ligolo-ng icon indicating copy to clipboard operation
ligolo-ng copied to clipboard

Published 20 hours ago verified publisher icon nicocha30

Adding websockets protocol + additional features

Open virusvfv opened this issue 1 year ago • 4 comments

Hi again ) I re-coded my websocket branch according your December commits:

  • Mainly added websocket support. This is very useful when you trying to hide C2 server behind CDN (such as Cloudflare of AWS Cloudfront)
  • Added auto-start agent feature
  • Added httpproxy support. username and password field moved to proxy Url. ex: socks://admin:[email protected]:1080 or http://admin:[email protected]:8080
  • Added agent sname param to covering you C2 domain by google.com or microsoft.com ))

Please review commits and merge it.. Regards

virusvfv avatar Jan 21 '24 15:01 virusvfv

Hey @virusvfv! Thanks for the PR! I will review this ASAP

nicocha30 avatar Jan 22 '24 10:01 nicocha30

@nicocha30 do you have an estimation when you ll be able to merge this? It is an excellent work by @virusvfv which adds some MUST HAVE features!

georak avatar Mar 15 '24 10:03 georak

EDIT: Got this working after getting some added info from @virusvfv Here is what is required for others to see:

Kali: ./proxy -selfcert -laddr https://0.0.0.0:443 Win10: agent.exe -v -connect https://mydomain.com -ignore-cert

On Cloudflare with noTLSVerify enabled, so no TLS checks (no other settings changed): mydomain.com tunelling to ---> https://0.0.0.0.0:443

Definitely a brilliant feature for ligolo now I have used it.

========================================= Original Post:

Maybe this is the best place to put this. I have been testing this Websockets PR today and the auto start works really well and is a nice little addition. Good job.

For the life of me, I couldn't get it connecting to ligolo over Cloudflare either using autocert or selfcert. After downloading the Websockets branch my settings are:

Kali: proxy -selfcert Win10: agent.exe -v -connect https://mydomain.com -ignore-cert

On Cloudflare with noTLSVerify enabled, so no TLS checks (no other settings changed): mydomain.com tunelling to ---> tcp://mylocalIP:11601

Errors here: image image

Any thoughts would be very welcome as I would like to use Cloudflare on an upcoming engagement. Thanks

Cyb3rC3lt avatar Mar 26 '24 14:03 Cyb3rC3lt

I have continued to test this heavily and it is great for Cloudflare. I did notice 1 issue. When the autostart flag is used it struggles to receive a 2nd conection and won't open a second session. If I remove the autostart flag the 2nd session arrives without any problems. This is what I eventually see on session 2 when it is struggling:

image

Cyb3rC3lt avatar Apr 12 '24 17:04 Cyb3rC3lt

@nicocha30 do you have an estimation when you'll be able to merge this? It is an excellent work by @virusvfv which adds some MUST HAVE features!

Yes this is really amazing, would be great to use it with your recent fixes around listeners please.

Cyb3rC3lt avatar Jul 02 '24 15:07 Cyb3rC3lt

This PR will require significant work. The Ligolo-ng API has changed, and therefore some features in this PR will not work.

nicocha30 avatar Jul 02 '24 15:07 nicocha30

Hi all! I'll try to do this work at the weekend.

virusvfv avatar Jul 02 '24 20:07 virusvfv

Great job @virusvfv. I've done a recent blogpost in regards using your pull request if interested. It has been great for our team:

https://www.linkedin.com/posts/max-c-25571a191_putting-the-c2-in-c2loudflare-jumpsec-labs-activity-7212383613361754112-qvDE

Cyb3rC3lt avatar Jul 02 '24 20:07 Cyb3rC3lt

@virusvfv please make one PR per feature, it will be easier for me to review.

nicocha30 avatar Jul 02 '24 21:07 nicocha30

Added new PR with new branch with same name: Websockets

virusvfv avatar Jul 09 '24 11:07 virusvfv