Skip to content

Advanced Tunnel / Double Pivot

Read the docs!

Make sure you have read the "Basic Tunneling" or "Quickstart" part of the documentation before following this guide!

Sometimes it is necessary to install a tunnel with a pivot. This is the case when you want to bounce onto a restricted network from a machine that doesn't have direct access to the Internet or to the Ligolo-ng daemon, but that machine can contact a host you've already compromised.

Thanks to Ligolo-ng's listeners feature, you can listen to a port on a Ligolo-ng agent, then retransmit connections to the Ligolo-ng proxy.

This tutorial simply explains how to establish a Ligolo-ng connection through a pivot.

Advanced Tunnel Graph

Tutorial

On the Ligolo-ng Server

Start the Ligolo-ng server.

Start Ligolo

On Agent 1

Connect the Agent 1 to the Ligolo-ng server.

Connect Agent 1

Create a Listener using the listener_add command.

listener_add takes two mandatory parameters:

  • --addr: specifies which ip:port should be listening on the agent.
  • --to: specifies where the connection will be relayed.

Info

You can also use --tcp or --udp to specify which protocol to use. (Default is TCP)

If you run: listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:11601:

  • The agent will listen on 0.0.0.0:4444
  • Any connections on this ip:port will be relayed to the 11601 TCP local port of the Ligolo-ng daemon.

Add Listener

Info

11601 is the default Ligolo-ng daemon server port. Any connections to the agent IP on port 4444 will be relayed to the Ligolo-ng local port!

You can confirm that the listener is running on agent 1 by using the listener_list command:

Listener list

On Agent 2

After running the listener_add command on the first agent, you can execute the Ligolo-ng agent on the second server (which does not have Internet access).

Instead of specifying the IP:PORT of the Ligolo-ng daemon, you have to specify the IP of the first agent and the listening port used in listener_add (in our example, 4444).

$ ./ligolo-agent --connect 10.24.0.30:4444

Connect Agent 2

After that, you should have a new agent connected to Ligolo-ng:

Agent 2 connected

You can now setup the Ligolo-ng tunnel targeting the Agent 2 private network.

Agent 2 Setup

Once the tunnel is started, you can now access the private network resources!

Access to Agent 2 Resources