How to make a local web server accessible from the Internet without a white IP

Social engineering attacks rely on a web server hosting a site or page that tries to trick the user into entering certain data or performing some action.

This phishing web server must be accessible from the Internet, and this requires a public IP. Many clients of Internet service providers access the Internet through NAT, which means that they cannot make their web server public.

Possible options:

  • rent hosting
  • rent an external IP from your ISP

In this article I will show how to use the ngrok program to expose servers without an external IP address.

The ngrok program works as follows:

  • you need to run it on your computer where the web server is installed and specify the port to which it should redirect traffic (for example, port 80)
  • ngrok contacts the cloud service and generates a third level subdomain for you
  • when a connection to this subdomain arrives, the program redirects traffic to your local computer, for example, to your local web server

To make it clear, let's see how ngrok works in a specific example:

I have a web server installed on my Windows computer. By the way, ngrok runs on Windows, Linux, Linux ARM, and some other operating systems. My computer is behind at least one NAT: port forwarding to the computer is not configured on my router. But most likely, my ISP also uses NAT so that a large number of users can access the Internet through a single IP address at once. In such circumstances, I can’t make my web server public, even if I configure port forwarding on the router.

So, in such a hopeless situation, ngrok will help. To make my web server accessible from the Internet, I just need to run the following command:

.\ngrok http 80

The screen displays the following information:

The data that interests me is in the lines:

Forwarding                    http://4b348924.ngrok.io -> http://localhost:80
Forwarding                    https://4b348924.ngrok.io -> http://localhost:80

It means that the connection to http://4b348924.ngrok.io and https://4b348924.ngrok.io (HTTP and HTTPS protocols respectively) will be redirected to http://localhost:80. Let’s check it: from another computer (Linux), I will open the link https://4b348924.ngrok.io. The list of files in the root directory of the Windows web server is displayed:

I will open the i.php file (for me it is the https://4b348924.ngrok.io/i.php address):

As you can see, the file was executed on the local server and the results of its work are shown.
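From the monitoring side, the tunnel hostname format shown above is what appears in proxy logs and in links inside messages. The following Python sketch is an added example, not part of the original article: the log lines are constructed, and the two suffixes other than ngrok.io are assumptions to adapt to your environment.

```python
import re
from urllib.parse import urlsplit

# ngrok.io is the tunnel domain shown in this article; the other two suffixes
# are assumptions added for newer ngrok-issued hostnames. Adjust as needed.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app")
# Hosts the article uses to download the agent and fetch the authtoken.
AGENT_HOSTS = {"ngrok.com", "dashboard.ngrok.com", "bin.equinox.io"}

# Capture the authority part of an http(s) URL or of a proxy CONNECT target.
AUTHORITY_RE = re.compile(r"(?:https?://|CONNECT\s+)([^\s/\"'<>]+)", re.IGNORECASE)

def classify_host(host):
    """Return 'tunnel', 'agent' or None for a lowercase hostname."""
    host = host.rstrip(".")
    if any(host.endswith("." + s) for s in TUNNEL_SUFFIXES):
        return "tunnel"
    return "agent" if host in AGENT_HOSTS else None

def scan(lines):
    """Return a list of (line_number, kind, hostname) for every ngrok reference."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for authority in AUTHORITY_RE.findall(line):
            try:
                # urlsplit drops userinfo and port and lowercases the host,
                # so "x.ngrok.io@example.com" resolves to example.com.
                host = urlsplit("//" + authority).hostname or ""
            except ValueError:  # malformed authority, e.g. unbalanced "["
                continue
            kind = classify_host(host)
            if kind:
                findings.append((lineno, kind, host))
    return findings

# Constructed sample input: proxy log lines and one message body.
SAMPLE = [
    "1700000000 10.0.0.23 CONNECT 4b348924.ngrok.io:443 200",
    "body: see https://4B348924.NGROK.IO/hacked-accounts/?users=admin&sort=newest",
    "1700000050 10.0.0.23 GET https://bin.equinox.io/c/XXXX/ngrok-stable-linux-amd64.zip 200",
    "1700000060 10.0.0.40 GET https://4b348924.ngrok.io@example.com/login 200",
    "1700000070 10.0.0.40 GET http://ngrok.io.example.net/ 200",
    "1700000080 10.0.0.40 GET https://notngrok.io/ 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The last three sample lines are lookalikes that a plain substring match on "ngrok.io" would flag incorrectly; parsing the hostname avoids that.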

We will return to the Windows computer where ngrok and the web server are running:

After “HTTP Requests”, the lines requested by the remote user are shown. More detailed information can be viewed at the link http://127.0.0.1:4040 on which the ngrok web interface is running. There you can analyze individual queries:

Or view the status of ngrok in general:

How to install ngrok

How to install ngrok on Kali Linux and any other Linux distribution

wget `curl -s https://ngrok.com/download | grep -o -E 'https://bin.equinox.io/c/[A-Za-z0-9]{4,}/ngrok-stable-linux-amd64.zip'`
unzip ngrok-stable-linux-amd64.zip
chmod +x ./ngrok
./ngrok -h

How to install ngrok on BlackArch

sudo pacman -S ngrok

How to install ngrok on Windows

Go to the official website page and download ngrok for Windows: https://ngrok.com/download

Unzip the downloaded archive, open the command line and use cd to go to the folder with the executable file. For example, my program is in the folder C:\Users\MiAl\Downloads\:

cd C:\Users\MiAl\Downloads\

To check, display help with the command:

.\ngrok -h

How to get ngrok authentication token (authtoken)

The ngrok program is free, but also offers paid plans. It can be used for free in two ways:

  • without registration
  • with registration

Without registration, you can use ngrok immediately after downloading the executable file, but only for the simplest actions, for example, as described above: creating a tunnel from a third-level domain to your local server. In fact, for many of us this is enough.

With registration, additional opportunities open up, for example, you can redirect traffic to port 443 (used by the HTTPS protocol) of a local or remote server.

To register, go to https://dashboard.ngrok.com/signup

After registering at https://dashboard.ngrok.com/auth you will find your authentication token. This token can be specified each time ngrok is started, but it is much more convenient to save it in the system with a command of the form:

./ngrok authtoken YOUR_AUTHTOKEN

After that, the ngrok token will be saved in a file, and ngrok will automatically read it from there every time it starts.

How to reveal someone else's IP

As a demonstration of the use of ngrok, consider a couple of examples. Suppose I need to know the IP address of the user with whom I communicate, for example, via chat or via email. For this, it’s enough for me to get the user to open any page of my web server.

On the web server, I am doing the following preparation:

1. I create a hacked-accounts folder (for example, the pretext is a link on the Internet to a database of leaked credentials).

2. I create an index.php file with approximately the following contents:

<?php

$string = '';

foreach ($_SERVER as $key => $value){
        $string = $string . "$key: $value\r\n";
}
file_put_contents (time(), $string);

die ('Connection dropped. Please try later.');

// Another option: redirect to any web site.
// header ('Location: https://google.com');

The essence of the script is very simple: all the values of the $_SERVER array are taken and saved to a file with the generated name. The $_SERVER array contains the HTTP headers and IP of the client who made the request.

3. Next, I just send the link https://4b348924.ngrok.io/hacked-accounts/. You can add different parameter values, for example https://4b348924.ngrok.io/hacked-accounts/?users=admin&sort=newest (these ‘switches’ do not affect anything).

When you open this link, the user will see something like this:

But each attempt to open the link creates a new file with information on the web server:

Example file contents:

Of particular interest are the following lines:

  • HTTP_USER_AGENT (User Agent, the program with which the link was opened)
  • HTTP_REFERER (the page the user came from)
  • HTTP_ACCEPT_LANGUAGE (languages preferred by the user agent)
  • HTTP_X_FORWARDED_FOR (IP address is here!)
  • QUERY_STRING (query string – you can specify different values for different people to distinguish between incoming requests)

As for REMOTE_ADDR, the value there will always be “::1”. REMOTE_ADDR contains the IP address of the program that made the request, in this case the request was made by the ngrok program, which is running on the same computer, so its IP address is loopback.
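The REMOTE_ADDR and X-Forwarded-For behaviour described above applies to any server that logs requests behind a tunnel or reverse proxy: the forwarded header is only meaningful when the direct peer is the proxy itself, because a client connecting directly can send any value it likes. The following Python function is an added example, not code from the original article; it assumes the proxy appends the real peer as the rightmost entry, and the addresses are constructed documentation-range values.

```python
import ipaddress

# Direct peers whose X-Forwarded-For we are willing to believe. With the
# setup in this article the peer is the local ngrok agent, so loopback only.
TRUSTED_PROXIES = {ipaddress.ip_address("::1"), ipaddress.ip_address("127.0.0.1")}

def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def client_ip(server_vars, trusted=TRUSTED_PROXIES):
    """Pick the address to log from a $_SERVER-style mapping."""
    peer = _parse_ip(server_vars.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if peer not in trusted:
        # Direct connection: the header is attacker-controlled, ignore it.
        return str(peer)
    hops = [_parse_ip(h) for h in server_vars.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    # Walk right to left: entries on the right were added by our own proxy,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        if hop is None:
            break  # malformed or missing entry: fall back to the peer
        if hop not in trusted:
            return str(hop)
    return str(peer)

# Constructed sample requests.
VIA_TUNNEL = {"REMOTE_ADDR": "::1", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
SPOOFED_PREFIX = {"REMOTE_ADDR": "::1",
                  "HTTP_X_FORWARDED_FOR": "198.51.100.200, 203.0.113.7"}
DIRECT_WITH_HEADER = {"REMOTE_ADDR": "198.51.100.9",
                      "HTTP_X_FORWARDED_FOR": "10.1.1.1"}
NO_HEADER = {"REMOTE_ADDR": "::1"}

if __name__ == "__main__":
    for req in (VIA_TUNNEL, SPOOFED_PREFIX, DIRECT_WITH_HEADER, NO_HEADER):
        print(client_ip(req))
```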

How to send a file without file hosting and mail

Suppose you want to send a file to another user, but do not use file sharing, mail, or similar services. This can be done with ngrok.

Now the situation is as follows: I really need to quickly transfer another file to the user without file hosting. To do this, you do not even need a web server on the local computer – ngrok itself will perform the functions of a simple web server.

To accomplish this, I need to provide access to the hacked-accounts-real folder located at C:\Server\data\htdocs\hacked-accounts-real\. For that, I just run the following command:

.\ngrok http file:///C:\Server\data\htdocs\hacked-accounts-real\

Please note that the folder path is prefixed with the “file:///” string.

When you open a newly generated link, you will get access to all files in the specified folder:

Proxies with ngrok

ngrok can create tunnels not only to local network services, but to any other addresses on the Internet. This results in a proxy.

Example:

ngrok http https://157.245.118.66

Suppose I want to create a tunnel to a website. If many sites run on the same IP address, the Host header that is sent must be replaced with the correct one, which can be done with the -host-header option. In the following example, a link is created that opens the HackWare.ru website when followed:

ngrok http https://hackware.ru -host-header=hackware.ru

Ngrok Commands and Options

Ngrok has many other use cases, including on the free plan. You will find more information about commands and options at https://en.kali.tools/?p=1091.

Conclusion

So, ngrok can be used as a replacement for hosting for one-time tasks. For example, if a remote code execution vulnerability was discovered on a remote server and it is possible to run a command to download a shell, then this shell needs to be placed somewhere on an accessible public server. As a very quick solution, you can use ngrok + OS configured to work through Tor.

The next article will show a more interesting example of using ngrok in social engineering.
