Ligolo-ng, pivoting avanzado de la mano de Go

Ligolo-ng, advanced pivoting of the Go hand

Celia Catalán


Very good, during this installment we will talk about a tool that makes the topic of tunnels much easier. Don't get lost in it! .

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a virtual “tun” interface (no need for SOCKS). Unlike Chisel or other tools, with Ligolo-ng we do not need to use SOCKS, but rather through virtual interfaces we will create a tunnel (in true VPN style).

Thanks to this, we will be able to run tools like Nmap without having to use proxychains, so pivoting tasks become easier and faster, since one of the advantages of Ligolo-ng is a significant improvement in the performance of connections compared to to the use of SOCKS. We will have faster and more stable connections. 

Below, we detail how to use this tool correctly:

Get-ready

Agent – Victim machine

Proxy – Attacking machine

First of all, we will download the binaries that we will need to our working directory. We leave you the official Ligolo-ng repository: .
 
We have the possibility of downloading the source code or the already compiled binary. For convenience in this case, we will download both the agent binary and the proxy binary depending on the operating systems we are going to use (in our case Linux):

If you choose to download the source code (GO), we will use the following commands to compile it:

Linux:


Windows: 


Configure Ligolo-ng:

Ligolo-ng is based on a virtual interface through which a tunnel will be established between the victim machine and the attacker, which is why it will be necessary to first set up the “tun” interface on which Ligolo-ng relies:



We consult the options that the proxy offers us:




Where we are presented with the different TLS certificate options that we have:

  • Autocert: The proxy will automatically request a certificate using Lets encrypt. This option requires accessibility to port 80.
  • Certfile / -keyfile: If we want to use our own certificates.
  • Selfcert: Will automatically generate a self-signed certificate. This option is the least recommended in terms of security, but if we are working in an isolated laboratory or testing environment, it is a valid option.
  • Tun : In case you have chosen another name for the interface.
  • Laddr The default listening interface is 0.0.0.0:11601, to define another interface we will indicate it using this command.
We launch the proxy with the default configuration, using self-signed certificates to encrypt the connection

On the attacking machine:


On the victim machine:


We would already have the session created:


Now we select the session we just created on the proxy (attacking machine):


We will always have to indicate which session we want to work on. Once the session has ended we can carry out different actions:


From the proxy itself we can consult the network interfaces that are set up in the agent (victim) using the ifconfig command:


In order to reach this new network (192.168.1.0/24) we will have to tell our attacking machine to redirect traffic destined for 192.168.1.0/24 through the Ligolo tunnel that we just created. To do this, we add the following static route to the routing table of the attacking machine: 


And finally we start the tunnel: 



I show you in the following diagram what has been done so far:


And now we move on to verify that we reach the new subnet (192.168.1.0/24) through the victim's eth1 interface:


bridge link

The agents allow listening on pre-established ports, so that all incoming traffic to those ports is redirected directly to the attacking machine. 

From the proxy (attacker) and on the same session that we had established, we set up a listener on the agent (victim): 



Any incoming traffic on the victim machine destined for port 1234 will be redirected to the attacking machine at port 4321. This is very useful when we have to execute a reverse payload towards the attacking machine or download files on the victim from an HTTP server hosted on the attacking machine. 



We move forward looking like this, an example of a reverse shell would be this:


We can manage each of the listeners created using listener_list and listener_stop/start.


Pivoting between multiple machines

If we want to pivot between several machines, we can create as many sessions as we want using the listeners, in such a way that on each machine there is a listener listening on an established port that redirects us to the previous jump machine and so on, until we reach the port 11601 (default) from the attacking machine where proxy-ligolo is listening for requests from new agents (victims).

Example: from the 192.168.1.0/24 network (where the jumping machine is located) we raise the agent (victim 2) to the listener of the intermediate machine (victim 1) which will redirect us directly to the proxy-ligolo (attacker).

1. We configure the listener on the jumping machine (192.168.1.147) from the attacking machine:


2. On the new victim machine we launch the agent (victim 2) towards the listener of the intermediate jump machine (192.168.1.147:11601):


3. The connection will be redirected to the proxy-ligolo. A new session is established that will allow you to access new subnets:


Concluding with this practice we have carried out this exercise:

So far we have come! We hope it has been of interest and useful to everyone!
Let's fly, sorry, let's swing!!!! 

Alejandro Auñón, Offensive Security Senior Analyst atZerolynx.
return to blog

Leave a comment

Please note that comments must be approved before they are published.