πͺPlink Windows Pivoting
π Module Overview
Purpose: Windows-based SSH tunneling and pivoting using Plink.exe Tool: PuTTY Link (plink.exe) - Windows command-line SSH client Scenario: Windows attack host or compromised Windows pivot Technique: Dynamic port forwarding with SOCKS proxy Integration: Proxifier for Windows application tunneling
1. Introduction to Plink.exe
What is Plink?
Full Name: PuTTY Link
Type: Windows command-line SSH tool
Package: Part of PuTTY suite
Capability: SSH tunneling, port forwarding, SOCKS proxy
Era: Pre-Windows 10 standard (before native OpenSSH)
Why Use Plink?
Living off the Land - often pre-installed on Windows systems
Windows Native - no need to transfer additional tools
Stealth - uses legitimate administrative tool
Compatibility - works on older Windows versions
Integration - pairs well with Windows tools like Proxifier
Common Scenarios
Windows-based attack host instead of Linux
Compromised Windows system as pivot point
Locked down environment where uploading tools is risky
Legacy systems with PuTTY already installed
File share access to plink.exe without installation
2. Plink vs SSH Comparison
Aspect
SSH (Linux)
Plink (Windows)
Platform
Linux/Unix
Windows
Syntax
ssh -D 9050 user@host
plink -ssh -D 9050 user@host
Authentication
Key/password
Key/password
Integration
Native Linux tools
Proxifier, Windows apps
Stealth
Standard on Linux
Legitimate Windows tool
Availability
Always present
Depends on PuTTY install
3. Basic Plink Dynamic Port Forwarding
Network Topology
Command Syntax
Expected Output
Verification
4. Proxifier Integration
What is Proxifier?
Purpose: Windows SOCKS/HTTP proxy client
Function: Routes application traffic through proxies
Capability: Proxy chaining, application-specific routing
Target: Desktop applications (RDP, browsers, etc.)
Proxifier Configuration Steps
Step 1: Add SOCKS Server
Step 2: Create Proxification Rules
Step 3: Enable Proxification
5. RDP Through Plink SOCKS Tunnel
Complete Workflow
Step 1: Start Plink SOCKS Tunnel
Step 2: Configure Proxifier
Step 3: Launch RDP Session
Traffic Flow Analysis
6. Advanced Plink Techniques
Authentication Methods
Password Authentication
Key-based Authentication
Multiple Port Forwards
Background Process
7. Windows Application Integration
Applications That Work with SOCKS Proxies
Native SOCKS Support
Proxifier-Required Applications
Browser Configuration Example
8. Operational Security with Plink
Stealth Considerations
Legitimate Tool - Plink is standard administrative software
Network Noise - SSH traffic appears normal
Process Name - plink.exe is not suspicious
Registry Traces - Minimal system footprint
Detection Risks
Network Monitoring - SSH connections to pivot hosts
Process Monitoring - Unusual plink.exe usage patterns
Proxy Detection - SOCKS traffic analysis
Authentication Logs - SSH login records
Mitigation Strategies
9. Troubleshooting Plink Issues
Common Problems and Solutions
Authentication Failures
Connection Refused
SOCKS Proxy Not Working
Proxifier Issues
10. Alternative Windows SSH Tools
Built-in Windows SSH (Windows 10+)
Other Windows SSH Clients
11. Lab Exercise Recreation
HTB Academy Optional Exercise
Task: "Attempt to use Plink from a Windows-based attack host. Set up a proxy connection and RDP to the Windows target (172.16.5.19) with 'victor:pass@123'"
Complete Solution Steps
Step 1: Environment Setup
Step 2: Establish Plink Tunnel
Step 3: Configure Proxifier
Step 4: RDP Connection
Step 5: Submit Answer
12. Comparison with Linux SSH Methods
Functionality Comparison
Feature
Linux SSH
Windows Plink
Dynamic Forward
ssh -D 9050
plink -ssh -D 9050
Local Forward
ssh -L 8080:target:80
plink -ssh -L 8080:target:80
Remote Forward
ssh -R 8080:localhost:80
plink -ssh -R 8080:localhost:80
Background
ssh -fN -D 9050
start /B plink -ssh -D 9050
Key Auth
ssh -i key
plink -i key.ppk
Integration Differences
Linux Integration
Windows Integration
13. Real-World Scenarios
Scenario 1: Corporate Windows Environment
Scenario 2: Legacy System Compromise
Scenario 3: Windows Red Team Operation
14. Best Practices
Operational Guidelines
Test Locally First - Verify Plink works before deployment
Multiple Tunnels - Create redundant paths when possible
Authentication Security - Use keys when possible
Clean Exit - Properly terminate sessions
Documentation - Record tunnel configurations
Security Recommendations
Timing Variation - Don't establish tunnels at predictable times
Port Diversity - Use different SOCKS ports
Session Management - Monitor and limit session duration
Log Cleanup - Clear relevant Windows event logs
Process Hiding - Consider process migration techniques
Performance Optimization
Compression - Use SSH compression for slow links
Keep-Alive - Maintain persistent connections
Concurrent Sessions - Balance load across multiple tunnels
Bandwidth Monitoring - Track usage patterns
15. Integration with Other Tools
Metasploit Integration
PowerShell Integration
Nmap through Proxy
References
HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 8
PuTTY Documentation: Official PuTTY Manual
Proxifier Manual: Proxifier Documentation
Microsoft: Windows SSH Client
Last updated