Plink Windows Pivoting
Module Overview
Purpose: Windows-based SSH tunneling and pivoting using Plink.exe
Tool: PuTTY Link (plink.exe) - Windows command-line SSH client
Scenario: Windows attack host or compromised Windows pivot
Technique: Dynamic port forwarding with SOCKS proxy
Integration: Proxifier for Windows application tunneling
1. Introduction to Plink.exe
What is Plink?
Full Name: PuTTY Link
Type: Windows command-line SSH tool
Package: Part of PuTTY suite
Capability: SSH tunneling, port forwarding, SOCKS proxy
Era: Pre-Windows 10 standard (before native OpenSSH)
Why Use Plink?
Living off the Land - often pre-installed on Windows systems
Windows Native - no need to transfer additional tools
Stealth - uses legitimate administrative tool
Compatibility - works on older Windows versions
Integration - pairs well with Windows tools like Proxifier
Common Scenarios
Windows-based attack host instead of Linux
Compromised Windows system as pivot point
Locked down environment where uploading tools is risky
Legacy systems with PuTTY already installed
File share access to plink.exe without installation
2. Plink vs SSH Comparison
| Aspect | SSH (Linux) | Plink (Windows) |
|---|---|---|
| Platform | Linux/Unix | Windows |
| Syntax | ssh -D 9050 user@host | plink -ssh -D 9050 user@host |
| Authentication | Key/password | Key/password |
| Integration | Native Linux tools | Proxifier, Windows apps |
| Stealth | Standard on Linux | Legitimate Windows tool |
| Availability | Always present | Depends on PuTTY install |
3. Basic Plink Dynamic Port Forwarding
Network Topology
[Windows Attack Host] → [Ubuntu Pivot] → [Internal Network]
10.10.15.5              10.129.15.50     172.16.5.0/24
Plink Client            SSH Server       Target Systems
SOCKS :9050
Command Syntax
# Basic dynamic port forward with Plink
plink -ssh -D 9050 ubuntu@10.129.15.50
# Command breakdown:
# -ssh - Use SSH protocol
# -D 9050 - Dynamic port forward on local port 9050
# ubuntu - Username on pivot host
# @10.129.15.50 - Pivot host IP address
Expected Output
Using username "ubuntu".
ubuntu@10.129.15.50's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Mon Mar 7 15:30:45 2022 from 10.10.15.5
ubuntu@pivot:~$
Verification
# Check if SOCKS proxy is listening (Windows Command Prompt)
netstat -an | findstr :9050
# Expected output:
TCP 127.0.0.1:9050 0.0.0.0:0 LISTENING
4. Proxifier Integration
What is Proxifier?
Purpose: Windows SOCKS/HTTP proxy client
Function: Routes application traffic through proxies
Capability: Proxy chaining, application-specific routing
Target: Desktop applications (RDP, browsers, etc.)
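What the SOCKS Version 4 setting used in the configuration steps below means on the wire between a client such as Proxifier and the listener on 127.0.0.1:9050, as an added example that is not part of the original notes. The function names and the sample request are constructed for illustration; the field layout is the standard SOCKS4/SOCKS4a one.

```python
import socket
import struct

REPLY_CODES = {90: "request granted", 91: "request rejected or failed",
               92: "rejected: identd unreachable", 93: "rejected: identd user mismatch"}

def build_connect(dst_ip, dst_port, user_id=b""):
    """Build a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip)) + user_id + b"\x00"

def parse_request(data):
    """Decode a SOCKS4/SOCKS4a request; raise ValueError for anything else."""
    if not data or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    _, command, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if command not in (1, 2):
        raise ValueError(f"unknown command code {command}")
    user_end = data.find(b"\x00", 8)
    if user_end == -1:
        raise ValueError("USERID is not NUL-terminated")
    request = {"command": "CONNECT" if command == 1 else "BIND", "port": port,
               "user_id": data[8:user_end].decode("ascii", "replace")}
    # SOCKS4a: DSTIP 0.0.0.x with x != 0 means a hostname follows the USERID,
    # so the name is resolved by the proxy rather than by the client.
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host_end = data.find(b"\x00", user_end + 1)
        if host_end == -1:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        request["host"] = data[user_end + 1:host_end].decode("ascii", "replace")
    else:
        request["host"] = socket.inet_ntoa(raw_ip)
    return request

def parse_reply(data):
    """Decode the 8-byte SOCKS4 reply (the version byte is 0 in replies)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    return REPLY_CODES.get(data[1], f"unknown code {data[1]}")

# Constructed sample: the request for the page's RDP target 172.16.5.19:3389.
RDP_REQUEST = build_connect("172.16.5.19", 3389)

if __name__ == "__main__":
    print(RDP_REQUEST.hex(" "), "->", parse_request(RDP_REQUEST))
```

SOCKS4 carries no authentication beyond the free-form USERID field, which is why the Proxifier profile sets Authentication to None.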
Proxifier Configuration Steps
Step 1: Add SOCKS Server
Proxifier → Profile Menu → Proxy Servers → Add
Server Configuration:
- Address: 127.0.0.1
- Port: 9050
- Protocol: SOCKS Version 4
- Authentication: None (for basic setup)
Step 2: Create Proxification Rules
Proxifier → Profile Menu → Proxification Rules → Add
Rule Configuration:
- Name: "RDP through Plink"
- Applications: mstsc.exe
- Target hosts: 172.16.5.*
- Action: Proxy SOCKS 127.0.0.1:9050
Step 3: Enable Proxification
Proxifier → Profile Menu → Proxification Rules → Enable Rules
Check: "Process all connections through proxy"
5. RDP Through Plink SOCKS Tunnel
Complete Workflow
Step 1: Start Plink SOCKS Tunnel
# Windows Command Prompt
plink -ssh -D 9050 ubuntu@10.129.15.50
# Keep this session active for tunneling
Step 2: Configure Proxifier
1. Open Proxifier
2. Add SOCKS proxy: 127.0.0.1:9050
3. Create rule for mstsc.exe
4. Enable proxification
Step 3: Launch RDP Session
# Start Remote Desktop Connection
mstsc.exe
# Connect to internal target:
Computer: 172.16.5.19
Username: victor
Password: pass@123
Traffic Flow Analysis
[mstsc.exe] → [Proxifier] → [Plink SOCKS] → [SSH Tunnel] → [Ubuntu Pivot] → [Windows Target RDP]
Windows RDP   Proxy         Local :9050     Encrypted      SSH Server       172.16.5.19:3389
Client        Client                        Connection
6. Advanced Plink Techniques
Authentication Methods
Password Authentication
# Interactive password prompt
plink -ssh -D 9050 ubuntu@10.129.15.50
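# Scripted password (less secure: the password is visible in process listings and command-line logs)
# -pw takes the password as its argument and must come before the host
plink -ssh -D 9050 -pw password ubuntu@10.129.15.50
Key-based Authentication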
# Using PuTTY private key format (.ppk)
plink -ssh -D 9050 -i C:\keys\ubuntu.ppk ubuntu@10.129.15.50
# Convert OpenSSH key to PuTTY format with PuTTYgen if needed
Multiple Port Forwards
# Dynamic + Local port forwards
plink -ssh -D 9050 -L 8080:172.16.5.19:80 ubuntu@10.129.15.50
# Multiple local forwards
plink -ssh -L 3389:172.16.5.19:3389 -L 445:172.16.5.19:445 ubuntu@10.129.15.50
Background Process
# Run Plink in background (Windows)
start /B plink -ssh -D 9050 ubuntu@10.129.15.50
# Check running processes
tasklist | findstr plink
7. Windows Application Integration
Applications That Work with SOCKS Proxies
Native SOCKS Support
Web Browsers (Firefox, Chrome with proxy)
FTP Clients (WinSCP, FileZilla)
SSH Clients (PuTTY, KiTTY)
Tor Browser (built-in SOCKS)
Proxifier-Required Applications
mstsc.exe (Remote Desktop)
Windows Explorer (SMB shares)
Command line tools (ping, telnet)
Custom applications
Browser Configuration Example
Firefox → Settings → Network Settings → Manual Proxy Configuration
SOCKS Host: 127.0.0.1
Port: 9050
SOCKS v4
8. Operational Security with Plink
Stealth Considerations
Legitimate Tool - Plink is standard administrative software
Network Noise - SSH traffic appears normal
Process Name - plink.exe is not suspicious
Registry Traces - Minimal system footprint
Detection Risks
Network Monitoring - SSH connections to pivot hosts
Process Monitoring - Unusual plink.exe usage patterns
Proxy Detection - SOCKS traffic analysis
Authentication Logs - SSH login records
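The process-monitoring risk listed above can be made concrete with a triage rule over process-creation events that keys on Plink's forwarding options rather than on the file name alone. This is an added example, not part of the original notes; the event field names (host, image, cmdline), the sample records and the wording of the reasons are constructed for illustration.

```python
import shlex

FORWARD_FLAGS = {"-D": "dynamic (SOCKS)", "-L": "local", "-R": "remote"}

# Constructed process-creation records (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink -ssh -D 9050 ubuntu@10.129.15.50"},
    {"host": "WS01", "image": r"C:\Users\Public\plink.exe",
     "cmdline": "plink -ssh -L 3389:172.16.5.19:3389 -L 445:172.16.5.19:445 ubuntu@10.129.15.50"},
    {"host": "WS02", "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink -ssh -batch backup@10.0.0.8 uptime"},
    {"host": "WS03", "image": r"C:\Windows\Temp\svc.exe",
     "cmdline": "svc.exe -ssh -D 8080 -pw Passw0rd ubuntu@10.129.15.50"},
]

def parse_forwards(tokens):
    """Return [(kind, spec)] for each -D/-L/-R option and its argument."""
    return [(FORWARD_FLAGS[tok], tokens[i + 1])
            for i, tok in enumerate(tokens[:-1]) if tok in FORWARD_FLAGS]

def triage(event):
    """Return an alert for a command line that opens a tunnel, else None."""
    tokens = shlex.split(event["cmdline"], posix=False)  # keep backslashes
    forwards = parse_forwards(tokens)
    if not forwards:
        return None  # interactive login or remote command, no tunnel
    reasons = [f"{kind} forward {spec}" for kind, spec in forwards]
    sensitive = [spec for kind, spec in forwards
                 if kind == "local" and spec.rsplit(":", 1)[-1] in ("3389", "445")]
    if sensitive:
        reasons.append("local forward to RDP/SMB: " + ", ".join(sensitive))
    # -ssh is the PuTTY-family protocol selector; OpenSSH's ssh.exe has no such flag.
    if "-ssh" in tokens and not event["image"].lower().endswith("\\plink.exe"):
        reasons.append("PuTTY-style -ssh flag on a binary not named plink.exe")
    if "-pw" in tokens:
        reasons.append("password passed on the command line")
    return {"host": event["host"], "image": event["image"], "reasons": reasons}

def run(events=SAMPLE_EVENTS):
    """Triage every event and keep only the alerts."""
    return [alert for alert in map(triage, events) if alert]

if __name__ == "__main__":
    for alert in run():
        print(alert["host"], alert["image"], "->", "; ".join(alert["reasons"]))
```

The WS02 record shows ordinary administrative use of Plink passing without an alert, which is the baseline the rule has to preserve on hosts where PuTTY is installed for legitimate work.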
Mitigation Strategies
# Use legitimate-looking SSH sessions
plink -ssh -D 9050 admin@server.company.com
# Vary timing and ports
plink -ssh -D 8080 ubuntu@10.129.15.50
# Clean up processes when done
taskkill /F /IM plink.exe
9. Troubleshooting Plink Issues
Common Problems and Solutions
Authentication Failures
# Problem: Access denied
plink: Access denied
# Solutions:
1. Verify username/password
2. Check SSH key permissions
3. Confirm SSH service is running
4. Test with PuTTY GUI first
Connection Refused
# Problem: Network unreachable
plink: Network error: Connection refused
# Solutions:
1. Verify pivot host IP
2. Check SSH port (default 22)
3. Confirm firewall rules
4. Test with telnet
SOCKS Proxy Not Working
# Problem: Applications can't connect through proxy
# Solutions:
1. Verify port 9050 is listening
netstat -an | findstr :9050
2. Check Proxifier configuration
3. Test with SOCKS-aware application
4. Restart Plink session
Proxifier Issues
# Problem: Proxifier not routing traffic
# Solutions:
1. Check proxy server settings (127.0.0.1:9050)
2. Verify proxification rules
3. Enable debug logging
4. Restart Proxifier service
10. Alternative Windows SSH Tools
Built-in Windows SSH (Windows 10+)
# Modern Windows has native SSH client
ssh -D 9050 ubuntu@10.129.15.50
# Check if available:
where ssh
Other Windows SSH Clients
# KiTTY (PuTTY fork)
kitty -ssh -D 9050 ubuntu@10.129.15.50
# Bitvise SSH Client
BvSsh -host=10.129.15.50 -user=ubuntu -localFwd=9050:127.0.0.1:9050
# MobaXterm
MobaXterm with SSH tunneling
11. Lab Exercise Recreation
HTB Academy Optional Exercise
Task: "Attempt to use Plink from a Windows-based attack host. Set up a proxy connection and RDP to the Windows target (172.16.5.19) with 'victor:pass@123'"
Complete Solution Steps
Step 1: Environment Setup
# Requirements:
- Windows attack host
- Plink.exe available
- Network access to 10.129.202.64 (pivot)
- Target: 172.16.5.19 (internal Windows)
Step 2: Establish Plink Tunnel
# Create SOCKS tunnel through Ubuntu pivot
plink -ssh -D 9050 ubuntu@10.129.202.64
# Enter password when prompted
ubuntu@10.129.202.64's password: HTB_@cademy_stdnt!
Step 3: Configure Proxifier
1. Open Proxifier
2. Profile → Proxy Servers → Add
   - Address: 127.0.0.1
   - Port: 9050
   - Type: SOCKS4
3. Profile → Proxification Rules → Add
   - Applications: mstsc.exe
   - Target Hosts: 172.16.5.19
   - Action: Proxy 127.0.0.1:9050
Step 4: RDP Connection
# Launch Remote Desktop
mstsc.exe
# Connection details:
Computer: 172.16.5.19
User name: victor
Password: pass@123
Step 5: Submit Answer
Answer: "I tried Plink"
12. Comparison with Linux SSH Methods
Functionality Comparison
| Feature | Linux SSH | Windows Plink |
|---|---|---|
| Dynamic Forward | ssh -D 9050 | plink -ssh -D 9050 |
| Local Forward | ssh -L 8080:target:80 | plink -ssh -L 8080:target:80 |
| Remote Forward | ssh -R 8080:localhost:80 | plink -ssh -R 8080:localhost:80 |
| Background | ssh -fN -D 9050 | start /B plink -ssh -D 9050 |
| Key Auth | ssh -i key | plink -i key.ppk |
Integration Differences
Linux Integration
# Direct proxychains support
proxychains nmap -sT 172.16.5.19
# Built-in SOCKS applications
curl --socks5 127.0.0.1:9050 http://172.16.5.19
Windows Integration
# Requires Proxifier for most applications
Proxifier → mstsc.exe → 172.16.5.19
# Some native SOCKS support
firefox → proxy settings → SOCKS 127.0.0.1:9050
13. Real-World Scenarios
Scenario 1: Corporate Windows Environment
Situation: Pentesting corporate network
Environment: Windows workstations with PuTTY installed
Goal: Pivot through DMZ host to internal network
Solution: Use Plink for SOCKS tunneling + Proxifier for RDP
Scenario 2: Legacy System Compromise
Situation: Compromised older Windows server
Limitation: Cannot upload new tools
Available: PuTTY suite installed for administration
Solution: Leverage existing Plink for tunneling
Scenario 3: Windows Red Team Operation
Situation: Windows-based red team infrastructure
Challenge: Need to blend in with Windows environment
Approach: Use Windows-native tools (Plink, Proxifier, mstsc)
Benefit: Reduced detection, natural tool usage
14. Best Practices
Operational Guidelines
Test Locally First - Verify Plink works before deployment
Multiple Tunnels - Create redundant paths when possible
Authentication Security - Use keys when possible
Clean Exit - Properly terminate sessions
Documentation - Record tunnel configurations
Security Recommendations
Timing Variation - Don't establish tunnels at predictable times
Port Diversity - Use different SOCKS ports
Session Management - Monitor and limit session duration
Log Cleanup - Clear relevant Windows event logs
Process Hiding - Consider process migration techniques
Performance Optimization
Compression - Use SSH compression for slow links
Keep-Alive - Maintain persistent connections
Concurrent Sessions - Balance load across multiple tunnels
Bandwidth Monitoring - Track usage patterns
15. Integration with Other Tools
Metasploit Integration
# Metasploit with SOCKS proxy (requires Proxychains4Windows)
msf6 > setg Proxies socks4:127.0.0.1:9050
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.5.19
msf6 auxiliary(scanner/portscan/tcp) > run
PowerShell Integration
# PowerShell with proxy settings
# SOCKS proxy URIs are only honoured on .NET 6+ (PowerShell 7.2+); Windows PowerShell 5.1 handles HTTP proxies only
$proxy = New-Object System.Net.WebProxy("socks4://127.0.0.1:9050")
$webClient = New-Object System.Net.WebClient
$webClient.Proxy = $proxy
$webClient.DownloadString("http://172.16.5.19")
Nmap through Proxy
# Using ProxyChains4Windows (if available)
proxychains4 nmap -sT -Pn 172.16.5.19
# Alternative: nmap's built-in --proxies option (HTTP or SOCKS4; it applies to NSE and version scanning, not the port-scan phase)
nmap --proxies socks4://127.0.0.1:9050 172.16.5.19
References
HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 8
PuTTY Documentation: Official PuTTY Manual
Proxifier Manual: Proxifier Documentation
Microsoft: Windows SSH Client