ligolo-ng

ligolo-ng

Verified 3503 Stars

An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

nicocha30
Red-team
May 30, 2025
3503 stars
View on GitHub
Share on:
X LinkedIn Facebook WhatsApp Telegram Reddit Email
Category
Red-team
GitHub Stars
3503
Project Added On
May 30, 2025
Contributors
9

README.md

View on GitHub

Ligolo-ng : Tunneling like a VPN

Ligolo Logo

An advanced, yet simple, tunneling tool that uses TUN interfaces.

GPLv3
Go Report
GitHub Sponsors
GitHub Downloads (all assets, all releases)

📑 Ligolo-ng Documentation (Setup/Quickstart)

[!TIP]
Ligolo-ng 0.8 added a lot of new features, including:
- 🌐 API and a beautiful Web Interface thanks to L’ami du Raisin, allowing multiplayer!
- ⚙️ Simple configuration file, to keep your tunneling/proxy settings
- 🚦 Daemon mode, to run Ligolo-ng as a service
- 🔗 Auto-bind, to automatically configure tunneling whenever a specific agent connects
- 📶 Easy and automatic (autoroute) route and interface management on Windows, Linux, MacOS and BSD!
- 💀 Agent kill, to remotely terminate an agent

Please try it out!
Release: Ligolo-ng 0.8

Ligolo Web

Table of Contents

Introduction

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish
tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

Features

  • Tun interface (No more SOCKS/Proxychains!)
  • Simple UI with agent selection and network information
  • Easy to use and setup
  • Automatic certificate configuration with Let’s Encrypt
  • Performant (Multiplexing)
  • Does not require privileges on the agent
  • Socket listening/binding on the agent
  • Multiple platforms supported for the agent
  • Can handle multiple tunnels
  • Reverse/Bind Connection
  • Automatic tunnel/listeners recovery (in case of network issues)
  • Websocket support

Demo

Ligolo-ng-demo.webm

How is this different from Ligolo/Chisel/Meterpreter… ?

Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.

When running the relay/proxy server, a tun interface is used, packets sent to this interface are
translated, and then transmitted to the agent remote network.

As an example, for a TCP connection:

  • SYN are translated to connect() on remote
  • SYN-ACK is sent back if connect() succeed
  • RST is sent if ECONNRESET, ECONNABORTED or ECONNREFUSED syscall are returned after connect
  • Nothing is sent if timeout

This allows running tools like nmap without the use of proxychains (simpler and faster).

How to use - documentation - tutorial

You will find the documentation for Ligolo-ng, as well as the steps to follow to get it up and running on the Ligolo-ng Documentation

Does it require Administrator/root access ?

On the agent side, no! Everything can be performed without administrative access.

However, on your relay/proxy server, you need to be able to create a tun interface.

Supported protocols/packets

  • TCP
  • UDP
  • ICMP (echo requests)

Performance

You can easily hit more than 100 Mbits/sec. Here is a test using iperf from a 200Mbits/s server to a 200Mbits/s connection. 

$ iperf3 -c 10.10.0.1 -p 24483
Connecting to host 10.10.0.1, port 24483
[  5] local 10.10.0.224 port 50654 connected to 10.10.0.1 port 24483
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.5 MBytes   105 Mbits/sec    0    164 KBytes       
[  5]   1.00-2.00   sec  12.7 MBytes   107 Mbits/sec    0    263 KBytes       
[  5]   2.00-3.00   sec  12.4 MBytes   104 Mbits/sec    0    263 KBytes       
[  5]   3.00-4.00   sec  12.7 MBytes   106 Mbits/sec    0    263 KBytes       
[  5]   4.00-5.00   sec  13.1 MBytes   110 Mbits/sec    2    134 KBytes       
[  5]   5.00-6.00   sec  13.4 MBytes   113 Mbits/sec    0    147 KBytes       
[  5]   6.00-7.00   sec  12.6 MBytes   105 Mbits/sec    0    158 KBytes       
[  5]   7.00-8.00   sec  12.1 MBytes   101 Mbits/sec    0    173 KBytes       
[  5]   8.00-9.00   sec  12.7 MBytes   106 Mbits/sec    0    182 KBytes       
[  5]   9.00-10.00  sec  12.6 MBytes   106 Mbits/sec    0    188 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   127 MBytes   106 Mbits/sec    2             sender
[  5]   0.00-10.08  sec   125 MBytes   104 Mbits/sec                  receiver

Caveats

Because the agent is running without privileges, it’s not possible to forward raw packets.
When you perform a NMAP SYN-SCAN, a TCP connect() is performed on the agent.

When using nmap, you should use --unprivileged or -PE to avoid false positives.

Todo

  • Implement other ICMP error messages (this will speed up UDP scans) ;
  • Do not RST when receiving an ACK from an invalid TCP connection (nmap will report the host as up) ;
  • Add mTLS support.

Credits

  • Nicolas Chatelain
  • Jeremie Bedjai (Ligolo-ng-Web)

Tool Information

Author

nicocha30

Project Added On

May 30, 2025

License

Open Source

Tags

golang offensive-security pentest-tool pentesting pivoting post-exploitation redteam security tunneling
View on GitHub

Related Tools

RedCloud-OS

RedCloud-OS

RedCloudOS is a Cloud Adversary Simulation Operating System for Red Teams to assess the Cloud Security of Leading Cloud Service Providers (CSPs)

Stable
atomic-red-team

atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.

Stable
evilginx2

evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

Stable
View more Red-team tools