Packages and Binaries:

ligolo-ng

Advanced, yet simple, tunneling/pivoting tool that uses a TUN interface
Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

Installed size: 25.74 MB
How to install: sudo apt install ligolo-ng

Dependencies:
  • libc6
ligolo-agent
root@kali:~# ligolo-agent -h
  -accept-fingerprint string
    	accept certificates matching the following SHA256 fingerprint (hex format)
  -bind string
    	bind to ip:port
  -connect string
    	connect to proxy (domain:port)
  -ignore-cert
    	ignore TLS certificate validation (dangerous), only for debug purposes
  -proxy string
    	proxy URL address (http://admin:[email protected]:8080) or socks://admin:[email protected]:8080
  -reconnect
    	auto-reconnect after established connection is lost (default true)
  -reconnect-delay int
    	reconnection delay in seconds (default: 20) (default 20)
  -reconnect-timeout int
    	total reconnection timeout in seconds (default: 300 = 5 minutes) (default 300)
  -retry
    	auto-retry on initial connection error
  -retry-delay int
    	retry delay in seconds for initial connection (default: 5) (default 5)
  -ua string
    	HTTP User-Agent (default "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36")
  -v	enable verbose mode
  -version
    	show the current version
ligolo-proxy
root@kali:~# ligolo-proxy -h
  -allow-domains string
    	autocert authorised domains, if empty, allow all domains, multiple domains should be comma-separated.
  -api-laddr string
    	API server listening address (default: 127.0.0.1:8080)
  -autocert
    	automatically request letsencrypt certificates, requires port 80 to be accessible
  -certfile string
    	TLS server certificate (default "certs/cert.pem")
  -config string
    	the config file to use
  -cpuprofile file
    	write cpu profile to file
  -daemon
    	run as daemon mode (no CLI)
  -keyfile string
    	TLS server key (default "certs/key.pem")
  -laddr string
    	listening address (prefix with http(s):// for websocket) (default "0.0.0.0:11601")
  -memprofile file
    	write memory profile to file
  -nobanner
    	don't show banner on startup
  -selfcert
    	dynamically generate self-signed certificates
  -selfcert-domain string
    	The selfcert TLS domain to use (default "ligolo")
  -v	enable verbose mode
  -version
    	show the current version


Learn more with OffSec

Want to learn more about ligolo-ng? get access to in-depth training and hands-on labs:



Updated on: 2026-Mar-02