Port Forwarding with Windows: Netsh

Posted Jun 22, 2025 Updated Jun 22, 2025

By saramazal

2 min read

🕵️‍♂️ Port Forwarding with Windows: Netsh

In internal network engagements, gaining access to a user workstation—like a Windows-based IT admin’s machine—can be an excellent pivot point for further exploration. One powerful built-in tool that enables this is netsh.exe.

This post covers how to use netsh to forward ports from a compromised Windows host to an internal target, enabling you to connect to internal services like RDP via the pivot.

🔧 Scenario Setup

We’ve compromised an IT admin’s Windows 10 workstation using phishing or social engineering. The machine has two IPs:

External IP (reachable by attacker): 10.129.xx.xx
Internal IP (inside network): 172.16.xx.xx

🖥️ Host Overview

Role	Variable	Example Value
Attacker Host	`$ATTACKER_HOST`	Your Kali box
Pivot Host (Win)	`$PIVOT_WIN_HOST`	10.129.xx.xx.
Target Host (Win)	`$TARGET_WIN_HOST`	172.16.xx.xx
Pivot Credentials	`$PIVOT_USER:$PIVOT_PASS`	e.g. admin:pass123
Target Credentials	`$TARGET_USER:$TARGET_PASS`	e.g. user:pass456

🪜 Step-by-Step Port Forwarding with Netsh

1. RDP into the Pivot Host

From your attacker machine:

        
      
xfreerdp /u:$PIVOT_USER /p:$PIVOT_PASS /v:$PIVOT_WIN_HOST

2. Set Up Port Forwarding on the Pivot

Run the following command on the pivot host to forward traffic from external port 8080 to internal RDP port 3389 on the target:

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=$PIVOT_WIN_HOST connectport=3389 connectaddress=$TARGET_WIN_HOST

🔧 This makes the pivot listen on 10.129.xx.xx:8080 and forward it to 172.16.xx.xx:3389.

3. Verify the Port Proxy Rule

Run:

netsh interface portproxy show v4tov4

You should see:

Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.xx.xx   8080        172.16.xx.xx     3389

4. RDP to the Internal Target via the Forward

From your attacker machine, use the following command to connect to the internal target through the pivot:

        
      
xfreerdp /u:$TARGET_USER /p:$TARGET_PASS /v:$PIVOT_WIN_HOST:8080

🔄 Netsh on the pivot host will forward this traffic to the internal host’s RDP port.

📉 Diagram: Network Traffic Flow

           [ Attacker Host ]
         (Kali / Linux Box)
                |
                | RDP via 8080
                v
    =======================================
    |  Pivot Host: Windows Workstation    |
    |  External: 10.129.xx.xx             |
    |  Internal: 172.16.xx.xx             |
    |  netsh Portproxy Configured:        |
    |  10.129.xx.xx:8080 --->  x          |
    |                         172.16.xx.xx:3389
    =======================================
                |
                | Internal Network
                v
       [ Internal Target Windows Host ]
            (RDP Enabled - Port 3389)

🧽 Cleanup

After the operation, remove the rule:

netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=$PIVOT_WIN_HOST

~ Maz4l 🤺

Port Forwarding

pivoting tunelling netsh rce xfreerdp ssh sshpass scp python server win10 linux

This post is licensed under CC BY 4.0 by the author.