
subdomain takeover via ngrok service

Open PareshParmar opened this issue 6 years ago • 13 comments

Service name

ngrok. This is already mentioned in https://github.com/EdOverflow/can-i-take-over-xyz/issues/85 but a few steps are missing there, and that won't work. When you run ./ngrok http 80 -subdomain cnameentry it will run ngrok on the CNAME domain only, not the subdomain. I set up ngrok on my own subdomain to test it.

Proof

If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found. Check the CNAME entry of the subdomain; it will be something like http://xxxxxxxx.cname.us.ngrok.io/

  1. Set up an account on https://ngrok.com/

  2. The subdomain service for ngrok is only available on the paid version. I suggest you purchase the paid version: https://dashboard.ngrok.com/billing (15 days money return policy)

  3. Once your account is done, set up ngrok on your local machine by following these steps: https://dashboard.ngrok.com/get-started

  4. Once you're done with the local setup, go here: https://dashboard.ngrok.com/reserved where you can reserve the vulnerable subdomain. Enter the subdomain and click on Reserve. Screenshot (2350)

  5. Now go to your local machine and run this command to take over the subdomain: ngrok http -region=us -hostname=subdomain.example.com 80

Screenshot (2352) Screenshot (2353)

Documentation

https://ngrok.com/docs (check "Tunnels on custom domains (white label URLs)")

PareshParmar avatar Apr 19 '19 09:04 PareshParmar
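
The fingerprint and CNAME shape quoted in the post above can be used on the defender's side to find stale ngrok records in your own DNS inventory, so they can be deleted. This is an added example, not part of the original thread; the record tuples, the two-letter region pattern and the category names are assumptions made for illustration, and the sample data is constructed.

```python
import re

# Error text quoted in the thread: "Tunnel <hostname> not found".
FINGERPRINT = re.compile(r"Tunnel\s+(\S+)\s+not found", re.IGNORECASE)
# CNAME shape quoted in the thread: <label>.cname.<region>.ngrok.io
# (two-letter region such as "us" or "eu" is an assumption).
NGROK_CNAME = re.compile(r"^[a-z0-9-]+\.cname\.[a-z]{2}\.ngrok\.io\.?$",
                         re.IGNORECASE)


def classify(hostname, cname_target, body):
    """Classify one record of your own zone for DNS-hygiene review."""
    if not cname_target or not NGROK_CNAME.match(cname_target):
        return "not-ngrok"
    match = FINGERPRINT.search(body or "")
    if match is None:
        # CNAME points at ngrok but something else answers (e.g. a 404 page).
        return "ngrok-cname-serving"
    named = match.group(1).rstrip(".").lower()
    if named == hostname.rstrip(".").lower():
        # No tunnel is bound to this hostname: remove or repoint the record.
        return "dangling-review"
    # The error names a different host (for example the CNAME target itself).
    return "fingerprint-other-host"


# Constructed inventory: (hostname, CNAME target, HTTP response body).
SAMPLE = [
    ("app.example.com", "a1b2c3d4.cname.us.ngrok.io",
     "Tunnel app.example.com not found"),
    ("dev.example.com", "e5f6a7b8.cname.eu.ngrok.io",
     "No webpage was found dev.example.com - (404)"),
    ("www.example.com", "cdn.example.net", "<html>ok</html>"),
    ("old.example.com", "c9d0e1f2.cname.us.ngrok.io",
     "Tunnel c9d0e1f2.cname.us.ngrok.io not found"),
]


def audit(records):
    """Return {hostname: category} for every record in the inventory."""
    return {host: classify(host, cname, body) for host, cname, body in records}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:20} {verdict}")
```

Records reported as dangling-review are the ones to delete or repoint in DNS, whether or not the hostname can still be reserved by another account.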

@PareshParmar @EdOverflow

I found a target with this error: Tunnel subdomain.example.com not found. I looked up its CNAME and found a CNAME like: http://abc.cname.us.ngrok.io

When I tried to reserve subdomain.example.com it says unavailable,

but when I tried to reserve the CNAME I successfully reserved it.

I don't have access to subdomain.example.com but I have access to its CNAME.

What to do now? Kindly help me out.

Thanks

tayyabqadir877 avatar Oct 31 '20 14:10 tayyabqadir877

In my case, for subomain.example.com:

The victim has access to subomain.example.com and I have access to its CNAME: http://example.cname.us.ngrok.io

But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com

tayyabqadir877 avatar Oct 31 '20 16:10 tayyabqadir877

Screenshot_2 Screenshot_4 But still

Screenshot_6

Kindly can anyone tell the reason?

@PareshParmar @EdOverflow @codingo @random-robbie

tayyabqadir877 avatar Nov 01 '20 04:11 tayyabqadir877

Hi,

You're doing the steps wrong.

1. Add the vulnerable domain to your account's custom domain list, not the CNAME entry.
2. Once you add that, run this command: ngrok http -region=us -hostname=vulnerable.subdomain.com 80

Here's my blog post: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issues.

PareshParmar avatar Nov 01 '20 17:11 PareshParmar

Thanks for your reply. I am still unable to take over. Can you tell me the point at which I am wrong?

1- I have also added the custom domain (e.g. vulnerabledomain.com), successfully owned

2- When I tried to add (sudomain.vulnerabledomain.com) it says unavailable

3- Then I tried to run these commands in Windows

3 (a).: CMD:

ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337

Result :

This domain is reserved for another account. Failed to bind the domain ' cx***.*******.**m ' for the account 'Tayyab Qadir'.

3 (b): CMD:

ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337

Connection built successfully
Screenshot_1

Can you send me a message via Facebook to resolve this matter? https://www.facebook.com/tqMr.EditOr Hopefully the problem will be resolved quickly.

Thanks

Best Wishes Tayyab Qadir

tayyabqadir877 avatar Nov 01 '20 19:11 tayyabqadir877

Hi, as you mentioned in the second step, it says unavailable, which means the subdomain is added in another account.

But feel free to DM me, I'll check: https://twitter.com/Paresh_parmar1

PareshParmar avatar Nov 01 '20 22:11 PareshParmar

I have a subdomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io. The CNAME is showing the error "Tunnel {{rngrok-cname}} not found", but the subdomain pointing to it is showing some other response, which is "No webpage was found {{domain name}}- (404)". So do you think this can be taken over? And how do you think I can take it over, because there's a random string in the CNAME? How can I as an attacker control that and take over if there's a random string on some other takeovers of ngrok?

Some help will be very much appreciated :)

OffensiveBugHunter avatar Feb 24 '22 11:02 OffensiveBugHunter

Hi,

I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io which shows:

Tunnel xyz.ngrok.io not found

I subscribed for a basic plan and tried to take it over but it was unavailable in US, only xyz.eu.ngrok.io, for example, would be up for grabs.

yassineaboukir avatar Apr 06 '22 17:04 yassineaboukir

Not Vulnerable.

ikarann avatar Apr 22 '22 11:04 ikarann

Another chiming in to say that ngrok no longer appears vulnerable.

nin-ack avatar Nov 29 '22 18:11 nin-ack

I have a "Tunnel qqqq.wwww.com not found" error and CNAME xxxxxxxx.cname.eu.ngrok.io

If I try to claim qqqq.wwww.com it says that the domain is unavailable. Fixed?

vionde avatar Jan 15 '23 16:01 vionde

Subdomain takeover via ngrok is not possible anymore!

Screenshot (39)

~ Confirmed from Ngrok Team.

abd-4fg avatar Jan 15 '23 18:01 abd-4fg