ssh -L <local-port>:<target-ip>:<target-port> <user>@<ssh-ip> -fN

Suppose we have SSH access to 172.16.0.5 and there is a Windows server with IP 192.168.1.110 that we want to reach on port 445.

By tunnelling, we can access it with tools like netcat / smbclient pointed at the local port on the attacker machine. -L sets up the port forward, -f sends ssh to the background, and -N tells ssh not to execute any command.

<aside> 👨‍💻 If the Windows server is 2016, change the Samba configuration file to use SMBv2, as 2016 does not support v1. Open the file with sudo nano /etc/samba/smb.conf, then add this line: min protocol = SMB2. Restart the service with sudo /etc/init.d/smbd restart

</aside>
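Whether the -L forward above is accepted is decided by the sshd_config on the SSH host (172.16.0.5 in this scenario). The following Python check is an added example, not part of the original notes: it evaluates the AllowTcpForwarding and PermitOpen settings for a given destination. The sample configs, the function names and the 10.0.0.x addresses are constructed, and the code assumes only the global section matters and that the first value seen for a keyword wins.

```python
# Added example: would this sshd_config accept an `ssh -L` forward to host:port?
# Assumptions: global section only (parsing stops at the first Match block);
# the first value seen for a keyword wins; PermitOpen entries are host:port
# with "*" allowed as the port, or the keywords "any" / "none".

# Constructed sample configs, not taken from a real host.
DEFAULT_CONFIG = """
# stock settings: forwarding is on unless disabled
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
AllowTcpForwarding local
PermitOpen 10.0.0.8:5432 10.0.0.9:*
"""

def parse_global(config_text):
    """Return {keyword_lower: [args]} for the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "match":
            break                      # per-user/per-host overrides not modelled
        if len(parts) < 2:
            continue                   # keyword without an argument: ignore
        settings.setdefault(parts[0].lower(), parts[1:])
    return settings

def local_forward_allowed(config_text, host, port):
    """True if a client's -L forward to host:port would be accepted."""
    cfg = parse_global(config_text)
    mode = cfg.get("allowtcpforwarding", ["yes"])[0].lower()
    if mode not in ("yes", "all", "local"):
        return False                   # "no" and "remote" both block -L
    targets = cfg.get("permitopen", ["any"])
    if targets[0].lower() == "any":
        return True
    if targets[0].lower() == "none":
        return False
    for target in targets:
        t_host, _, t_port = target.rpartition(":")
        if t_host == host and t_port in ("*", str(port)):
            return True
    return False
```

With the default config the forward to 192.168.1.110:445 is accepted; with the hardened one, only the listed destinations can be reached through the SSH host.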