double pivot issue

[komradz86]

following several write ups including this https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5 testing double pivot causing issue.

for example, when I pivot, one machine works , when I go to the 2 nd machine to do the double pivot, I receive a connection to ligolo, when I hit session - start I get an error that the tunnel is already used instead of asking me to switch to the other connect where you press Y and allow the 2nd pivot to work.

I looked all around the internet to see if anyone faced such issue. you are asked to specify another tunnel with --tun, while I am trying to have the same as double pivot using --tun ligolo.

[komradz86]

anyone

[n3rada]

Same problem here. It worked perfectly before, as the tutorials confirm:

• https://4pfsec.com/ligolo
• https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5

Now I have to implement a new interface:

sudo ip tuntap add user $(whoami) mode tun ligolo-dev
sudo ip link set ligolo-dev up

And to use the second pivot session:

tunnel_start --tun ligolo-dev

And because my targeted IP range is in the same subnet for the second pivot, I cannot add-it to the second interface. (In my particular case, I need this second pivot to spoof the targeted domain).

Before (i.e., release v.0.4.4), the tunnel switch from one session to another:

[Agent : root@appserver05] » start
? Tunnel already running, switch from NT AUTHORITY\SYSTEM@web05 to root@appserver05? Yes
[Agent : root@appserver05] » INFO[0209] Closing tunnel to root@appserver05...
INFO[0209] Starting tunnel to root@appserver05

With the v0.4.4 this behavior worked well tho'. Why having changed that @nicocha30?

[nicocha30]

@n3rada you can still stop the tunnel, and start another one, it's exactly what's done with the old behavior. I'm not seeing any issues here. If the targeted IP range is in the same subnet, then just change your routing table.

[n3rada]

Thanks for the answer @nicocha30! That's a good point, but it's not enough. Because I need my first tunnel to carry my traffic. Then I need to set up another pivot in a machine that can only be reached by the first pivot.

What's your recommendation for multiple pivots with the new implementation? Clearly, it's not as simple as before, with the need to create other interfaces manually and so on. I think a quick tutorial in README.md might be useful, don't you think?

[deadloot]

when double pivoting through the first tunnel forwarding ligolo 11601 from the agent to the proxy, I cannot stop the first tunnel. obviously killing the tunnel kills my route and session on my internal target i want to continue pivoting from.

the simplicity of the previous implementation is key. you could easily switch between sessions. now, one needs to create multiple tuntap devices, setting the links up, and creating specific routes to each tuntap device instead of having it all managed with the single ligolo tunnel

[komradz86]

I actually solved it and forgot about this question, I added a new tuntap and started the second connection to that tuntap and worked very well

[n3rada]

Of course, that's the workaround @komradz86. But it's not very user-friendly and we're polluting our interfaces. Also, as #60 suggests, it would be nice if it was totally behind the scenes and not something the user has to do.

[nicocha30]

The old Ligolo-ng version never handled multiple tunnels. I don't know why you say that obviously killing the tunnel kills my route and session on my internal target i want to continue pivoting from. as this is the old behavior.

The new versions of Ligolo-ng allows you to use multiple tunnels, and to do that, it use multiple interfaces.

The old behavior is kill the tunnel, then start the new one. If you want the same behavior as the old Ligolo-ng, use tunnel_stop then tunnel_start, that's all.

I will change the error message to say "Either stop the current tunnel or use another tun interface" and implement #60.

You're complaining that tutorials using older versions of Ligolo-ng don't reflect the newer versions. What should I do? Eliminate the ability to manage several tunnels at once?

This is not an issue here. Tutorials/writeups needs to be updated, or use the Ligolo-ng version showcased on the tutorial.

[n3rada]

For me, you've explained well the things.

My primary concern stems from the lack of comprehensive documentation outlining these new changes. Users, including myself, often rely on available write-ups and tutorials to understand and implement double pivoting with your tool. When significant changes occur, it can lead to confusion and hinder effective usage.

The implementation of issue #60 will undoubtedly simplify the process, but I believe that providing a detailed Wiki or an updated README.md tutorial would greatly benefit the community. Clear instructions and examples on handling multiple tunnels and interfaces would help users adapt to the new functionalities seamlessly.

[nicocha30]

Fyi, @n3rada , I implemented #60

[n3rada]

@nicocha30, you are the best! That was my true request. Btw, why not closing this issue since this is clearly not an issue as we have discussed?

[komradz86]

thats great! Thanks @nicocha30