Post Exploitationtunnelingpivotingtunreversetcptls

ligolo-ng

Advanced tunneling and pivoting tool that uses a TUN interface. Establishes tunnels from a reverse TCP/TLS connection without needing SOCKS.

Description

Ligolo-ng is a simple, lightweight, and fast tool designed for pentesters to create tunnels using a TUN interface over reverse TCP or TLS connections. It eliminates the need for SOCKS proxies, making it efficient for network pivoting during penetration tests.

The tool consists of two main binaries: ligolo-agent and ligolo-proxy. The agent runs on the target to establish connections, while the proxy manages the tunnel on the attacker's side. This setup allows for seamless network access and traffic forwarding in compromised environments.

It supports TLS for secure connections and features like certificate fingerprint validation and autocert for Let's Encrypt, enhancing its usability in real-world scenarios.

How It Works

Ligolo-ng operates by deploying a ligolo-agent on the target system, which binds to an IP:port or connects to a proxy, establishing a reverse TCP/TLS connection. The ligolo-proxy on the attacker's machine listens and manages the tunnel via a TUN interface, enabling direct IP routing and pivoting without SOCKS. It supports TLS certificate handling, domain restrictions, and API access for control.

Installation

bash

sudo apt install ligolo-ng

Flags

-accept-fingerprintaccept certificates matching the following SHA256 fingerprint (hex format)

-bindbind to ip:port

-connectconnect to proxy (domain:port)

-ignore-certignore TLS certificate validation (dangerous), only for debug purposes

-allow-domainsautocert authorised domains, if empty, allow all domains, multiple domains should be comma-separated.

-api-laddrAPI server listening address (default: 127.0.0.1:8080)

-autocertautomatically request letsencrypt certificates, requires port 80 to be accessible

-certfileTLS server certificate (default "certs/cert.pem")

Examples

Display help for ligolo-agent flags

ligolo-agent -h

Display help for ligolo-proxy flags

ligolo-proxy -h

Bind ligolo-agent to all interfaces on port 11601 for reverse connections

ligolo-agent -bind 0.0.0.0:11601

Connect ligolo-agent to remote proxy server

ligolo-agent -connect proxy.example.com:11601

Start ligolo-proxy with API server on localhost port 8080

ligolo-proxy -api-laddr 127.0.0.1:8080

Start ligolo-proxy with autocert for specified domain

ligolo-proxy -autocert -allow-domains example.com

Run agent accepting specific certificate fingerprint

ligolo-agent -accept-fingerprint abc123...

Updated 2026-04-16kali.org ↗