
Netsh

Netsh is a built-in Windows command-line tool for viewing and changing network configuration. Administrator privileges are required to add or remove the rules shown below, and portproxy forwards TCP connections only (no UDP).

Netsh can be used to perform the following:

  • Viewing routes
  • Viewing the firewall configuration
  • Adding proxies
  • Creating port forwarding rules

We can use the following command on the pivot host to perform port forwarding.

netsh.exe interface portproxy add v4tov4 listenport=<Local port> listenaddress=<Machine IP> connectport=<Remote port> connectaddress=<Remote host>

Command breakdown:

  • interface portproxy - Specify to work with port proxy settings.
  • add v4tov4 - Add a new entry for IPv4 to IPv4 traffic redirection.
  • listenport=<Local port> - Specify the port to listen on for incoming traffic.
  • listenaddress=<Machine IP> - Specify the IP address of the interface to listen on.
  • connectport=<Remote port> - Specify the port to forward traffic to on the remote target.
  • connectaddress=<Remote host> - Specify the IP address of the destination machine.

An example:

netsh.exe interface portproxy add v4tov4 listenport=30100 listenaddress=10.42.0.100 connectport=3389 connectaddress=172.21.0.20

To view the added rule, we can use the following command.

netsh interface portproxy show v4tov4

On the attacker machine, we can then connect to the internal host over RDP with xfreerdp, pointing it at the pivot host's listening port and supplying the RDP credentials of the internal host.

xfreerdp /v:10.42.0.100:30100 /u:<username> /p:<password>

The diagram below visualises this.

[Diagram: port-forward-5]

The Windows 1 machine will listen for incoming connections on eth1 (10.42.0.100) port 30100 and forward all incoming traffic to Windows 2 tun0 (172.21.0.20) port 3389.

When the attacker connects via RDP, the connection goes to Windows 1 eth1 (10.42.0.100) port 30100, but because of the port forward it is relayed to Windows 2 tun0 (172.21.0.20) port 3389, and the attacker obtains an RDP session on Windows 2 instead.

To forward traffic in the other direction (for example, to let Windows 2 reach a listener on the attacker machine for a reverse connection), swap the two sides of the rule: listen on the interface of Windows 1 that faces the internal network, and set connectaddress and connectport to the attacker machine's IP address and port.
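The full procedure from the pivot host's side, as an added example that is not part of the original page: it covers the forward rule from the example above, the reversed rule described in the last paragraph, the checks a practitioner would run, and the cleanup. The addresses for Windows 1 eth1 (10.42.0.100) and Windows 2 tun0 (172.21.0.20) come from the page; the attacker's address (10.42.0.50), Windows 1's internal-facing address (172.21.0.10) and the listener port 4444 are assumptions for illustration. Run it from an elevated PowerShell prompt on Windows 1.

```powershell
# Added example, not from the original page: create, verify and remove netsh
# portproxy rules on the pivot host (Windows 1). Requires an elevated prompt.

$ListenAddr = "10.42.0.100"   # Windows 1 eth1, reachable by the attacker (from the page)
$ListenPort = 30100
$TargetAddr = "172.21.0.20"   # Windows 2 tun0 (from the page)
$TargetPort = 3389            # RDP on Windows 2
$RuleName   = "portproxy-$ListenPort"

# portproxy is implemented by the IP Helper service (iphlpsvc); if it is
# stopped the rule is accepted but nothing ever listens.
if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }

# Windows Firewall drops unsolicited inbound traffic by default, so the
# listening port must be allowed or the attacker's connection never arrives.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$ListenPort

# Forward: attacker -> 10.42.0.100:30100 -> 172.21.0.20:3389
netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddr connectport=$TargetPort connectaddress=$TargetAddr

# Verify: the rule is listed and a socket is actually bound on the listen port.
netsh interface portproxy show v4tov4
netstat -ano | Select-String "${ListenAddr}:${ListenPort}\s.*LISTENING"

# Reverse direction (last paragraph of the page): let Windows 2 reach a listener
# on the attacker machine through Windows 1. The listen side is now Windows 1's
# internal-facing interface; both addresses below are assumptions.
$InternalAddr = "172.21.0.10"   # assumed: Windows 1 interface on the 172.21.0.0/24 side
$AttackerAddr = "10.42.0.50"    # assumed: attacker machine
$AttackerPort = 4444            # assumed: attacker's listener port
$RevRuleName  = "portproxy-$AttackerPort"

netsh advfirewall firewall add rule name=$RevRuleName dir=in action=allow protocol=TCP localport=$AttackerPort
netsh interface portproxy add v4tov4 listenport=$AttackerPort listenaddress=$InternalAddr connectport=$AttackerPort connectaddress=$AttackerAddr
# Windows 2 now connects to 172.21.0.10:4444 and lands on the attacker's 10.42.0.50:4444.

# Cleanup. portproxy rules are stored in the registry under
# HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and survive reboots, as do
# firewall rules, so remove everything that was added.
netsh interface portproxy delete v4tov4 listenport=$ListenPort listenaddress=$ListenAddr
netsh interface portproxy delete v4tov4 listenport=$AttackerPort listenaddress=$InternalAddr
netsh advfirewall firewall delete rule name=$RuleName
netsh advfirewall firewall delete rule name=$RevRuleName
```

If the show command lists the rule but netstat shows no LISTENING socket on the listen address, the usual cause is the IP Helper service being stopped; the firewall rule matters as well, since a silently blocked inbound port looks the same from the attacker's side as a missing rule.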