# Introduction
- [Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html), short for PuTTY Link, is a Windows command-line SSH tool that comes as a part of the PuTTY package when installed. Similar to SSH, Plink can also be used to create dynamic port forwards and SOCKS proxies
- When on a penetration test, if we encounter a locked down Windows host that we want to use as a pivot and we cannot download our tools to it without being exposed, simply live off the land for pivoting
- If the host is older and PuTTY is present (or we can find a copy on a file share), Plink can be our path to creating a stable pivot
![[images/Pasted image 20251022162050.png]]
# Using `plink.exe`
- First, start a `plink.exe` process on Windows attack host that is directed to pivot host
```cmd
plink -ssh -D 9050 ubuntu@<external_ip_pivot_host>
```
- Second, use `Proxifier` to start a SOCKS tunnel via the plink ssh session
- Windows-based tool that cerates a tunneled network for desktop client apps thorugh a SOCKS or HTTPS proxy
- Configure SOCKS server for 127.0.0.1 and port 9050 (similar to `/etc/proxychains4.conf` file)![[images/Pasted image 20251022190142.png]]
- Finally, we can we can directly use `mstsc.exe` to start an RDP session with the downstream Windows target