ligolo-ng

ligolo-ng

Verified 3503 Stars

An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

nicocha30
Red-team
May 30, 2025
3503 stars
View on GitHub
Share on:
X LinkedIn Facebook WhatsApp Telegram Reddit Email
Category
Red-team
GitHub Stars
3503
Project Added On
May 30, 2025
Contributors
9

README.md

View on GitHub

Ligolo-ng : Tunneling like a VPN

Ligolo Logo

An advanced, yet simple, tunneling tool that uses TUN interfaces.

GPLv3
Go Report
GitHub Sponsors
GitHub Downloads (all assets, all releases)

📑 Ligolo-ng Documentation (Setup/Quickstart)

[!TIP]
Ligolo-ng 0.8 added a lot of new features, including:
- 🌐 API and a beautiful Web Interface thanks to L’ami du Raisin, allowing multiplayer!
- ⚙️ Simple configuration file, to keep your tunneling/proxy settings
- 🚦 Daemon mode, to run Ligolo-ng as a service
- 🔗 Auto-bind, to automatically configure tunneling whenever a specific agent connects
- 📶 Easy and automatic (autoroute) route and interface management on Windows, Linux, MacOS and BSD!
- 💀 Agent kill, to remotely terminate an agent

Please try it out!
Release: Ligolo-ng 0.8

Ligolo Web

Table of Contents

Introduction

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish
tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

Features

  • Tun interface (No more SOCKS/Proxychains!)
  • Simple UI with agent selection and network information
  • Easy to use and setup
  • Automatic certificate configuration with Let’s Encrypt
  • Performant (Multiplexing)
  • Does not require privileges on the agent
  • Socket listening/binding on the agent
  • Multiple platforms supported for the agent
  • Can handle multiple tunnels
  • Reverse/Bind Connection
  • Automatic tunnel/listeners recovery (in case of network issues)
  • Websocket support

Demo

Ligolo-ng-demo.webm

How is this different from Ligolo/Chisel/Meterpreter… ?

Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.

When running the relay/proxy server, a tun interface is used, packets sent to this interface are
translated, and then transmitted to the agent remote network.

As an example, for a TCP connection:

  • SYN are translated to connect() on remote
  • SYN-ACK is sent back if connect() succeed
  • RST is sent if ECONNRESET, ECONNABORTED or ECONNREFUSED syscall are returned after connect
  • Nothing is sent if timeout

This allows running tools like nmap without the use of proxychains (simpler and faster).

How to use - documentation - tutorial

You will find the documentation for Ligolo-ng, as well as the steps to follow to get it up and running on the Ligolo-ng Documentation

Does it require Administrator/root access ?

On the agent side, no! Everything can be performed without administrative access.

However, on your relay/proxy server, you need to be able to create a tun interface.

Supported protocols/packets

  • TCP
  • UDP
  • ICMP (echo requests)

Performance

You can easily hit more than 100 Mbits/sec. Here is a test using iperf from a 200Mbits/s server to a 200Mbits/s connection. 

$ iperf3 -c 10.10.0.1 -p 24483
Connecting to host 10.10.0.1, port 24483
[  5] local 10.10.0.224 port 50654 connected to 10.10.0.1 port 24483
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.5 MBytes   105 Mbits/sec    0    164 KBytes       
[  5]   1.00-2.00   sec  12.7 MBytes   107 Mbits/sec    0    263 KBytes       
[  5]   2.00-3.00   sec  12.4 MBytes   104 Mbits/sec    0    263 KBytes       
[  5]   3.00-4.00   sec  12.7 MBytes   106 Mbits/sec    0    263 KBytes       
[  5]   4.00-5.00   sec  13.1 MBytes   110 Mbits/sec    2    134 KBytes       
[  5]   5.00-6.00   sec  13.4 MBytes   113 Mbits/sec    0    147 KBytes       
[  5]   6.00-7.00   sec  12.6 MBytes   105 Mbits/sec    0    158 KBytes       
[  5]   7.00-8.00   sec  12.1 MBytes   101 Mbits/sec    0    173 KBytes       
[  5]   8.00-9.00   sec  12.7 MBytes   106 Mbits/sec    0    182 KBytes       
[  5]   9.00-10.00  sec  12.6 MBytes   106 Mbits/sec    0    188 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   127 MBytes   106 Mbits/sec    2             sender
[  5]   0.00-10.08  sec   125 MBytes   104 Mbits/sec                  receiver

Caveats

Because the agent is running without privileges, it’s not possible to forward raw packets.
When you perform a NMAP SYN-SCAN, a TCP connect() is performed on the agent.

When using nmap, you should use --unprivileged or -PE to avoid false positives.

Todo

  • Implement other ICMP error messages (this will speed up UDP scans) ;
  • Do not RST when receiving an ACK from an invalid TCP connection (nmap will report the host as up) ;
  • Add mTLS support.

Credits

  • Nicolas Chatelain
  • Jeremie Bedjai (Ligolo-ng-Web)

Tool Information

Author

nicocha30

Project Added On

May 30, 2025

License

Open Source

Tags

golang offensive-security pentest-tool pentesting pivoting post-exploitation redteam security tunneling
View on GitHub

Related Tools

NTDLLReflection

NTDLLReflection

Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported APIs from the export table

Stable
kernel-exploit-factory

kernel-exploit-factory

Linux kernel CVE exploit analysis report and relative debug environment. You don't need to compile Linux kernel and configure your environment anymore.

Stable
NovaHypervisor

NovaHypervisor

NovaHypervisor is a defensive x64 Intel host based hypervisor. The goal of this project is to protect against kernel based attacks (either via Bring Your Own Vulnerable Driver (BYOVD) or other means) by safeguarding defense products (AntiVirus / Endpoint Protection) and kernel memory structures and preventing unauthorized access to kernel memory.

Stable
View more Red-team tools