netsh

Netsh is a native Windows command-line tool that can help with the network & firewall configuration of a particular Windows system.

Netsh can be used for:

  • Finding routes

  • Viewing the firewall configuration

  • Adding proxies

  • Creating port forwarding rules

Using Netsh to Port Forward

Port Forward - Cmd

C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

connectaddress and connectport identify the computer we're pivoting to.

listenaddress and listenport identify the listener on the jump host.

Verifying Port Forward

C:\Windows\system32> netsh.exe interface portproxy show all

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389

C:\Windows\system32>netstat -anp TCP | find "2222"
  TCP    192.168.50.64:2222     0.0.0.0:0              LISTENING

C:\Windows\system32>

Adding Port to Firewall rules

Now that we've successfully opened a new listening port, we need to allow inbound traffic to it through the firewall.

C:\Windows\system32> netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow
Ok.

C:\Windows\system32>

Confirming Port Forward

We can confirm the port is open from our Kali host by scanning it:

kali@kali$ nmap -p2222 -Pn 192.168.234.64
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 22:00 EST
Nmap scan report for 192.168.234.64
Host is up (0.20s latency).

PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Confirming Success

Let's connect to the port we just set up. This will tunnel the traffic through our jump host to the desired box.

ssh [email protected] -p2222    
The authenticity of host '[192.168.234.64]:2222 ([192.168.234.64]:2222)' can't be established.
ED25519 key fingerprint is SHA256:oPdvAJ7Txfp9xOUIqtVL/5lFO+4RY5XiHvVrZuisbfg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.234.64]:2222' (ED25519) to the list of known hosts.
[email protected]'s password: 

Cleaning up - Deleting Firewall rule

Once we're finished using our pivot, we want to clean up the machine. Let's delete the firewall rule:

C:\Users\Administrator>netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

Deleted 1 rule(s).
Ok.

We can also remove the port forward itself with the following:

C:\Windows\Administrator> netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64

C:\Windows\Administrator>
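
To confirm the cleanup, or to audit a host for unexpected forwards, the `netsh interface portproxy show all` output can be parsed and triaged. This is an added example, not part of the original page: the sample output is constructed, and the `REMOTE_ACCESS_PORTS` list and function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout printed by `netsh interface portproxy show all`.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.42.198   8080        172.16.5.25     3389
127.0.0.1       9000        127.0.0.1       9001
0.0.0.0         2222        10.4.50.215     22
"""

# Assumption: services an analyst wants highlighted when reachable via a forward.
REMOTE_ACCESS_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

# A rule row is: address, numeric port, address, numeric port.
ROW = re.compile(r"^\s*(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")


def parse_portproxy(text):
    """Return one dict per rule row; header and separator lines never match ROW."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                          "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rules


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or wildcard instead of an IP literal
        return addr.lower() == "localhost"


def triage(rule):
    """Return the reasons a rule deserves a closer look (empty list if none)."""
    findings = []
    if not _is_loopback(rule["connect_addr"]):
        findings.append("forwards to another host")
    if not _is_loopback(rule["listen_addr"]):
        findings.append("listener reachable from the network")
    service = REMOTE_ACCESS_PORTS.get(rule["connect_port"])
    if service:
        findings.append(f"exposes {service}")
    return findings
```

An empty result from `parse_portproxy` after cleanup means no v4tov4 forwards remain in the captured output.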
