Ligolo-ng
Steps
1. Agent Acquisition
Download the correct Ligolo-ng agent binary for the compromised host's OS from the official GitHub releases.
Transfer the agent binary to the compromised host.
2. Proxy Initialization (Attacker Machine)
Create TUN Interface:
Start Ligolo-proxy:
Lab Environment (Self-Signed):
Production/Realistic Test (Trusted CA):
(Replace <cert.pem> and <key.pem> with your certificate and key file paths.)
3. Agent Connection (Compromised Host)
Execute Agent:
(Use -ignore-cert ONLY with self-signed certificates. Replace <Attacker_IP> with your attacker machine's IP.)
4. Tunnel Establishment (Attacker Machine)
Ligolo-proxy Session:
Use the Ligolo-proxy command-line interface to select the active agent session.
Routing Configuration:
(Replace <Target_Network_CIDR> with the target network's CIDR notation, e.g., 192.168.1.0/24.)
Start Tunnel:
Within the Ligolo-proxy session, type:
5. Verification and Usage (Attacker Machine)
Use tools like Nmap, Metasploit, or any other network tool to interact with the target network as if you were directly connected.
6. Advanced (Double Pivoting)
Second TUN:
Listener Forwarding:
Second Agent:
Execute the agent on the next compromised host, connecting to the first compromised host's forwarded port.
Second Route:
🔐 Key Considerations
Certificates: Use trusted certificates for real-world scenarios to avoid detection.
Listeners: Ensure proper listeners are set for reverse shells and file transfers.
Routing: Verify correct routing configurations to avoid connectivity issues.
Environment Variables: Using $USER makes the TUN interface creation more portable.
CIDR Notation: Use CIDR notation for network routes, which is standard practice.
Safety: Use the -ignore-cert flag only with self-signed certificates.
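Detection-side view of step 3, as an added example that is not part of the original notes or the Ligolo-ng project: it classifies process command lines that combine the -ignore-cert flag with a host:port connect target, matching on arguments rather than the binary name. The -connect flag name (from the agent's usage, not shown on this page), the event layout, POSIX-style command lines, and all sample events are assumptions.

```python
import re
import shlex

# Constructed process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("web01", "www-data", "/tmp/agent -connect 203.0.113.10:11601 -ignore-cert"),
    ("web01", "www-data", "/dev/shm/updater --connect=203.0.113.10:443 --ignore-cert"),
    ("db02", "svc", "./agent -connect proxy.example.test:11601"),
    ("app03", "deploy", "curl -k https://203.0.113.10:11601/health"),
    ("app03", "deploy", "openssl s_client -connect 10.0.0.5:443"),
]

HOSTPORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_flags(cmdline):
    """Return {flag: value or None} for Go-style flags (-f, --f, -f=v, -f v)."""
    tokens = shlex.split(cmdline)[1:]  # drop argv[0]: a file name is easy to change
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and tok.lstrip("-"):
            name, eq, value = tok.lstrip("-").partition("=")
            if not eq:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if nxt is not None and not nxt.startswith("-"):
                    value = nxt
                    i += 1
                else:
                    value = None
            flags[name] = value
        i += 1
    return flags


def classify(cmdline):
    flags = parse_flags(cmdline)
    has_target = bool(HOSTPORT.match(flags.get("connect") or ""))
    if "ignore-cert" in flags and has_target:
        return "high"    # outbound connect with certificate validation disabled
    if "ignore-cert" in flags or has_target:
        return "review"  # one indicator alone: other tools share these flag names
    return "none"


def findings(events):
    """Keep only events that need attention, with their classification."""
    return [(h, u, classify(c)) for h, u, c in events if classify(c) != "none"]
```

The openssl sample lands in "review" rather than "high" because -connect alone is shared with legitimate tools; pair the result with destination and parent-process context before alerting.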