EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

subdomain takeover via ngrok service #92

Open PareshParmar opened 5 years ago

PareshParmar commented 5 years ago

Service name

ngrok. This is already mentioned in https://github.com/EdOverflow/can-i-take-over-xyz/issues/85 but a few steps are missing there, and that won't work. When you run ./ngrok http 80 -subdomain cnameentry it will run ngrok on the CNAME domain only, not the subdomain. I set up ngrok on my own subdomain to test it.

Proof

If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found. Check the CNAME entry of the subdomain; it will be something like http://xxxxxxxx.cname.us.ngrok.io/

  1. Set up an account on https://ngrok.com/

  2. The subdomain service for ngrok is only available on the paid version. I suggest you purchase the paid version: https://dashboard.ngrok.com/billing (15 days money return policy)

  3. Once your account is done, set up ngrok on your local machine by following these steps: https://dashboard.ngrok.com/get-started

  4. Once you're done with the local setup, go here: https://dashboard.ngrok.com/reserved where you can reserve the vulnerable subdomain. Enter the subdomain and click on reserve.

  5. Now go to your local machine and run this command to take over the subdomain: ngrok http -region=us -hostname=subdomain.example.com 80

Documentation

https://ngrok.com/docs check Tunnels on custom domains (white label URLs)
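
A defensive check built from the fingerprint in the post above, as an added example that is not part of the original issue or the repository: it scans an export of your own zone for CNAMEs of the form `<label>.cname.<region>.ngrok.io` and flags names whose already-fetched response body carries the "Tunnel <hostname> not found" error. The record tuples, body map, hostnames and status labels are constructed for illustration.

```python
import re

# CNAME target shape quoted in the thread: <label>.cname.<region>.ngrok.io
NGROK_CNAME = re.compile(r"^[a-z0-9-]+\.cname\.([a-z0-9-]+)\.ngrok\.io$")
# Error body quoted in the thread: "Tunnel <hostname> not found"
TUNNEL_ERR = re.compile(r"Tunnel\s+(\S+)\s+not found", re.I)

def normalize(host):
    """Drop scheme, path, trailing dot and case so names compare reliably."""
    host = re.sub(r"^[a-z]+://", "", host.strip(), flags=re.I)
    return host.split("/")[0].rstrip(".").lower()

def audit(records, bodies):
    """records: (name, rtype, target) tuples exported from your own zone;
    bodies: hostname -> HTTP body already fetched (absent = not fetched)."""
    findings = {}
    for name, rtype, target in records:
        m = NGROK_CNAME.match(normalize(target)) if rtype.upper() == "CNAME" else None
        if not m:
            continue
        host = normalize(name)
        body = bodies.get(host)
        err = TUNNEL_ERR.search(body) if body is not None else None
        if body is None:
            status = "unchecked"
        elif err and normalize(err.group(1)) == host:
            status = "dangling"      # no tunnel bound: remove the DNS record
        elif err:
            status = "review"        # error names a different host
        else:
            status = "serving"
        findings[host] = (m.group(1), status)
    return findings

# Constructed sample data (not from the issue thread).
SAMPLE_RECORDS = [
    ("app.example.com.", "CNAME", "http://a1b2c3d4.cname.us.ngrok.io/"),
    ("demo.example.com", "CNAME", "E5F6A7B8.cname.eu.ngrok.io."),
    ("old.example.com", "CNAME", "c9d0e1f2.cname.us.ngrok.io"),
    ("www.example.com", "CNAME", "example.github.io"),
    ("mail.example.com", "A", "192.0.2.10"),
]
SAMPLE_BODIES = {
    "app.example.com": "Tunnel app.example.com not found",
    "demo.example.com": "<html><body>staging demo</body></html>",
}

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS, SAMPLE_BODIES))
```

Records reported as "dangling" or "unchecked" are the ones to delete from the zone or re-verify once the tunnel they pointed at is gone.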

tayyabqadir877 commented 4 years ago

@PareshParmar @EdOverflow

I found a target with this error: Tunnel subdomain.example.com not found. I looked up its CNAME and found a CNAME like: http://abc.cname.us.ngrok.io

When I tried to reserve subdomain.example.com it says unavailable

but when I tried to reserve the CNAME I successfully reserved that

I don't have access to subdomain.example.com but I have access to its CNAME

What to do now? Kindly help me out

Thanks

tayyabqadir877 commented 4 years ago

In my case, for subomain.example.com:

The victim has access to subomain.example.com and I have access to its CNAME: http://example.cname.us.ngrok.io

But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com

tayyabqadir877 commented 4 years ago

But still, kindly can anyone tell me the reason?

@PareshParmar @EdOverflow @codingo @random-robbie

PareshParmar commented 4 years ago

Hi,

You're doing the steps wrong.

  1. Add the vulnerable domain to your account's custom domain list, not the CNAME entry.

  2. Once you add that, run this command: ngrok http -region=us -hostname=vulnerable.subdomain.com 80

Here's the blog post of mine: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issue.

tayyabqadir877 commented 4 years ago

Thanks for your reply. I am still unable to take over. Can you point out where I am wrong?

1- I have also added the custom domain (e.g. vulnerabledomain.com), successfully owned

2- When I tried to add (sudomain.vulnerabledomain.com) it says unavailable

3- Then I tried to run these commands in Windows

3 (a).: CMD:

ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337

Result :

This domain is reserved for another account. Failed to bind the domain ' cx*.*****.**m ' for the account 'Tayyab Qadir'.

3 (b): CMD:

ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337

Connection built successfully

Can you send me a message via Facebook to resolve this matter? https://www.facebook.com/tqMr.EditOr I hope the problem will be resolved quickly

Thanks

Best Wishes Tayyab Qadir

PareshParmar commented 4 years ago

Hi, as you mentioned in the second step it says unavailable, which means the subdomain is added in another account.

But feel free to DM me, I'll check: https://twitter.com/Paresh_parmar1

OffensiveBugHunter commented 2 years ago

I have a subdomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io. The CNAME is showing the error "Tunnel {{rngrok-cname}} not found", but the subdomain pointing to it is showing a different response, which is "No webpage was found {{domain name}}- (404)". So do you think this can be taken over? And how do you think I can take it over, because there's a random string in the CNAME? How can I as an attacker control that and take over if there's a random string on some other takeovers of ngrok?

Some help will be very much appreciated :)

yassineaboukir commented 2 years ago

Hi,

I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io which shows:

Tunnel xyz.ngrok.io not found

I subscribed for a basic plan and tried to take it over but it was unavailable in US, only xyz.eu.ngrok.io, for example, would be up for grabs.

ikarann commented 2 years ago

Not Vulnerable.

nin-ack commented 1 year ago

Another chiming in to say that ngrok no longer appears vulnerable.

vionde commented 1 year ago

I have a "Tunnel qqqq.wwww.com not found" error and CNAME xxxxxxxx.cname.eu.ngrok.io

If I try to claim qqqq.wwww.com it says that the domain is unavailable. Fixed?

abd-4fg commented 1 year ago

Subdomain takeover via ngrok is not possible anymore!

~ Confirmed from Ngrok Team.