in as victor on DC (172.16.5.19):
1. Open File Explorer
2. Navigate to Desktop
3. Open "Approved Vendors" folder
4. Open "VendorContacts.txt" file
5. Find the approved contact name
Step 6: Submit Answer
# Format: 1 space, not case-sensitive
Answer: [Approved contact name from VendorContacts.txt]
Expected File Path: C:\Users\victor\Desktop\Approved Vendors\VendorContacts.txt
6. Troubleshooting Netsh Issues
Common Problems
Access Denied Errors
# Problem: Insufficient privileges
Access is denied.
# Solutions:
1. Run Command Prompt as Administrator
Right-click CMD → "Run as administrator"
2. Verify user privileges
whoami /priv
3. Check if user is in Administrators group
net user %username%
Port Already in Use
# Problem: Listen port already bound
The process cannot access the file because it is being used by another process.
# Solutions:
1. Check what's using the port
netstat -ano | findstr :8080
2. Kill process using port
taskkill /PID <process_id> /F
3. Use different port
netsh.exe interface portproxy add v4tov4 listenport=8081 ...
Connection Refused
# Problem: Cannot connect to forwarded port
Connection refused
# Solutions:
1. Verify port forward exists
netsh.exe interface portproxy show v4tov4
2. Check Windows Firewall
netsh advfirewall firewall show rule name=all
3. Test local connectivity
telnet 172.16.5.19 3389
Firewall Blocking
# Problem: Windows Firewall blocking connections
# Solutions:
1. Add firewall exception for port
netsh advfirewall firewall add rule name="Port 8080" dir=in action=allow protocol=TCP localport=8080
2. Temporarily disable firewall (testing only)
netsh advfirewall set allprofiles state off
3. Check existing rules
netsh advfirewall firewall show rule name=all | findstr 8080
7. Management and Cleanup
Listing Port Forwards
# Show all IPv4-to-IPv4 forwards
netsh.exe interface portproxy show v4tov4
# Show all IPv6-to-IPv6 forwards
netsh.exe interface portproxy show v6tov6
# Show all port proxy configurations
netsh.exe interface portproxy show all
Deleting Port Forwards
# Delete specific IPv4-to-IPv4 forward
netsh.exe interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.15.150
# Delete all port proxy rules (every address family, not only v4tov4)
netsh.exe interface portproxy reset
# Delete specific IPv6 forwards
netsh.exe interface portproxy delete v6tov6 listenport=8080 listenaddress=::1
Persistent Configuration
# Port forwards created with netsh are persistent across reboots
# They survive system restarts automatically
# To make temporary (session-only) forwards, consider alternatives:
# - SSH local forwarding
# - PowerShell port forwarding scripts
# - Third-party tools
8. Security Considerations
Operational Security (OPSEC)
Legitimate Tool - netsh.exe is standard Windows utility
Administrative Logs - commands logged in Windows Event Log
Persistent Rules - forwards survive reboots (good for persistence)
Firewall Integration - works with Windows Firewall
Process Visibility - no additional processes required
Detection Risks
Command Line Auditing - PowerShell/CMD logging may capture commands
Event Log Entries - Windows Security log may record configuration changes
Network Monitoring - unusual port listeners detectable
Registry Changes - port proxy rules stored in registry
Forensic Artifacts - commands may be recoverable from memory/disk
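From the defender's side, the registry and listener items above can be checked directly. The following PowerShell is an added example, not part of the original notes: it reads the PortProxy registry key given under Registry Storage and flags rules that listen on all interfaces or forward to remote-administration ports. The function names, the flag names and the $AdminPorts list are assumptions made for this example; the value layout (name "listenaddress/listenport", data "connectaddress/connectport") is how netsh stores each rule.

```powershell
# Added example (not from the original page): audit portproxy rules from the registry.
$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
# Assumption: destination ports treated as remote-administration services.
$AdminPorts = '22', '135', '445', '3389', '5985', '5986'
# Listen addresses that expose the forward on every interface.
$Wildcards = '*', '0.0.0.0', '::'

function ConvertTo-PortProxyRule {
    param([string]$Family, [string]$Name, [string]$Data)
    # Value name is "listenaddress/listenport"; value data is "connectaddress/connectport".
    $listen  = $Name -split '/', 2
    $connect = $Data -split '/', 2
    $flags = @()
    if ($listen[0] -in $Wildcards)   { $flags += 'WildcardListen' }
    if ($connect[1] -in $AdminPorts) { $flags += 'AdminPortTarget' }
    [pscustomobject]@{
        Family         = $Family
        ListenAddress  = $listen[0]
        ListenPort     = $listen[1]
        ConnectAddress = $connect[0]
        ConnectPort    = $connect[1]
        Flags          = $flags -join ','
    }
}

function Get-PortProxyRule {
    foreach ($family in 'v4tov4', 'v4tov6', 'v6tov4', 'v6tov6') {
        $key = Get-Item -Path "$Root\$family\tcp" -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # no rules of this family on the host
        foreach ($name in $key.GetValueNames()) {
            ConvertTo-PortProxyRule -Family $family -Name $name -Data ([string]$key.GetValue($name))
        }
    }
}

# Constructed sample values in the registry's name/data layout (lab addresses from this page).
$sample = @(
    @{ Family = 'v4tov4'; Name = '10.129.15.150/8080'; Data = '172.16.5.25/3389' },
    @{ Family = 'v4tov4'; Name = '0.0.0.0/8445';       Data = '172.16.5.19/445' }
)
$(foreach ($s in $sample) { ConvertTo-PortProxyRule @s }) | Format-Table -AutoSize

# On a live host, list every rule; each one returned should have a known owner and reason.
Get-PortProxyRule | Format-Table -AutoSize
```

Reading the key catches rules regardless of how the command that created them was typed or logged, and an empty result on workstations is the normal baseline.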
Registry Storage
# Port proxy rules stored in registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
# View registry entries
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
9. Integration with Other Techniques
Netsh + SSH Tunneling
# Combine netsh port forwarding with SSH tunnels
# 1. Create netsh forward on Windows pivot
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=22 connectaddress=172.16.5.100
# 2. SSH through the forward from attack host
ssh -L 9999:172.16.5.19:3389 user@10.129.15.150 -p 8080
Netsh + Meterpreter
# Use Meterpreter to execute netsh commands
meterpreter > shell
C:\> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
# Or use Meterpreter's portfwd along with netsh
meterpreter > portfwd add -l 8081 -p 3389 -r 172.16.5.19
PowerShell Integration
# PowerShell wrapper for netsh commands
function New-PortForward {
    param(
        [int]$ListenPort,
        [string]$ListenAddress,
        [int]$ConnectPort,
        [string]$ConnectAddress
    )
    # Call netsh.exe directly with separate arguments. Building one string for
    # Invoke-Expression would let a crafted parameter value run extra commands.
    & netsh.exe interface portproxy add v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" "connectport=$ConnectPort" "connectaddress=$ConnectAddress"
}
# Usage
New-PortForward -ListenPort 8080 -ListenAddress "10.129.15.150" -ConnectPort 3389 -ConnectAddress "172.16.5.19"
10. Advanced Scenarios
Multi-Hop Pivoting
# Chain multiple netsh forwards
# Windows Pivot 1 (DMZ)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=8080 connectaddress=10.0.0.50
# Windows Pivot 2 (Internal)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.0.0.50 connectport=3389 connectaddress=10.0.1.10
Service-Specific Forwarding
# RDP forwarding
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19
# SMB forwarding
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=0.0.0.0 connectport=445 connectaddress=172.16.5.19
# WinRM forwarding
netsh.exe interface portproxy add v4tov4 listenport=8985 listenaddress=0.0.0.0 connectport=5985 connectaddress=172.16.5.19
# HTTPS forwarding
netsh.exe interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=172.16.5.19
Load Balancing Simulation
# Forward to multiple backends (manual round-robin)
netsh.exe interface portproxy add v4tov4 listenport=8081 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.10
netsh.exe interface portproxy add v4tov4 listenport=8082 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.11
netsh.exe interface portproxy add v4tov4 listenport=8083 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.12
11. Comparison with Other Windows Tools
Netsh vs Windows Alternatives
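| Tool | Complexity | Persistence | Admin Required | Stealth |
|------|------------|-------------|----------------|---------|
| Netsh | Low | High (persistent) | Yes | High |
| PowerShell | Medium | Low (script-based) | Depends | Medium |
| Windows Firewall | High | High | Yes | High |
| IIS URL Rewrite | High | High | Yes | Medium |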
When to Use Netsh
✅ Windows environment with admin access
✅ Persistent forwarding needed across reboots
✅ Simple port forwarding requirements
✅ Living off the land approach preferred
✅ No external tools can be installed
When NOT to Use Netsh
❌ No admin privileges available
❌ Complex routing requirements
❌ Cross-platform compatibility needed
❌ Temporary forwarding only (creates persistent rules)
❌ Stealth operation (logged extensively)
12. Best Practices
Operational Guidelines
Test locally first - verify connectivity before deployment
Use non-standard ports - avoid common port detection
Document configurations - track created port forwards
Clean up after use - remove forwards when done
Monitor connections - watch for unexpected traffic
Security Recommendations
Minimize exposure time - create forwards only when needed
Use specific bind addresses - avoid 0.0.0.0 when possible
Implement access controls - Windows Firewall rules
Monitor event logs - watch for detection indicators
Rotate ports regularly - vary port usage patterns
Performance Considerations
Limit concurrent forwards - avoid resource exhaustion
Monitor bandwidth usage - track network utilization
Consider connection limits - Windows has TCP connection limits
Optimize for target services - tune for specific protocols
Test under load - verify performance with multiple connections
References
HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 11
Microsoft Netsh Documentation: Official Netsh Reference
Netsh Portproxy: Port Proxy Commands
Windows Network Security: Security Considerations
SANS Windows Pivoting: Windows Lateral Movement Techniques