# Introduction
- [Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html), short for PuTTY Link, is a Windows command-line SSH tool that is installed as part of the PuTTY package. Similar to SSH, Plink can also be used to create dynamic port forwards and SOCKS proxies
- On a penetration test, if we encounter a locked-down Windows host that we want to use as a pivot and we cannot download our tools to it without being exposed, we can simply live off the land for pivoting
- If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to creating a stable pivot

![[images/Pasted image 20251022162050.png]]

# Using `plink.exe`
- First, start a `plink.exe` process on the Windows attack host that is directed at the pivot host
```cmd
plink -ssh -D 9050 ubuntu@<external_ip_pivot_host>
```
- Second, use `Proxifier` to start a SOCKS tunnel via the Plink SSH session
	- Windows-based tool that creates a tunneled network for desktop client apps through a SOCKS or HTTPS proxy
	- Configure the SOCKS server as 127.0.0.1 and port 9050 (similar to the `/etc/proxychains4.conf` file)

![[images/Pasted image 20251022190142.png]]
- Finally, we can directly use `mstsc.exe` to start an RDP session with the downstream Windows target
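
From the defender's side, the `plink -ssh -D 9050 ...` invocation above leaves a recognisable process-creation command line. The following is an added example, not part of the original notes: a small triage routine that flags SSH clients started with a forwarding switch, generalised from `-D` to `-L` and `-R` as well. The event records, host names and addresses are constructed, and the `CommandLine` field name assumes Sysmon Event ID 1 style logging.

```python
import shlex

# Forwarding switches shared by plink and OpenSSH ssh (case-sensitive).
FORWARD_FLAGS = {"-D": "dynamic-socks", "-L": "local", "-R": "remote"}
SSH_CLIENTS = {"plink", "putty", "ssh"}

def find_forwards(cmdline):
    """Return [(kind, spec), ...] when cmdline runs an SSH client with port forwarding."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslashes
    except ValueError:                              # unbalanced quotes: naive split
        tokens = cmdline.split()
    if not tokens:
        return []
    # Reduce the first token to a lower-case image name without path or extension.
    image = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    if image not in SSH_CLIENTS:
        return []
    forwards = []
    for i, tok in enumerate(tokens[1:], start=1):
        kind = FORWARD_FLAGS.get(tok[:2])
        if kind is None:
            continue
        # Accept "-D 9050" (as in the notes) and the joined form "-D9050".
        spec = tok[2:] or (tokens[i + 1] if i + 1 < len(tokens) else "")
        forwards.append((kind, spec))
    return forwards

# Constructed process-creation records; only the CommandLine field is inspected.
SAMPLE_EVENTS = [
    {"host": "WS01", "CommandLine": r'plink -ssh -D 9050 ubuntu@203.0.113.10'},
    {"host": "WS02", "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -ssh -batch admin@198.51.100.7 uptime'},
    {"host": "WS03", "CommandLine": r'"C:\Users\Public\plink.exe" -ssh -L 13389:10.0.0.5:3389 ubuntu@203.0.113.10'},
    {"host": "WS04", "CommandLine": r'C:\Windows\System32\mstsc.exe /v:10.0.0.5'},
]

def triage(events):
    """Return (host, kind, spec) for every forwarding SSH client seen in events."""
    return [(e["host"], kind, spec)
            for e in events for kind, spec in find_forwards(e["CommandLine"])]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Matching on the image name alone misses a renamed copy of the binary, so treat this as a first-pass filter and pair it with network telemetry for outbound SSH from workstations.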