subdomain takeover via ngrok service #92

Open
PareshParmar opened this issue Apr 19, 2019 · 12 comments
Labels
duplicate This issue or pull request already exists vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

PareshParmar commented Apr 19, 2019

Service name

ngrok
This is already mentioned in #85, but a few steps are missing there, and that won't work.
When you run ./ngrok http 80 -subdomain cnameentry it will run ngrok on the CNAME domain only, not the subdomain. I set up ngrok on my own subdomain to test it.

Proof

If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found
Check the CNAME entry of the subdomain; it will be something like http://xxxxxxxx.cname.us.ngrok.io/

  1. Set up an account on https://ngrok.com/

  2. The subdomain service for ngrok is only available on the paid version.
    I suggest you purchase the paid version: https://dashboard.ngrok.com/billing (15-day money-return policy)

  3. Once your account is done, set up ngrok on your local machine; follow these steps: https://dashboard.ngrok.com/get-started

  4. Once you're done with the local setup, go here: https://dashboard.ngrok.com/reserved
    where you can reserve the vulnerable subdomain. Enter the subdomain and click on reserve.
    Screenshot (2350)

  5. Now go to your local machine and run this command to take over the subdomain:
    ngrok http -region=us -hostname=subdomain.example.com 80

Screenshot (2352)
Screenshot (2353)

Documentation

https://ngrok.com/docs
Check "Tunnels on custom domains (white label URLs)"

EdOverflow added the duplicate and vulnerable labels on Jun 20, 2019
@tayyabqadir877

@PareshParmar @EdOverflow

I found a target with this error: Tunnel subdomain.example.com not found
I looked up its CNAME and found a CNAME like: http://abc.cname.us.ngrok.io

When I tried to reserve subdomain.example.com, it says unavailable

But when I tried to reserve the CNAME, I successfully reserved it

I don't have access to subdomain.example.com but I have access to its CNAME

What to do now? Kindly help me out

Thanks

@tayyabqadir877

In my case for subomain.example.com:

The victim has access to subomain.example.com
and I have access to its CNAME: http://example.cname.us.ngrok.io

But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com

tayyabqadir877 commented Nov 1, 2020

Screenshot_2
Screenshot_4
But still

Screenshot_6

Can anyone kindly tell me the reason?

@PareshParmar @EdOverflow @codingo @random-robbie

Author

PareshParmar commented Nov 1, 2020

Hi,

You're doing the steps wrong.
1. Add the vulnerable domain to your account's custom domain list, not the CNAME entry.
2. Once you add that, run this command:
ngrok http -region=us -hostname=vulnerable.subdomain.com 80

Here's my blog post: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issues.

@tayyabqadir877

Thanks for your reply. I am still unable to take over. Can you point out where I am wrong?

1- I have also added the custom domain (e.g. vulnerabledomain.com), successfully owned

2- When I tried to add (sudomain.vulnerabledomain.com) it says unavailable

3- Then I tried to run these commands in Windows

3 (a): CMD:

ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337

Result :

This domain is reserved for another account.
Failed to bind the domain ' cx***.*******.**m ' for the account 'Tayyab Qadir'.

3 (b): CMD:

ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337

Connection built successfully
Screenshot_1

Can you send me a message via Facebook to resolve this matter?
https://www.facebook.com/tqMr.EditOr I hope the problem will be resolved quickly

Thanks

Best Wishes
Tayyab Qadir

@PareshParmar
Author

Hi, as you mentioned, in the second step it says unavailable, which means the subdomain is added in another account.

But feel free to DM me, I'll check: https://twitter.com/Paresh_parmar1

@OffensiveBugHunter

I have a subdomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io. The CNAME is showing the error "Tunnel {{rngrok-cname}} not found", but the subdomain pointing to it is showing some other response, which is "No webpage was found {{domain name}}- (404)". So do you think this can be taken over? And how do you think I can take it over, because there's a random string in the CNAME; how can I as an attacker control that and take over if there's a random string on some other takeovers of ngrok?

Some help will be very much appreciated :)

@yassineaboukir

Hi,

I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io which shows:

Tunnel xyz.ngrok.io not found

I subscribed for a basic plan and tried to take it over but it was unavailable in US, only xyz.eu.ngrok.io, for example, would be up for grabs.

ikarann commented Apr 22, 2022

Not Vulnerable.

nin-ack commented Nov 29, 2022

Another chiming in to say that ngrok no longer appears vulnerable.

vionde commented Jan 15, 2023

I have a "Tunnel qqqq.wwww.com not found" error and CNAME xxxxxxxx.cname.eu.ngrok.io

If I try to claim qqqq.wwww.com it says that the domain is unavailable. Fixed?

abd-4fg commented Jan 15, 2023

Subdomain takeover via ngrok is not possible anymore!

Screenshot (39)

~ Confirmed from Ngrok Team.
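
For a zone owner, the two signals discussed in this thread (a CNAME of the form `<label>.cname.<region>.ngrok.io` and the body "Tunnel <host> not found") are enough to find leftover records that should be deleted. The following is an added example, not part of the original thread or the project's code; `classify`, `audit` and the sample inventory are hypothetical names and constructed data.

```python
import re

# CNAME shape quoted in the thread: <label>.cname.<region>.ngrok.io
NGROK_CNAME = re.compile(r"^[a-z0-9-]+\.cname\.[a-z]{2,}\.ngrok\.io\.?$", re.I)
# Error body quoted in the thread: "Tunnel <host> not found"
TUNNEL_ERR = re.compile(r"Tunnel\s+(\S+)\s+not found", re.I)


def classify(host, cname, body):
    """Return (status, reason) for one DNS record plus the body served at host."""
    host = host.rstrip(".").lower()
    if not cname or not NGROK_CNAME.match(cname.strip()):
        return ("ok", "CNAME does not point at ngrok")
    m = TUNNEL_ERR.search(body or "")
    if m is None:
        # e.g. the 404 case in the thread: ngrok CNAME, different response
        return ("review", "ngrok CNAME but no tunnel error in the response")
    named = m.group(1).rstrip(".").lower()
    if named == host:
        # No tunnel is bound to this hostname: the record is a leftover
        return ("stale", "ngrok reports no tunnel for this hostname")
    return ("review", f"tunnel error names {named}, not {host}")


def audit(records):
    """Map hostname -> (status, reason) for every record needing attention."""
    findings = {}
    for host, cname, body in records:
        status, reason = classify(host, cname, body)
        if status != "ok":
            findings[host] = (status, reason)
    return findings


# Constructed sample inventory (hostnames, CNAMEs and bodies are made up).
SAMPLE = [
    ("dev.example.com", "a1b2c3d4.cname.us.ngrok.io.",
     "Tunnel dev.example.com not found"),
    ("demo.example.com", "e5f6a7b8.cname.eu.ngrok.io",
     "No webpage was found (404)"),
    ("www.example.com", "cdn.example.net", "<html>ok</html>"),
]

if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE).items():
        print(f"{host:20} {status:7} {reason}")
```

Records reported as `stale` are candidates for removal from the zone; `review` covers the mixed cases raised in the comments above, where the CNAME is present but the response is not the tunnel error.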
