macOS support

nicocha30 · Jun 23, 2024 · a503a37 · a503a37
1 parent bbb00ed
commit a503a37
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,9 @@ You use Ligolo-ng for your penetration tests? Did it help you pass a certificati
     - [Using your own TLS certificates](#using-your-own-tls-certificates)
     - [Automatic self-signed certificates](#automatic-self-signed-certificates)
   - [Using Ligolo-ng](#using-ligolo-ng)
+    - [Start the agent](#start-the-agent)
+    - [Start the tunneling](#start-the-tunneling)
+    - [Setup routing](#setup-routing)
   - [Agent Binding/Listening](#agent-bindinglistening)
   - [Access to agent's local ports (127.0.0.1)](#access-to-agents-local-ports-127001)
   - [Agent as server (Bind)](#agent-as-server-bind)
@@ -171,6 +174,7 @@ To ignore all security mechanisms, the `-ignore-cert` option can be used with th
 > Beware of man-in-the-middle attacks! This option should only be used in a test environment or for debugging purposes.
 ### Using Ligolo-ng
 
+#### Start the agent
 
 Start the *agent* on your target (victim) computer (no privileges are required!):
 
@@ -193,7 +197,19 @@ ligolo-ng » session
 ? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000
 ```
 
-Display the network configuration of the agent using the `ifconfig` command:
+#### Start the tunneling
+
+Start the tunnel on the proxy, using the `evil-cha` interface name.
+
+```
+[Agent : nchatelain@nworkstation] » tunnel_start --tun evil-cha
+[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation   
+```
+> On macOS, you need to specify a utun[0-9] device, like utun4.
+
+#### Setup routing
+
+First, display the network configuration of the agent using the `ifconfig` command:
 
 ```
 [Agent : nchatelain@nworkstation] » ifconfig 
@@ -209,22 +225,21 @@ Display the network configuration of the agent using the `ifconfig` command:
 └──────────────┴──────────────────────────────┘
 ```
 
-Add a route on the *proxy/relay* server to the *192.168.0.0/24* *agent* network.
+Then setup routes accordingly.
 
-*Linux*:
+**Linux**:
 
-**Using the terminal:**
+*Using the terminal:*
 ```shell
 $ sudo ip route add 192.168.0.0/24 dev ligolo
 ```
-**Or using the Ligolo-ng (>= 0.6) cli:**
+*Or using the Ligolo-ng (>= 0.6) cli:*
 ```
 ligolo-ng » interface_add_route --name evil-cha --route 192.168.2.0/24
 INFO[3206] Route created.                               
 ```
 
-
-*Windows*:
+**Windows**:
 ```
 > netsh int ipv4 show interfaces
 
@@ -235,20 +250,12 @@ Idx     Mét         MTU          État                Nom
 > route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]
 ```
 
-Start the tunnel on the proxy, using the default `ligolo` interface name:
+**macOS:**
 
 ```
-[Agent : nchatelain@nworkstation] » tunnel_start
-[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation   
-```
-
-You can also specify a custom tuntap interface using the ``--tun iface`` option:
-
+$ sudo ifconfig utun4 alias [random_ip] 255.255.255.0
+$ sudo route add -net 192.168.2.0/24 interface utun4
 ```
-[Agent : nchatelain@nworkstation] » tunnel_start --tun mycustomtuntap
-[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation   
-```
-
 
 You can now access the *192.168.0.0/24* *agent* network from the *proxy* server.
 

diff --git a/pkg/proxy/netstack/tun/wireguard_darwin.go b/pkg/proxy/netstack/tun/wireguard_darwin.go
@@ -0,0 +1,3 @@
+package tun
+
+const offset = 4
diff --git a/pkg/proxy/netstack/tun/wireguard_ep.go b/pkg/proxy/netstack/tun/wireguard_ep.go
@@ -53,25 +53,24 @@ func (m *RWEndpoint) Attach(dispatcher stack.NetworkDispatcher) {
 func (m *RWEndpoint) dispatchLoop() {
 	for {
 		packet := make([]byte, m.mtu)
-
-		n, err := m.wgdev.Read(packet, 0)
+		// Complying with macOS bullshit - I bought a Mac Mini to solve this nonsense. @phocean you lied, it sucks
+		n, err := m.wgdev.Read(packet, offset)
 		if err != nil {
 			break
 		}
 		if n > int(m.mtu) {
 			// Not sure why it happens, discard packet - https://github.com/nicocha30/ligolo-ng/issues/54
 			continue
 		}
-
 		if !m.IsAttached() {
 			continue
 		}
 
 		pkb := stack.NewPacketBuffer(stack.PacketBufferOptions{
-			Payload: buffer.MakeWithData(packet[:n]),
+			Payload: buffer.MakeWithData(packet[offset : n+offset]),
 		})
 
-		switch header.IPVersion(packet) {
+		switch header.IPVersion(packet[offset:]) {
 		case header.IPv4Version:
 			m.dispatcher.DeliverNetworkPacket(header.IPv4ProtocolNumber, pkb)
 		case header.IPv6Version:
@@ -103,7 +102,10 @@ func (m *RWEndpoint) WritePacket(pkt stack.PacketBufferPtr) tcpip.Error {
 	pktBuf := pkt.ToBuffer()
 	buf.Merge(&pktBuf)
 
-	if _, err := m.wgdev.Write(buf.Flatten(), 0); err != nil {
+	// Complying with macOS bullshit
+	offsetBuf := make([]byte, offset)
+
+	if _, err := m.wgdev.Write(append(offsetBuf, buf.Flatten()...), offset); err != nil {
 		return &tcpip.ErrInvalidEndpointState{}
 	}
 	return nil

diff --git a/pkg/proxy/netstack/tun/wireguard_windows.go b/pkg/proxy/netstack/tun/wireguard_windows.go
@@ -0,0 +1,3 @@
+package tun
+
+const offset = 0