# Plink Windows Pivoting ## **📋 Module Overview** **Purpose:** Windows-based SSH tunneling and pivoting using Plink.exe\ **Tool:** PuTTY Link (plink.exe) - Windows command-line SSH client\ **Scenario:** Windows attack host or compromised Windows pivot\ **Technique:** Dynamic port forwarding with SOCKS proxy\ **Integration:** Proxifier for Windows application tunneling *** ## **1. Introduction to Plink.exe** ### **What is Plink?** * **Full Name:** PuTTY Link * **Type:** Windows command-line SSH tool * **Package:** Part of PuTTY suite * **Capability:** SSH tunneling, port forwarding, SOCKS proxy * **Era:** Pre-Windows 10 standard (before native OpenSSH) ### **Why Use Plink?** 1. **Living off the Land** - often pre-installed on Windows systems 2. **Windows Native** - no need to transfer additional tools 3. **Stealth** - uses legitimate administrative tool 4. **Compatibility** - works on older Windows versions 5. **Integration** - pairs well with Windows tools like Proxifier ### **Common Scenarios** * **Windows-based attack host** instead of Linux * **Compromised Windows system** as pivot point * **Locked down environment** where uploading tools is risky * **Legacy systems** with PuTTY already installed * **File share access** to plink.exe without installation *** ## **2. Plink vs SSH Comparison** | **Aspect** | **SSH (Linux)** | **Plink (Windows)** | | ------------------ | ----------------------- | ------------------------------ | | **Platform** | Linux/Unix | Windows | | **Syntax** | `ssh -D 9050 user@host` | `plink -ssh -D 9050 user@host` | | **Authentication** | Key/password | Key/password | | **Integration** | Native Linux tools | Proxifier, Windows apps | | **Stealth** | Standard on Linux | Legitimate Windows tool | | **Availability** | Always present | Depends on PuTTY install | *** ## **3. Basic Plink Dynamic Port Forwarding** ### **Network Topology** ``` [Windows Attack Host] → [Ubuntu Pivot] → [Internal Network] 10.10.15.5 10.129.15.50 172.16.5.0/24 Plink Client SSH Server Target Systems SOCKS :9050 ``` ### **Command Syntax** ```bash # Basic dynamic port forward with Plink plink -ssh -D 9050 ubuntu@10.129.15.50 # Command breakdown: # -ssh - Use SSH protocol # -D 9050 - Dynamic port forward on local port 9050 # ubuntu - Username on pivot host # @10.129.15.50 - Pivot host IP address ``` ### **Expected Output** ``` Using username "ubuntu". ubuntu@10.129.15.50's password: Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Last login: Mon Mar 7 15:30:45 2022 from 10.10.15.5 ubuntu@pivot:~$ ``` ### **Verification** ```cmd # Check if SOCKS proxy is listening (Windows Command Prompt) netstat -an | findstr :9050 # Expected output: TCP 127.0.0.1:9050 0.0.0.0:0 LISTENING ``` *** ## **4. Proxifier Integration** ### **What is Proxifier?** * **Purpose:** Windows SOCKS/HTTP proxy client * **Function:** Routes application traffic through proxies * **Capability:** Proxy chaining, application-specific routing * **Target:** Desktop applications (RDP, browsers, etc.) ### **Proxifier Configuration Steps** #### **Step 1: Add SOCKS Server** ``` Proxifier → Profile Menu → Proxy Servers → Add Server Configuration: - Address: 127.0.0.1 - Port: 9050 - Protocol: SOCKS Version 4 - Authentication: None (for basic setup) ``` #### **Step 2: Create Proxification Rules** ``` Proxifier → Profile Menu → Proxification Rules → Add Rule Configuration: - Name: "RDP through Plink" - Applications: mstsc.exe - Target hosts: 172.16.5.* - Action: Proxy SOCKS 127.0.0.1:9050 ``` #### **Step 3: Enable Proxification** ``` Proxifier → Profile Menu → Proxification Rules → Enable Rules Check: "Process all connections through proxy" ``` *** ## **5. RDP Through Plink SOCKS Tunnel** ### **Complete Workflow** #### **Step 1: Start Plink SOCKS Tunnel** ```cmd # Windows Command Prompt plink -ssh -D 9050 ubuntu@10.129.15.50 # Keep this session active for tunneling ``` #### **Step 2: Configure Proxifier** ``` 1. Open Proxifier 2. Add SOCKS proxy: 127.0.0.1:9050 3. Create rule for mstsc.exe 4. Enable proxification ``` #### **Step 3: Launch RDP Session** ```cmd # Start Remote Desktop Connection mstsc.exe # Connect to internal target: Computer: 172.16.5.19 Username: victor Password: pass@123 ``` ### **Traffic Flow Analysis** ``` [mstsc.exe] → [Proxifier] → [Plink SOCKS] → [SSH Tunnel] → [Ubuntu Pivot] → [Windows Target RDP] Windows RDP Proxy Local :9050 Encrypted SSH Server 172.16.5.19:3389 Client Client Connection ``` *** ## **6. Advanced Plink Techniques** ### **Authentication Methods** #### **Password Authentication** ```cmd # Interactive password prompt plink -ssh -D 9050 ubuntu@10.129.15.50 # Scripted password (less secure) echo password | plink -ssh -D 9050 ubuntu@10.129.15.50 -pw ``` #### **Key-based Authentication** ```cmd # Using PuTTY private key format (.ppk) plink -ssh -D 9050 -i C:\keys\ubuntu.ppk ubuntu@10.129.15.50 # Convert OpenSSH key to PuTTY format with PuTTYgen if needed ``` ### **Multiple Port Forwards** ```cmd # Dynamic + Local port forwards plink -ssh -D 9050 -L 8080:172.16.5.19:80 ubuntu@10.129.15.50 # Multiple local forwards plink -ssh -L 3389:172.16.5.19:3389 -L 445:172.16.5.19:445 ubuntu@10.129.15.50 ``` ### **Background Process** ```cmd # Run Plink in background (Windows) start /B plink -ssh -D 9050 ubuntu@10.129.15.50 # Check running processes tasklist | findstr plink ``` *** ## **7. Windows Application Integration** ### **Applications That Work with SOCKS Proxies** #### **Native SOCKS Support** ``` ✅ Web Browsers (Firefox, Chrome with proxy) ✅ FTP Clients (WinSCP, FileZilla) ✅ SSH Clients (PuTTY, KiTTY) ✅ Tor Browser (built-in SOCKS) ``` #### **Proxifier-Required Applications** ``` ⚙️ mstsc.exe (Remote Desktop) ⚙️ Windows Explorer (SMB shares) ⚙️ Command line tools (ping, telnet) ⚙️ Custom applications ``` ### **Browser Configuration Example** ``` Firefox → Settings → Network Settings → Manual Proxy Configuration SOCKS Host: 127.0.0.1 Port: 9050 SOCKS v4 ``` *** ## **8. Operational Security with Plink** ### **Stealth Considerations** 1. **Legitimate Tool** - Plink is standard administrative software 2. **Network Noise** - SSH traffic appears normal 3. **Process Name** - plink.exe is not suspicious 4. **Registry Traces** - Minimal system footprint ### **Detection Risks** 1. **Network Monitoring** - SSH connections to pivot hosts 2. **Process Monitoring** - Unusual plink.exe usage patterns 3. **Proxy Detection** - SOCKS traffic analysis 4. **Authentication Logs** - SSH login records ### **Mitigation Strategies** ```cmd # Use legitimate-looking SSH sessions plink -ssh -D 9050 admin@server.company.com # Vary timing and ports plink -ssh -D 8080 ubuntu@10.129.15.50 # Clean up processes when done taskkill /F /IM plink.exe ``` *** ## **9. Troubleshooting Plink Issues** ### **Common Problems and Solutions** #### **Authentication Failures** ```cmd # Problem: Access denied plink: Access denied # Solutions: 1. Verify username/password 2. Check SSH key permissions 3. Confirm SSH service is running 4. Test with PuTTY GUI first ``` #### **Connection Refused** ```cmd # Problem: Network unreachable plink: Network error: Connection refused # Solutions: 1. Verify pivot host IP 2. Check SSH port (default 22) 3. Confirm firewall rules 4. Test with telnet ``` #### **SOCKS Proxy Not Working** ```cmd # Problem: Applications can't connect through proxy # Solutions: 1. Verify port 9050 is listening netstat -an | findstr :9050 2. Check Proxifier configuration 3. Test with SOCKS-aware application 4. Restart Plink session ``` #### **Proxifier Issues** ``` # Problem: Proxifier not routing traffic # Solutions: 1. Check proxy server settings (127.0.0.1:9050) 2. Verify proxification rules 3. Enable debug logging 4. Restart Proxifier service ``` *** ## **10. Alternative Windows SSH Tools** ### **Built-in Windows SSH (Windows 10+)** ```cmd # Modern Windows has native SSH client ssh -D 9050 ubuntu@10.129.15.50 # Check if available: where ssh ``` ### **Other Windows SSH Clients** ```cmd # KiTTY (PuTTY fork) kitty -ssh -D 9050 ubuntu@10.129.15.50 # Bitvise SSH Client BvSsh -host=10.129.15.50 -user=ubuntu -localFwd=9050:127.0.0.1:9050 # MobaXterm MobaXterm with SSH tunneling ``` *** ## **11. Lab Exercise Recreation** ### **HTB Academy Optional Exercise** **Task:** "Attempt to use Plink from a Windows-based attack host. Set up a proxy connection and RDP to the Windows target (172.16.5.19) with 'victor:pass\@123'" ### **Complete Solution Steps** #### **Step 1: Environment Setup** ```cmd # Requirements: - Windows attack host - Plink.exe available - Network access to 10.129.202.64 (pivot) - Target: 172.16.5.19 (internal Windows) ``` #### **Step 2: Establish Plink Tunnel** ```cmd # Create SOCKS tunnel through Ubuntu pivot plink -ssh -D 9050 ubuntu@10.129.202.64 # Enter password when prompted ubuntu@10.129.202.64's password: HTB_@cademy_stdnt! ``` #### **Step 3: Configure Proxifier** ``` 1. Open Proxifier 2. Profile → Proxy Servers → Add - Address: 127.0.0.1 - Port: 9050 - Type: SOCKS4 3. Profile → Proxification Rules → Add - Applications: mstsc.exe - Target Hosts: 172.16.5.19 - Action: Proxy 127.0.0.1:9050 ``` #### **Step 4: RDP Connection** ```cmd # Launch Remote Desktop mstsc.exe # Connection details: Computer: 172.16.5.19 User name: victor Password: pass@123 ``` #### **Step 5: Submit Answer** ``` Answer: "I tried Plink" ``` *** ## **12. Comparison with Linux SSH Methods** ### **Functionality Comparison** | **Feature** | **Linux SSH** | **Windows Plink** | | ------------------- | -------------------------- | --------------------------------- | | **Dynamic Forward** | `ssh -D 9050` | `plink -ssh -D 9050` | | **Local Forward** | `ssh -L 8080:target:80` | `plink -ssh -L 8080:target:80` | | **Remote Forward** | `ssh -R 8080:localhost:80` | `plink -ssh -R 8080:localhost:80` | | **Background** | `ssh -fN -D 9050` | `start /B plink -ssh -D 9050` | | **Key Auth** | `ssh -i key` | `plink -i key.ppk` | ### **Integration Differences** #### **Linux Integration** ```bash # Direct proxychains support proxychains nmap -sT 172.16.5.19 # Built-in SOCKS applications curl --socks5 127.0.0.1:9050 http://172.16.5.19 ``` #### **Windows Integration** ```cmd # Requires Proxifier for most applications Proxifier → mstsc.exe → 172.16.5.19 # Some native SOCKS support firefox → proxy settings → SOCKS 127.0.0.1:9050 ``` *** ## **13. Real-World Scenarios** ### **Scenario 1: Corporate Windows Environment** ``` Situation: Pentesting corporate network Environment: Windows workstations with PuTTY installed Goal: Pivot through DMZ host to internal network Solution: Use Plink for SOCKS tunneling + Proxifier for RDP ``` ### **Scenario 2: Legacy System Compromise** ``` Situation: Compromised older Windows server Limitation: Cannot upload new tools Available: PuTTY suite installed for administration Solution: Leverage existing Plink for tunneling ``` ### **Scenario 3: Windows Red Team Operation** ``` Situation: Windows-based red team infrastructure Challenge: Need to blend in with Windows environment Approach: Use Windows-native tools (Plink, Proxifier, mstsc) Benefit: Reduced detection, natural tool usage ``` *** ## **14. Best Practices** ### **Operational Guidelines** 1. **Test Locally First** - Verify Plink works before deployment 2. **Multiple Tunnels** - Create redundant paths when possible 3. **Authentication Security** - Use keys when possible 4. **Clean Exit** - Properly terminate sessions 5. **Documentation** - Record tunnel configurations ### **Security Recommendations** 1. **Timing Variation** - Don't establish tunnels at predictable times 2. **Port Diversity** - Use different SOCKS ports 3. **Session Management** - Monitor and limit session duration 4. **Log Cleanup** - Clear relevant Windows event logs 5. **Process Hiding** - Consider process migration techniques ### **Performance Optimization** 1. **Compression** - Use SSH compression for slow links 2. **Keep-Alive** - Maintain persistent connections 3. **Concurrent Sessions** - Balance load across multiple tunnels 4. **Bandwidth Monitoring** - Track usage patterns *** ## **15. Integration with Other Tools** ### **Metasploit Integration** ```ruby # Metasploit with SOCKS proxy (requires Proxychains4Windows) msf6 > setg Proxies socks4:127.0.0.1:9050 msf6 > use auxiliary/scanner/portscan/tcp msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.5.19 msf6 auxiliary(scanner/portscan/tcp) > run ``` ### **PowerShell Integration** ```powershell # PowerShell with proxy settings $proxy = New-Object System.Net.WebProxy("socks://127.0.0.1:9050") $webClient = New-Object System.Net.WebClient $webClient.Proxy = $proxy $webClient.DownloadString("http://172.16.5.19") ``` ### **Nmap through Proxy** ```cmd # Using ProxyChains4Windows (if available) proxychains4 nmap -sT -Pn 172.16.5.19 # Alternative: nmap with HTTP proxy (if SOCKS-to-HTTP converter used) nmap --proxy socks4://127.0.0.1:9050 172.16.5.19 ``` *** ## **References** * **HTB Academy**: Pivoting, Tunneling & Port Forwarding - Page 8 * **PuTTY Documentation**: [Official PuTTY Manual](https://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html) * **Proxifier Manual**: [Proxifier Documentation](https://www.proxifier.com/documentation/) * **SANS**: [SSH Tunneling with Windows](https://www.sans.org/blog/ssh-tunneling-with-windows/) * **Microsoft**: [Windows SSH Client](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kabaneridev.gitbook.io/pentesting-notes/certification-preparation/cpts-prep/pivoting-tunneling-and-port-forwarding/plink-windows-pivoting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.