How to Prevent Organisation Exfiltration using Ngrok on FortiGate NGFW (Next Generation Firewall)?

In my previous post I explained how organisation data can be exfiltrated using Ngrok.

Before moving on, I strongly suggest reading my previous post about exfiltrating organisation data using Ngrok, so you have an idea of the severity of this activity.

It is available at the link below:

Link: https://saraswatirepository.com/how-to/how-to-exfiltrate-organisation-dlp-security-using-ngrok/

We need to understand how the Ngrok tool works (its workflow) in order to block it.

How does Ngrok establish a tunnel to localhost?

As per packet analysis in TShark (the command-line tool of Wireshark), Ngrok tries to establish a tunnel with the domain ‘tunnel.us.ngrok.com’. I have already captured the packets and saved them as the file ngrok.cap.

The analysed output of the ngrok.cap file using a DNS filter and an IP filter is shown below.

Capture with DNS Filter

iamvsm@SaraswatiRepository:~$ tshark -r ngrok.cap -Y dns

25 5.681543266 192.168.1.11 → 8.8.8.8 DNS 79 Standard query 0x75a5 AAAA tunnel.us.ngrok.com

26 5.681730723 192.168.16.10 → 8.8.8.8 DNS 79 Standard query 0xbf9f A tunnel.us.ngrok.com


27 5.694975224 8.8.8.8 → 192.168.16.10 DNS 107 Standard query response 0x75a5 AAAA tunnel.us.ngrok.com AAAA 2600:1f16:d83:1201::6e74:1


28 5.694975405 8.8.8.8 → 192.168.16.10 DNS 95 Standard query response 0xbf9f A tunnel.us.ngrok.com A 3.12.62.205

——————————————————————————————

As we can see, my system (192.168.1.11) sent an A record DNS query to 8.8.8.8 for tunnel.us.ngrok.com,

and we successfully obtained the IP address 3.12.62.205 from the A record DNS response.

Note: AAAA record queries are for IPv6.

Capture with IP filter (using the obtained IP address of the Ngrok tunnel, i.e., 3.12.62.205)

iamvsm@SaraswatiRepository:~$ tshark -r ngrok.cap -Y ip.addr==3.12.62.205

84 2.610375791 192.168.1.11 → 3.12.62.205 TCP 74 46124 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2064896385 TSecr=0 WS=1024


90 2.875315104 3.12.62.205 → 192.168.1.11 TCP 74 443 → 46124 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM=1 TSval=2827900271 TSecr=2064896385 WS=128


91 2.875439960 192.168.1.11 → 3.12.62.205 TCP 66 46124 → 443 [ACK] Seq=1 Ack=1 Win=64512 Len=0 TSval=2064896650 Tsecr=2827900271


92 2.875995504 192.168.1.11 → 3.12.62.205 TLSv1 285 Client Hello


96 3.140038007 3.12.62.205 → 192.168.1.11 TCP 66 443 → 46124 [ACK] Seq=1 Ack=220 Win=28032 Len=0 TSval=2827900535 Tsecr=2064896650


97 3.140408728 3.12.62.205 → 192.168.1.11 TLSv1.2 834 Server Hello, Certificate, Server Key Exchange, Server Hello Done


98 3.140511375 192.168.1.11 → 3.12.62.205 TCP 66 46124 → 443 [ACK] Seq=220 Ack=769 Win=64512 Len=0 TSval=2064896915 Tsecr=2827900536


99 3.165354972 192.168.1.11 → 3.12.62.205 TLSv1.2 183 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message


112 3.430215470 3.12.62.205 → 192.168.1.11 TLSv1.2 194 Change Cipher Spec, Encrypted Handshake Message, Application Data


113 3.430272923 192.168.1.11 → 3.12.62.205 TCP 66 46124 → 443 [ACK] Seq=337 Ack=897 Win=64512 Len=0 TSval=2064897205 Tsecr=2827900825


114 3.430215591 3.12.62.205 → 192.168.1.11 TLSv1.2 119 Application Data


115 3.430318214 192.168.1.11 → 3.12.62.205 TCP 66 46124 → 443 [ACK] Seq=337 Ack=950 Win=64512 Len=0 TSval=2064897205 Tsecr=2827900825


116 3.430701960 192.168.1.11 → 3.12.62.205 TLSv1.2 119 Application Data


117 3.430804771 192.168.1.11 → 3.12.62.205 TLSv1.2 172 Application Data, Application Data


118 3.431105101 192.168.1.11 → 3.12.62.205 TLSv1.2 119 Application Data


119 3.431174305 192.168.1.11 → 3.12.62.205 TLSv1.2 652 Application Data, Application Data

——————————————————————————————

As we can see, it completes a TCP and TLS handshake with the Ngrok IP address to establish the tunnel to our localhost.

Blocking this traffic is difficult because we cannot block TCP and TLS traffic for the whole organisation, so we have to create an application-specific signature to block it. The other option is to block DNS resolution for the domain tunnel.us.ngrok.com.
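As an added example (not part of the original post), the following Python script applies the same reasoning as the captures above to tshark one-line summaries: it collects the IP addresses returned in A record responses for any hostname under ngrok.com and then flags TCP connections to those addresses. The sample lines are constructed and modelled on the capture shown above, and the suffix list is an assumption.

```python
import re

# Constructed tshark one-line summaries modelled on the capture shown above
# (sample data for this example, not the original ngrok.cap).
SAMPLE_LINES = [
    "25 5.681543266 192.168.1.11 → 8.8.8.8 DNS 79 Standard query 0xbf9f A tunnel.us.ngrok.com",
    "28 5.694975405 8.8.8.8 → 192.168.1.11 DNS 95 Standard query response 0xbf9f A tunnel.us.ngrok.com A 3.12.62.205",
    "84 6.610375791 192.168.1.11 → 3.12.62.205 TCP 74 46124 → 443 [SYN] Seq=0 Win=64240 Len=0",
    "92 6.875995504 192.168.1.11 → 3.12.62.205 TLSv1 285 Client Hello",
    "130 9.100000000 192.168.1.11 → 198.51.100.7 TCP 74 51000 → 443 [SYN] Seq=0 Win=64240 Len=0",
]

# Assumption: every hostname under ngrok.com is treated as a tunnel endpoint.
TUNNEL_SUFFIXES = (".ngrok.com",)

DNS_A_RESPONSE = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+\S+ → (?P<client>\S+) DNS \d+ Standard query response "
    r"0x[0-9a-f]+ A (?P<name>\S+) A (?P<ip>\d+\.\d+\.\d+\.\d+)")
TCP_SYN = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+(?P<src>\S+) → (?P<dst>\S+) TCP \d+ "
    r"(?P<sport>\d+) → (?P<dport>\d+) \[SYN\]")

def is_tunnel_name(name):
    return name.endswith(TUNNEL_SUFFIXES)

def resolved_tunnel_ips(lines):
    """Map resolved IP -> tunnel hostname from the A record responses in the capture."""
    ips = {}
    for line in lines:
        m = DNS_A_RESPONSE.match(line)
        if m and is_tunnel_name(m.group("name")):
            ips[m.group("ip")] = m.group("name")
    return ips

def find_tunnel_connections(lines):
    """Flag new TCP connections (client SYN) to IPs that came from a tunnel hostname."""
    ips = resolved_tunnel_ips(lines)
    hits = []
    for line in lines:
        m = TCP_SYN.match(line)
        if m and m.group("dst") in ips:
            hits.append({"frame": int(m.group("frame")), "src": m.group("src"),
                         "dst": m.group("dst"), "dport": int(m.group("dport")),
                         "domain": ips[m.group("dst")]})
    return hits

if __name__ == "__main__":
    for hit in find_tunnel_connections(SAMPLE_LINES):
        print(f"frame {hit['frame']}: {hit['src']} -> {hit['domain']} ({hit['dst']}:{hit['dport']})")
```

The connection to 198.51.100.7 on port 443 is not flagged, which is the point of correlating with DNS rather than blocking all TLS traffic.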

In this tutorial I’m going to block this traffic on FortiGate NGFW, so we don’t have to go into the nitty-gritty of creating an application signature for this traffic pattern: FortiGate has its research centre, FortiGuard, which builds application signatures and sends them through FortiGuard updates to every FortiGate with an Application Control signature licence.

An Ngrok application signature is available in FortiGate, so we have to block this application through Application Control in FortiGate to prevent exfiltration.

To block the Ngrok application on FortiGate, follow the steps below.

1. Open the FortiGate administration console and log in.

2. Navigate to Security Profiles –> Application Control as shown in the image below.

3. Open the Application Control profile on which you want to restrict this activity. If you don’t have any Application Control profile, create one.

In my case I’ll edit my existing application profile, i.e., Vishal_AppFilter.

Edit the profile and check whether the “Proxy” category is blocked.

if (Yes)
{
    No need to worry, because Ngrok belongs to the Proxy category and you’ve already blocked that;
}
else
{
    Set it to Monitor mode instead of Allow;
    Then go to Application & Filter Overrides;
    Click on Create New and add Ngrok with action Block;
    Apply as shown in the image below;
}

Note: It is advisable to block the Proxy category rather than blocking particular proxy applications.

4. After creating the Application Control profile, open the IPv4 policy by navigating to Policies & Objects –> IPv4 Policy.

Apply the Application Control profile to an existing rule, or create a new rule and then apply it, as shown in the image below.

As we can see, we have applied the Application Control profile Vishal_AppFilter to the rule.

5. We’ll try to connect to the Ngrok tunnel from my system to verify whether the rule is working, as shown in the image below.

iamvsm@SaraswatiRepository:~$ ./ngrok http 80

As the image above shows, it failed to establish the connection, because FortiGate has blocked this tunnel.

We’ll also verify the same from the FortiGate logs.

6. Navigate to Log & Report –> Application Control and add the filters Source=192.168.1.11 and Application Name=Ngrok, as shown in the image below.

As we can see from the image above, FortiGate has successfully blocked the Ngrok application.
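As an added example (not part of the original post), the same verification done offline over exported FortiGate application-control logs: the script parses the key=value log format, applies the Source / Application Name filter from step 6, and also lists Proxy-category applications that were only logged with action pass, i.e. still in Monitor mode rather than blocked. The log lines are constructed samples in FortiOS style; the device name, timestamps and the "Other.Proxy" application name are placeholders.

```python
import re
from collections import Counter

# Constructed FortiGate application-control log lines in the key=value format FortiOS emits.
# Sample data for this example; devname, times and "Other.Proxy" are placeholders.
SAMPLE_LOGS = [
    'date=2021-03-01 time=10:15:02 devname="FGT-EDGE" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=192.168.1.11 srcport=46124 dstip=3.12.62.205 dstport=443 proto=6 service="HTTPS" '
    'profile="Vishal_AppFilter" appcat="Proxy" app="Ngrok" action="block" msg="Proxy: Ngrok"',
    'date=2021-03-01 time=10:15:09 devname="FGT-EDGE" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=192.168.1.11 srcport=46130 dstip=3.12.62.205 dstport=443 proto=6 service="HTTPS" '
    'profile="Vishal_AppFilter" appcat="Proxy" app="Ngrok" action="block" msg="Proxy: Ngrok"',
    'date=2021-03-01 time=10:16:41 devname="FGT-EDGE" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=192.168.1.25 srcport=50212 dstip=198.51.100.9 dstport=443 proto=6 service="HTTPS" '
    'profile="Vishal_AppFilter" appcat="Proxy" app="Other.Proxy" action="pass" msg="Proxy: Other.Proxy"',
    'date=2021-03-01 time=10:17:00 devname="FGT-EDGE" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=192.168.1.11 srcport=50300 dstip=198.51.100.20 dstport=443 proto=6 service="HTTPS" '
    'profile="Vishal_AppFilter" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" msg="Web.Client: HTTPS.BROWSER"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Turn one FortiOS log line into a dict of its key=value fields."""
    return {k: q or u for k, q, u in KV.findall(line)}

def app_control_events(lines, srcip=None, app=None):
    """Same filter as the Log & Report view: optional Source and Application Name."""
    out = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "app-ctrl":
            continue
        if srcip and ev.get("srcip") != srcip:
            continue
        if app and ev.get("app") != app:
            continue
        out.append(ev)
    return out

def monitored_proxy_apps(lines):
    """Proxy-category apps seen with action pass, i.e. monitored but not blocked."""
    return sorted({ev["app"] for ev in app_control_events(lines)
                   if ev.get("appcat") == "Proxy" and ev.get("action") == "pass"})

def block_counts(lines):
    """Number of blocked sessions per (source IP, application)."""
    return Counter((ev["srcip"], ev["app"]) for ev in app_control_events(lines)
                   if ev.get("action") == "block")
```

A non-empty result from monitored_proxy_apps is the case the Recommendation below warns about: a proxy application that the category setting is only monitoring.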

Hence, we have prevented exfiltration using FortiGate.

Recommendation

It is recommended to block the Proxy category instead of blocking a specific proxy application, because proxy applications in general are what make this kind of exfiltration possible, not Ngrok alone.