implement local port redirect #15

nicocha30 · Dec 30, 2023 · f4d5e39 · f4d5e39
1 parent e74b23b
commit f4d5e39
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -32,7 +32,9 @@ You use Ligolo-ng for your penetration tests? Did it help you pass a certificati
     - [Using Let's Encrypt Autocert](#using-lets-encrypt-autocert)
     - [Using your own TLS certificates](#using-your-own-tls-certificates)
     - [Automatic self-signed certificates (NOT RECOMMENDED)](#automatic-self-signed-certificates-not-recommended)
+  - [Using Ligolo-ng](#using-ligolo-ng)
   - [Agent Binding/Listening](#agent-bindinglistening)
+  - [Access to agent's local ports (127.0.0.1)](#access-to-agents-local-ports-127001)
 - [Demo](#demo)
 - [Does it require Administrator/root access ?](#does-it-require-administratorroot-access-)
 - [Supported protocols/packets](#supported-protocolspackets)
@@ -256,6 +258,29 @@ You can view currently running listeners using the `listener_list` command and s
 INFO[1505] Listener closed.                             
 ```
 
+### Access to agent's local ports (127.0.0.1)
+
+If you need to access the local ports of the currently connected agent, there's a "magic" IP hardcoded in Ligolo-ng: *240.0.0.1* ( This IP address is part of an unused IPv4 subnet).
+If you query this IP address, Ligolo-ng will automatically redirect traffic to the agent's local IP address (127.0.0.1).
+
+Example:
+
+```
+$ sudo ip route add 240.0.0.1/32 dev ligolo
+$ nmap 240.0.0.1 -sV
+Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-30 22:17 CET
+Nmap scan report for 240.0.0.1
+Host is up (0.023s latency).
+Not shown: 998 closed tcp ports (conn-refused)
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
+8000/tcp open http SimpleHTTPServer 0.6 (Python 3.9.2)
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds
+```
+
 ## Demo
 
 

diff --git a/pkg/proxy/netstack/handlers.go b/pkg/proxy/netstack/handlers.go
@@ -93,6 +93,13 @@ func HandlePacket(nstack *stack.Stack, localConn TunConn, yamuxConn *yamux.Sessi
 
 	logrus.Debugf("Got packet source : %s - endpointID : %s:%d", endpointID.RemoteAddress, endpointID.LocalAddress, endpointID.LocalPort)
 
+	targetIp := endpointID.LocalAddress.String()
+	if endpointID.LocalAddress.String() == "240.0.0.1" {
+		logrus.Debug("MagicIP detected, redirecting to agent local machine")
+		// Magic IP detected
+		targetIp = "127.0.0.1"
+	}
+
 	yamuxConnectionSession, err := yamuxConn.Open()
 	if err != nil {
 		logrus.Error(err)
@@ -101,7 +108,7 @@ func HandlePacket(nstack *stack.Stack, localConn TunConn, yamuxConn *yamux.Sessi
 	connectPacket := protocol.ConnectRequestPacket{
 		Net:       protonet,
 		Transport: prototransport,
-		Address:   endpointID.LocalAddress.String(),
+		Address:   targetIp,
 		Port:      endpointID.LocalPort,
 	}