architecture - ttpreport/ligolo-mp GitHub Wiki

General idea

An operator connects to the Ligolo-MP server using the client binary. Next, on a compromised machine, the operator runs an agent - a generated binary implant, which establishes a session with the server. The new session is immediately visible on the dashboard. Then the operator configures routes, which define how operators address the target network or machine. Finally, to enable the pivot, the operator starts a relay - a network connection between the Ligolo-MP server and an agent. Operators can also create redirectors to, for example, chain connections through agents in cases where the target machine can't directly reach the server.

Singleplayer setup

Singleplayer mode basically combines the client and the team server capabilities on the same machine, but all of that is seamless: you just need to run the Ligolo-MP binary and use it exactly the same way you would in multiplayer mode.

Why do you need a separate client binary then? Only because the server currently supports Linux only, and having a separate client binary that supports more operating systems helps avoid confusion. The two will converge into a single binary if I decide to implement server functionality for other architectures.

Multiplayer setup

While you can just run everything on your laptop, one of the main benefits of this solution is multiplayer. In that case, it's expected that the engagement is operated via attack infrastructure (e.g. C2 servers, phishing infrastructure, etc.) and operators share all the pivots via a specialized attack machine. How operators tunnel their traffic to this attack machine is out of scope for Ligolo-MP - you can use your WireGuard, OpenVPN or even just an sshuttle tunnel, whatever your team sees fit. This type of setup is depicted in the diagram below:

Architecture Diagram

In this example, all the operators end up with an effectively flat target network: they can address both 192.168.15.0/26 and 10.10.10.0/24 as if they were on the same network as those hosts. Furthermore, an additional loopback route allows them to address the machine 192.168.15.100 as if they were on that machine itself (e.g. accessing services that listen on 127.0.0.1).
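The route, relay and redirector concepts from the general idea and from this example can be made concrete with a small model. The following is an added illustration, not Ligolo-MP's own code or API: it matches an operator's destination address against configured routes (most specific prefix wins), reports which agent session carries the traffic and through which redirector chain, and shows a loopback route delivering to 127.0.0.1 on the agent host. The class names (`Agent`, `Route`, `Resolution`), the `via` field for redirector chaining, the choice to model the loopback route as a /32 on the agent's own address, and the topology below are all assumptions made for the example.

```python
"""Route resolution model for a Ligolo-MP style pivot (added example, assumptions labelled)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Agent:
    name: str
    # Assumed field: name of the agent whose redirector this agent connects
    # through, or None when the agent reaches the server directly.
    via: Optional[str] = None


@dataclass
class Route:
    network: ipaddress.IPv4Network
    agent: str              # agent session that carries traffic for this prefix
    loopback: bool = False  # deliver to 127.0.0.1 on the agent host instead


@dataclass
class Resolution:
    agent: str
    path: List[str]         # server -> ... -> agent, walking redirectors
    destination: str        # address the agent actually connects to


def longest_prefix_match(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Return the most specific route containing dst, or None if nothing matches."""
    best = None
    for r in routes:
        if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def chain_to_server(agents: Dict[str, Agent], name: str) -> List[str]:
    """Walk 'via' links from an agent back to the server; returns server-to-agent order."""
    path, seen, cur = [], set(), name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"redirector loop at {cur}")
        seen.add(cur)
        path.append(cur)
        cur = agents[cur].via
    path.reverse()
    return path


def resolve(agents: Dict[str, Agent], routes: List[Route], dst_str: str) -> Optional[Resolution]:
    """Map an operator's destination address to an agent, its path and the final destination."""
    dst = ipaddress.IPv4Address(dst_str)
    route = longest_prefix_match(routes, dst)
    if route is None:
        return None  # no pivot covers this address
    destination = "127.0.0.1" if route.loopback else str(dst)
    return Resolution(route.agent, chain_to_server(agents, route.agent), destination)


# Constructed topology mirroring the wiki example (assumptions, not a real deployment):
# "dmz" runs on 192.168.15.100 and reaches the server directly; "internal" cannot
# reach the server and connects through a redirector on "dmz".
AGENTS: Dict[str, Agent] = {
    "dmz": Agent("dmz"),
    "internal": Agent("internal", via="dmz"),
}
ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("192.168.15.0/26"), "dmz"),
    Route(ipaddress.IPv4Network("10.10.10.0/24"), "internal"),
    Route(ipaddress.IPv4Network("192.168.15.100/32"), "dmz", loopback=True),
]


def demo() -> List[Optional[Resolution]]:
    """Resolve a few constructed destinations through the model above."""
    return [resolve(AGENTS, ROUTES, d) for d in ("192.168.15.7", "10.10.10.5", "192.168.15.100", "8.8.8.8")]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that 192.168.15.100 lies outside 192.168.15.0/26 (which only covers .0 to .63), so in this model the loopback route is the only reason that address is reachable at all, and a destination no route covers resolves to nothing rather than leaking out of the pivot.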

Next steps

To get an idea of why you might want all this complexity, continue to the Quality of Life features overview, or jump straight into server setup or client setup.