Ligolo-ng

Ligolo-ng is a tunneling and pivoting tool to access internal networks through reverse TCP/TLS connections. Unlike SOCKS proxies, it uses a TUN interface to route traffic within compromised environments. This is very useful for security professionals to do penetration tests as it allows for efficient lateral movement and network exploration.

Key Insights

Ligolo-ng has several features that makes it useful for security assessments. It has a simple UI with agent selection and network info display, so it’s easy to use for both noobs and pros. It supports automatic certificate config with Let’s Encrypt so you don’t have to manage certificates manually. It also has multiplexing capabilities so you can have multiple connections over a single tunnel and doesn’t require elevated privs to work. The agent is compatible with multiple platforms so it’s versatile in different network environments.

Use in Offensive Security

In offensive security scenarios Ligolo-ng is used to establish tunnels from compromised machines back to the attacker’s infrastructure. This allows the attacker to pivot into internal networks, do reconnaissance and exploit additional systems. It can create a userland network stack using gVisor so you can run Nmap without proxychains and simplify/accelerate the assessment.

Detection and Mitigation Challenges

Although used in legitimate penetration testing, Ligolo-ng can be used by malicious actors so detection challenges. The use of TLS and legitimate looking traffic patterns makes it hard for traditional security solutions to detect unauthorized usage. Security teams must use advanced monitoring techniques like anomaly based detection and behavioral analysis to detect and mitigate Ligolo-ng abuse.

Known Variants

No specific variants of Ligolo-ng are documented. Since it’s open source, it can be modified, and security professionals should be aware of customized versions that may have different behavior.

Mitigation Strategies

Implement advanced network monitoring to detect tunneling traffic.
Use endpoint protection solutions that can detect and block Ligolo-ng.
Do regular threat hunting to find potential misuse of legitimate tools in your environment.
Educate users about phishing and social engineering risks that can lead to the deployment of such tools.

Targeted Industries or Sectors

Ligolo-ng itself is a tool and doesn’t target industries. But when used by threat actors it can be used across different sectors. For example there was an instance where Ligolo-ng was used in a campaign that targeted organizations by impersonating Y Combinator brand to establish credibility and deceive victims.

Associated Threat Actors

Although Ligolo-ng is a legitimate tool for security assessments, it has been used by threat actors. In one instance it was used with Sliver C2 framework in an operation that targeted entities by impersonating Y Combinator brand. So, monitor for unauthorized use of such tools in your network.