subdomain takeover via ngrok service
PareshParmar opened this issue · 13 comments
Service name
ngrok
This was already mentioned in #85,
but a few steps are missing there, and that won't work.
When you run ./ngrok http 80 -subdomain cnameentry
it will run ngrok on the CNAME domain only, not the subdomain. I set up ngrok on my own subdomain to test it.
Proof
If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found
Check the CNAME entry of the subdomain; it will be something like http://xxxxxxxx.cname.us.ngrok.io/
- Set up an account on https://ngrok.com/
- The subdomain service for ngrok is only available on the paid version. I suggest you purchase the paid version: https://dashboard.ngrok.com/billing (15-day money-back policy)
- Once your account is done, set up ngrok on your local machine, following these steps: https://dashboard.ngrok.com/get-started
- Once you're done with the local setup, go here: https://dashboard.ngrok.com/reserved, where you can reserve the vulnerable subdomain. Enter the subdomain and click on reserve.
- Now go to your local machine and run this command to take over the subdomain:
  ngrok http -region=us -hostname=subdomain.example.com 80
Documentation
https://ngrok.com/docs
Check "Tunnels on custom domains (white label URLs)".
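As an added example (not code from this issue, from the linked blog post, or from ngrok), the two fingerprints the post relies on, a CNAME pointing at an ngrok tunnel hostname and a "Tunnel <host> not found" page, can be turned into a small triage check. The script below is offline: the hostnames, CNAME targets and response bodies are constructed samples modelled on the cases reported in this thread, and in a real check the CNAME target would come from a DNS lookup of the victim host and the body from an HTTP GET of the victim host itself. The `<a>.<b>.ngrok-cname.com` target shape is taken from the docs quote at the end of the thread; the assumption that region labels are two or three letters is mine.

```python
"""Triage a CNAME-to-ngrok subdomain for the takeover fingerprint in this issue.

Added example, not code from the issue or from ngrok. Inputs are constructed:
in a real check, `cname_target` comes from a DNS lookup of the victim host and
`body` from an HTTP GET of the victim host itself (not of the CNAME target).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# CNAME target shapes seen on this page: "<label>.cname.<region>.ngrok.io" from
# the original post, and "<a>.<b>.ngrok-cname.com" quoted from the docs in the
# last comment. Assumption: region labels are 2-3 letters (us, eu, ap, ...).
NGROK_CNAME_RE = re.compile(
    r"^(?P<label>[a-z0-9-]+)\.cname\.(?P<region>[a-z]{2,3})\.ngrok\.io$"
    r"|^(?P<l1>[a-z0-9-]+)\.(?P<l2>[a-z0-9-]+)\.ngrok-cname\.com$",
    re.IGNORECASE,
)

# The error text quoted in the post: "Tunnel subdomain.example.com not found".
TUNNEL_NOT_FOUND_RE = re.compile(r"Tunnel\s+(?P<name>[A-Za-z0-9.-]+)\s+not found", re.IGNORECASE)


@dataclass
class Verdict:
    host: str
    status: str          # not-ngrok | no-fingerprint | fingerprint-mismatch | candidate
    reason: str
    region: Optional[str] = None


def normalize_target(target: str) -> str:
    """Accept the forms people paste (http://x.cname.us.ngrok.io/, trailing dot)."""
    t = target.strip().lower()
    t = re.sub(r"^https?://", "", t)
    t = t.split("/", 1)[0]
    return t.rstrip(".")


def parse_ngrok_cname(target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (random_label, region) for an ngrok CNAME target, else None."""
    m = NGROK_CNAME_RE.match(normalize_target(target))
    if not m:
        return None
    if m.group("label"):
        return m.group("label"), m.group("region")
    return f"{m.group('l1')}.{m.group('l2')}", None  # new-style target carries no region


def tunnel_not_found_host(body: str) -> Optional[str]:
    """Hostname named in a 'Tunnel <host> not found' page, or None."""
    m = TUNNEL_NOT_FOUND_RE.search(body)
    return m.group("name").lower().rstrip(".") if m else None


def triage(host: str, cname_target: str, body: str) -> Verdict:
    host = host.strip().lower().rstrip(".")
    parsed = parse_ngrok_cname(cname_target)
    if parsed is None:
        return Verdict(host, "not-ngrok", "CNAME target is not an ngrok tunnel hostname")
    label, region = parsed
    missing = tunnel_not_found_host(body)
    if missing is None:
        # The tunnel is up, or ngrok answered with some other page (e.g. a 404).
        return Verdict(host, "no-fingerprint", "no 'Tunnel ... not found' error in the response", region)
    if missing != host:
        # Typical when the CNAME target was fetched instead of the victim host:
        # the error names the random ngrok label, which is not what must be reserved.
        return Verdict(host, "fingerprint-mismatch", f"error names {missing}, not {host}", region)
    return Verdict(
        host,
        "candidate",
        f"unclaimed ngrok hostname (CNAME label {label}); the name must still be reservable in the dashboard",
        region,
    )


# Constructed samples, modelled on the cases reported in this thread.
SAMPLES = [
    ("subdomain.example.com", "http://xxxxxxxx.cname.us.ngrok.io/", "<h1>Tunnel subdomain.example.com not found</h1>"),
    ("subdomain.example.com", "abc.cname.eu.ngrok.io.", "<title>404</title>No webpage was found for the web address"),
    ("subdomain.example.com", "abc.cname.us.ngrok.io", "Tunnel abc.cname.us.ngrok.io not found"),
    ("api.example.com", "rnd1.rnd2.ngrok-cname.com", "Tunnel api.example.com not found"),
    ("www.example.com", "example.github.io", "Tunnel www.example.com not found"),
]

if __name__ == "__main__":
    for host, cname, body in SAMPLES:
        v = triage(host, cname, body)
        print(f"{v.host:24} {v.status:20} region={v.region} {v.reason}")
```

A "candidate" verdict is only the first half of the check: as the later comments in this thread report, the actual takeover depends on whether ngrok lets you reserve the victim hostname in the dashboard, and that cannot be established from DNS and HTTP alone, so the script deliberately stops at the fingerprint.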
I found a target with this error: Tunnel subdomain.example.com not found
I looked up its CNAME and found a CNAME like: http://abc.cname.us.ngrok.io
When I tried to reserve subdomain.example.com it says unavailable,
but when I tried to reserve the CNAME I successfully reserved that.
I don't have access to subdomain.example.com but I have access to its CNAME.
What to do now? Kindly help me out.
Thanks
In my case, for subomain.example.com:
The victim has access to subomain.example.com
and I have access to its CNAME: http://example.cname.us.ngrok.io
But still, the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com.
Hi,
You're doing the steps wrong.
1. Add the vulnerable domain to your account's custom domain list, not the CNAME entry.
2. Once you add that, run this command:
ngrok http -region=us -hostname=vulnerable.subdomain.com 80
Here's my blog post: https://blog.pareshparmar.com/subdomain-takeover-ngrok/
Let me know if you still face any issue.
Thanks for your reply. I am still unable to take over. Can you point out where I am wrong?
1- I have also added a custom domain (e.g. vulnerabledomain.com), successfully owned.
2- When I tried to add (sudomain.vulnerabledomain.com) it says unavailable.
3- Then I tried to run these commands in Windows:
3 (a): CMD:
ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337
Result:
This domain is reserved for another account.
Failed to bind the domain ' cx***.*******.**m ' for the account 'Tayyab Qadir'.
3 (b): CMD:
ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337
Can you send me a message via Facebook to resolve this matter?
https://www.facebook.com/tqMr.EditOr. Hopefully the problem will be resolved quickly.
Thanks
Best Wishes
Tayyab Qadir
Hi, as you mentioned, in the second step it says unavailable,
which means the subdomain is added in another account.
But feel free to DM me, I'll check: https://twitter.com/Paresh_parmar1
I have a subdomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io. The CNAME is showing the error "Tunnel {{rngrok-cname}} not found", but the subdomain pointing to it is showing some other response, which is "No webpage was found {{domain name}} (404)". So do you think this can be taken over? And how do you think I can take it over, because there's a random string in the CNAME? How can I as an attacker control that and take it over if there's a random string, as on some other ngrok takeovers?
Some help will be very much appreciated :)
Hi,
I don't think this is vulnerable, at least not anymore. I've got this instance: xyz.ngrok.io
which shows:
Tunnel xyz.ngrok.io not found
I subscribed to a basic plan and tried to take it over, but it was unavailable in the US; only xyz.eu.ngrok.io,
for example, would be up for grabs.
Not Vulnerable.
Another chiming in to say that ngrok no longer appears vulnerable.
I have the "Tunnel qqqq.wwww.com not found"
error and CNAME xxxxxxxx.cname.eu.ngrok.io.
If I try to claim qqqq.wwww.com,
it says that the domain is unavailable. Fixed?
Takeover is impossible according to the following instruction from the official documentation:
After adding your domain you should see instructions along with the CNAME value to be used when creating the CNAME record. Copy the value of your newly-added domain's CNAME target hostname, which will be something like
random-string.random-string.ngrok-cname.com.