This program forwards network traffic from your local machine to a remote machine, but does so over a separate TCP connection that is initiated by the remote machine. This bypasses firewalls that only block inbound connections, and it also makes the traffic appear to the remote machine to originate locally (so you can remotely access ports that are only listening for local connections). For a detailed video explanation of this concept, see here


Client side (your own machine):

PT.exe -p Port [-c TunnelPort]

Server side (the remote machine you want to access a port on):

PT.exe -s IpAddress -p Port [-c TunnelPort]


-p Port

In client mode (no -s option specified) this specifies the port on the local machine to listen for traffic on, which will then be forwarded to the remote server.
In server mode (-s option is specified) this is the port that will be opened up to receive traffic from the remote machine specified by the -s option.

-s IpAddress

Enables server mode and specifies the IP address to connect to and receive forwarded traffic from (this should be the IP address of the machine running the client side command).

-c Port

The port to be used for tunnel communication. Defaults to 9966 if not specified. This is the port on the client that the server will attempt its initial outbound connection to, so it only needs to be changed from the default if firewalls are blocking outbound connections on the default port number (9966) on the server, or if inbound connections to the client on that port are being blocked.


In this example the port we are forwarding is the PowerShell remoting port (port 5985), so you might need to stop the WinRM service on your own machine first to allow PT.exe to listen on that port.

On your own machine:

PT.exe -p 5985

Then on the remote machine you want to expose port 5985 from:

PT.exe -s -p 5985

This is assuming was the IP address of your own machine that you ran the previous command above on.

After running these two commands, any connections to port 5985 on your own machine will be forwarded on to the remote machine on port 5985 and will appear to originate locally to the remote machine. So now we can connect to a PowerShell session on our own machine like so, and it will actually connect us to the remote machine:

Enter-PsSession localhost
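
The server-side behaviour described above leaves a recognisable shape in the remote machine's connection table: one process holds an outbound connection to another host (the tunnel) and, at the same time, client connections over loopback to a local listening port. The following triage check is an added example, not part of PT.exe or of the original page. It assumes the relay reaches the local service over loopback, the `netstat -ano` sample is constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` excerpt from a server-side host; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address       Foreign Address     State        PID
  TCP    0.0.0.0:5985        0.0.0.0:0           LISTENING    4
  TCP    0.0.0.0:445         0.0.0.0:0           LISTENING    4
  TCP    10.0.0.5:49712      10.0.0.9:9966       ESTABLISHED  4321
  TCP    127.0.0.1:49713     127.0.0.1:5985      ESTABLISHED  4321
  TCP    127.0.0.1:5985      127.0.0.1:49713     ESTABLISHED  4
  TCP    10.0.0.5:49800      10.0.0.20:443       ESTABLISHED  2200
  TCP    10.0.0.5:445        10.0.0.30:51000     ESTABLISHED  4
"""

def _split(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (ip_address, int port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def parse(text):
    """Return (laddr, lport, raddr, rport, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            rows.append((*_split(f[1]), *_split(f[2]), f[3], int(f[4])))
    return rows

def find_relays(text):
    """Flag PIDs that initiated both an off-host connection and a loopback
    connection to a port that is listening on this host."""
    rows = parse(text)
    listening = {lport for _, lport, _, _, state, _ in rows if state == "LISTENING"}
    outbound, local_hits = defaultdict(list), defaultdict(list)
    for laddr, lport, raddr, rport, state, pid in rows:
        if state != "ESTABLISHED" or lport in listening:
            continue  # keep only connections this host initiated
        if raddr.is_loopback:
            if rport in listening:
                local_hits[pid].append(rport)      # client side of a local service
        else:
            outbound[pid].append((str(raddr), rport))  # candidate tunnel peer
    return {pid: {"tunnel_peers": outbound[pid],
                  "local_ports": sorted(set(local_hits[pid]))}
            for pid in outbound if pid in local_hits}

if __name__ == "__main__":
    print(find_relays(SAMPLE))
```

Legitimate proxies and management agents can match the same pattern, so treat a hit as a lead to check against the owning process and the peer address rather than as a verdict.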