subdomain takeover via ngrok service #92
Comments
EdOverflow
added
duplicate
|
i found target with this error: Tunnel subdomain.example.com not found when i tried to reserved the subdomain.example.com it say's unavaliable but when i tried to reserved the cname i successfully reserved that I don't have access to subdomain.example.com but i have access of its Cname What to do now ? Kindly help me out Thanks |
|
In My case for subomain.example.com: victim has access to subomain.example.com But still the content of http://example.cname.us.ngrok.io is not showing up on subomain.example.com |
|
Kindly can any one tell the Reason ? |
|
Hi, You're doing steps wrong. Here's the blog post of mine: https://blog.pareshparmar.com/subdomain-takeover-ngrok/ |
|
Thanks for your reply, I still unable to takeover, Can you mention me the point on which i am wrong 1- I have also added custom domain ( eg. vulnerabledomain.com ) successfully owned 2- when i tried to add ( sudomain.vulnerabledomain.com ) it say's unavaliable 3- then i tried to run these commands in windows 3 (a).: CMD: ngrok.exe http -region=us -hostname=sudomain.vulnerabledomain.com 1337 Result : This domain is reserved for another account. 3 (b): CMD: ngrok.exe http -region=us -hostname=vulnerabledomain.com 1337 Connection build Sucessfully Can You send me message via Facebook to resolve this matter ? Thanks Best Wishes |
|
Hi, As you mentioned in the second step it says but feel free to dm me, Ill check: https://twitter.com/Paresh_parmar1 |
|
I have a sundomain which is pointing to {{random-string}}.cname.{{zone}}.ngrok.io , the cname is showing the error - "Tunnel {{rngrok-cname}} not found" but the subdomain pointing to it is showing some else response which is - "No webpage was found {{domain name}}- (404)", so do you think this can be taken over? and how do you think I can takeover it, because there's a random string in the cname, how can I as an attacker control that and takeover if there's a random string on some other takeovers of ngrok? Some help will be very much appreciated :) |
|
Hi, I don't think this is vulnerable, at least not anymore. I've got this instance: I subscribed for a basic plan and tried to take it over but it was unavailable in US, only |
|
Not Vulnerable. |
|
Another chiming in to say that ngrok no longer appears vulnerable. |
|
I have If i try to claim |
|
Subdomain Takeover via Ngrok is not possible anymore !
~ Confirmed from Ngrok Team. |
Service name
ngrok
this already mentioned in #85
but few steps are missing there. and that won't work.
when you run
./ngrok http 80 -subdomain cnameentryit will run ngrok on cname domain only , not subdomain, i set up ngrok on my own subdomain to test it.Proof
if you visit vulnerable subdomain, error will be:
Tunnel subdomain.example.com not foundcheck cname entry of subdomain, it will be something like
http://xxxxxxxx.cname.us.ngrok.io/set up account on https://ngrok.com/
subdomain service for ngrok is only available on paid version.
suggest you to purchase paid version: https://dashboard.ngrok.com/billing (15 days money return policy)
once your account is done, set up ngrok to your local machine , follow these steps: https://dashboard.ngrok.com/get-started
once you're done with set up locally. go to here: https://dashboard.ngrok.com/reserved
Where you can reserve vulnerable subdomain. enter subdomain and click on reserve.
now go to your local machine and run this command to takeover subdomain:
ngrok http -region=us -hostname=subdomain.example.com 80Documentation
https://ngrok.com/docs
check Tunnels on custom domains (white label URLs)
The text was updated successfully, but these errors were encountered: