explaingit

nicocha30/ligolo-ng

4,541GoAudience · ops devopsComplexity · 3/5LicenseSetup · moderate

TLDR

A fast network tunneling tool for penetration testers that lets you reach internal networks through a compromised host by creating a virtual network interface, so standard tools work without SOCKS proxy configuration.

Mindmap

mindmap
  root((repo))
    What it does
      Internal network pivot
      Virtual tun interface
      No root on agent
    Components
      Relay server
      Agent binary
      Web UI
    Features
      Auto-bind reconnect
      Multi-tester sharing
      100 Mbps throughput
      Cross-platform
    Protocols
      TCP
      UDP
      ICMP
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Reach internal network machines from your attack box after compromising a single internal host during a pentest

USE CASE 2

Run standard scanning tools like nmap directly against an internal subnet without configuring SOCKS proxies

USE CASE 3

Set up a persistent reverse tunnel that automatically re-establishes when a specific agent reconnects during a long engagement

USE CASE 4

Share one relay server among multiple pentesters simultaneously through the built-in web interface

Tech stack

GoTLSLinuxWindowsmacOS

Getting it running

Difficulty · moderate Time to first run · 30min

Relay server requires permission to create a tun network interface on the operator machine, one-time system setup step.

Free to use and share, but any changes you distribute must also be released under the same GPLv3 license terms.

In plain English

Ligolo-ng is a network tunneling tool built for security professionals who need to reach internal networks during penetration tests. When a tester has compromised one machine inside a target network, they often need to communicate with other machines that are not directly reachable from the internet. Ligolo-ng solves this by creating what it calls a "tun" interface on the tester's machine, which acts like a virtual network card. Traffic sent through that interface gets forwarded through the compromised machine to the internal network, similar in concept to a VPN but designed for this specific testing scenario. The tool has two pieces: an agent that runs on the compromised machine, and a relay server that runs on the tester's side. A key design choice is that the agent does not need administrator or root privileges on the compromised system, which makes it usable in more restricted environments. The relay server does need permission to create a network interface on the tester's machine, but that is a one-time setup step. Compared to older approaches like SOCKS proxies or proxy chains, Ligolo-ng lets standard tools such as network scanners run directly without any special configuration. This is because the traffic appears to come from a real network interface rather than being funneled through an application-layer proxy. Performance in testing showed throughput above 100 Megabits per second. Version 0.8 added a web interface and API that allow multiple testers to share one relay setup, a daemon mode so the relay can run as a background service, and automatic route configuration across Windows, Linux, macOS, and BSD. It also added "auto-bind" so tunnels re-establish themselves automatically when a specific agent reconnects, which is useful during long engagements where connections may drop. The project is licensed under GPLv3. It supports TCP, UDP, and ICMP traffic. The README notes a few limitations around raw packet forwarding and recommends specific flags when using certain scanning tools to avoid misleading results.

Copy-paste prompts

Prompt 1
I compromised a Linux machine during a pentest and want to pivot into the internal 192.168.1.0/24 subnet using ligolo-ng. Give me the exact commands to start the relay, deploy the agent, and add the route.
Prompt 2
Using ligolo-ng, set up the tun interface on my Kali machine and configure routing so I can run nmap directly against a Windows host at 10.10.10.50 on the internal network.
Prompt 3
How do I run the ligolo-ng relay in daemon mode as a persistent service on my C2 server? Include the systemd unit file.
Prompt 4
My nmap scan through ligolo-ng is showing all hosts as up with false positives. What flags do I need to fix this behavior?
Prompt 5
Configure auto-bind in ligolo-ng so the tunnel to a specific agent automatically re-establishes if the compromised machine reboots mid-engagement.
Open on GitHub → Explain another repo

← nicocha30 on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.