subdomain takeover via ngrok service

[PareshParmar]

Service name

ngrok
this already mentioned in #85
but few steps are missing there. and that won't work.
when you run ./ngrok http 80 -subdomain cnameentry it will run ngrok on cname domain only , not subdomain, i set up ngrok on my own subdomain to test it.

Proof

if you visit vulnerable subdomain, error will be: Tunnel subdomain.example.com not found
check cname entry of subdomain, it will be something like http://xxxxxxxx.cname.us.ngrok.io/

1. set up account on https://ngrok.com/

2. subdomain service for ngrok is only available on paid version.
   suggest you to purchase paid version: https://dashboard.ngrok.com/billing (15 days money return policy)

3. once your account is done, set up ngrok to your local machine , follow these steps: https://dashboard.ngrok.com/get-started

4. once you're done with set up locally. go to here: https://dashboard.ngrok.com/reserved
   Where you can reserve vulnerable subdomain. enter subdomain and click on reserve.
   

5. now go to your local machine and run this command to takeover subdomain:
   ngrok http -region=us -hostname=subdomain.example.com 80

Documentation

https://ngrok.com/docs
check Tunnels on custom domains (white label URLs)

[tayyabqadir877]

@PareshParmar @EdOverflow

i found target with this error: Tunnel subdomain.example.com not found
i lookup for it's cname and found cname like : http://abc.cname.us.ngrok.io

when i tried to reserved the subdomain.example.com it say's unavaliable

but when i tried to reserved the cname i successfully reserved that

I don't have access to subdomain.example.com but i have access of its Cname

What to do now ? Kindly help me out

Thanks

[tayyabqadir877]

In My case for subomain.example.com:

victim has access to subomain.example.com
and i have access to its Cname: http://example.cname.us.ngrok.io

But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com

[tayyabqadir877]

But still

Kindly can any one tell the Reason ?

@PareshParmar @EdOverflow @codingo @random-robbie

[PareshParmar]

Hi,

You're doing steps wrong.
1 . Add vulnerable domain in your account's custom domain list not cname entry.
2. Once you add that run this command
ngrok http -region=us -hostname=vulnerable.subdomain.com 80

Here's the blog post of mine: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issue.

[tayyabqadir877]

Thanks for your reply, I still unable to takeover, Can you mention me the point on which i am wrong

1- I have also added custom domain ( eg. vulnerabledomain.com ) successfully owned

2- when i tried to add ( sudomain.vulnerabledomain.com ) it say's unavaliable

3- then i tried to run these commands in windows

3 (a).: CMD:

ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337

Result :

This domain is reserved for another account.
Failed to bind the domain ' cx***.*******.**m ' for the account 'Tayyab Qadir'.

3 (b): CMD:

ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337

Connection build Sucessfully

Can You send me message via Facebook to resolve this matter ?
https://www.facebook.com/tqMr.EditOr Hope so problem will resolve quickly

Thanks

Best Wishes
Tayyab Qadir

[PareshParmar]

Hi, As you mentioned in the second step it says unavailable , which means subdomain is added in another account.

but feel free to dm me, Ill check: https://twitter.com/Paresh_parmar1

[OffensiveBugHunter]

I have a sundomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io , the cname is showing the error - "Tunnel {{rngrok-cname}} not found" but the subdomain pointing to it is showing some else response which is - "No webpage was found {{domain name}}- (404)", so do you think this can be taken over? and how do you think I can takeover it, because there's a random string in the cname, how can I as an attacker control that and takeover if there's a random string on some other takeovers of ngrok?

Some help will be very much appreciated :)

[yassineaboukir]

Hi,

I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io which shows:

Tunnel xyz.ngrok.io not found

I subscribed for a basic plan and tried to take it over but it was unavailable in US, only xyz.eu.ngrok.io, for example, would be up for grabs.

[ikarann]

Not Vulnerable.

[nin-ack]

Another chiming in to say that ngrok no longer appears vulnerable.