-
-
Notifications
You must be signed in to change notification settings - Fork 724
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subdomain takeover via ngrok service #92
Comments
i found target with this error: Tunnel subdomain.example.com not found when i tried to reserved the subdomain.example.com it say's unavaliable but when i tried to reserved the cname i successfully reserved that I don't have access to subdomain.example.com but i have access of its Cname What to do now ? Kindly help me out Thanks |
In My case for subomain.example.com: victim has access to subomain.example.com But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com |
Kindly can any one tell the Reason ? |
Hi, You're doing steps wrong. Here's the blog post of mine: https://blog.pareshparmar.com/subdomain-takeover-ngrok/ |
Thanks for your reply, I still unable to takeover, Can you mention me the point on which i am wrong 1- I have also added custom domain ( eg. vulnerabledomain.com ) successfully owned 2- when i tried to add ( sudomain.vulnerabledomain.com ) it say's unavaliable 3- then i tried to run these commands in windows 3 (a).: CMD: ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337 Result : This domain is reserved for another account. 3 (b): CMD: ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337 Can You send me message via Facebook to resolve this matter ? Thanks Best Wishes |
Hi, As you mentioned in the second step it says but feel free to dm me, Ill check: https://twitter.com/Paresh_parmar1 |
I have a sundomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io , the cname is showing the error - "Tunnel {{rngrok-cname}} not found" but the subdomain pointing to it is showing some else response which is - "No webpage was found {{domain name}}- (404)", so do you think this can be taken over? and how do you think I can takeover it, because there's a random string in the cname, how can I as an attacker control that and takeover if there's a random string on some other takeovers of ngrok? Some help will be very much appreciated :) |
Hi, I don't think this is vulnerable, at least not anymore. I've got this instance:
I subscribed for a basic plan and tried to take it over but it was unavailable in US, only |
Not Vulnerable. |
Another chiming in to say that ngrok no longer appears vulnerable. |
I have If i try to claim |
Takeover is impossible according to the following instruction from the official document
|
Service name
ngrok
this already mentioned in #85
but few steps are missing there. and that won't work.
when you run
./ngrok http 80 -subdomain cnameentry
it will run ngrok on cname domain only , not subdomain, i set up ngrok on my own subdomain to test it.Proof
if you visit vulnerable subdomain, error will be:
Tunnel subdomain.example.com not found
check cname entry of subdomain, it will be something like
http://xxxxxxxx.cname.us.ngrok.io/
set up account on https://ngrok.com/
subdomain service for ngrok is only available on paid version.
suggest you to purchase paid version: https://dashboard.ngrok.com/billing (15 days money return policy)
once your account is done, set up ngrok to your local machine , follow these steps: https://dashboard.ngrok.com/get-started
once you're done with set up locally. go to here: https://dashboard.ngrok.com/reserved
Where you can reserve vulnerable subdomain. enter subdomain and click on reserve.
now go to your local machine and run this command to takeover subdomain:
ngrok http -region=us -hostname=subdomain.example.com 80
Documentation
https://ngrok.com/docs
check Tunnels on custom domains (white label URLs)
The text was updated successfully, but these errors were encountered: