Hello 0x00SEC
** please NOTE that is COMPLETELY educational **
in a previous question I asked here ( named: python reverse shell 0 ) , I was asking about how do I cover my connection so that if the victim was smart and opened wireshark as example, he won’t be able to know my ip

A comment on this topic suggested using NGROK[1] and another comment suggested using it over TOR. Thus I went to TAILS OS such that I can hide my ip from NGROK servers, here is what did:

0- I tried it directly (Without anything, on windows, with my ip ) to check if I am using it the right way or not, and I was using it right

1- I next went to TAILS, made my adjustments for ngrok(connecting to my accout,…etc) then tried the following :
torify ./ngrok tcp 4000
torify means that the next script,…etc will be directed though TOR ,tcp is the tunnel connection type and 4000 is the port no. My code listens to

2- The problem was that NGROK didn’t connect

In theory, as I thought, NGROK will connect and connection from client will be directed through it to Tor exit node , through nodes , till reaches me
and if I torrified my server, the same but in opposite direction [2]
IS there anything wrong in my setup, theory or even anything I didn’t took it into considerations?

Thank’s in advance.

[1] NGROK : https://ngrok.com
[2] As I mentioned in no.0, I have tested this but away from TOR and tails with my partner in this project, what I am not sure of is the case when using TOR.

I don’t know how to help you with ngrok, but why not skip it entirely and set up a Tor Hidden Service? You won’t need to port forward (which I assume is why you are using ngrok) and you won’t have to expose your IP for your shell to connect to. Although, setting up a Tor proxy on the victim machine might be problematic.

Portmapping is not a problem for me
The problem is that I don’t want any direct connection to avoid having my ip uncovered, That’s why I put an effort in playing with Ngrok. The victim always connect to Ngrok server and Ngrok server sends to me this connection. But this way Ngrok can see my ip, So, my idea was forcing all connections to Tor ( using tails)
Thus the path is : Me <=> Tor nodes <=> Ngrokservers <=> victim

as you said, tor proxy on victim’s side is a pain.

I am not determined to use Ngrok, If there is a better solution Iam open to it ( away from tor proxy at victim as possible )

So a hidden service is exactly what you want to use to stay anonymous. All connections go through the Tor network so your victim won’t be able to tell where your shell is actually connecting.

Then How would I force victim to use Tor ?

That’s the hard part. You can compile a static, dependency-free tor executable which might be difficult. A quick google search yielded this, could be a good place to start. After you get that onto the victim system, you’ll have to execute it and not get caught by AV. Afterwards, connect through the SOCKS proxy it creates.

1. Buy a VPS (via TOR)
2. Get your shell from there

You <=> TOR <=> VPS <=> Victim

This solves my problem by makes another one
I mean , both Ngrok ( paid plan ) and Tor hidden service provide me a static ip that I can hard-code it in my backdoor to the victim.
Your solution requires the backdoor the get the ip I am working now on every time my server disconnects, which is not proper solution

UNLESS you have an idea to overcome this I will be happy

Hi there,

I don’t really understand the problem, so please elaborate. The VPS has a static ip which you should hardcode in the client. You only connect to the VPS via SSH and run the handler there.

Best, SmartOne

I’m slightly confused and here’s a quick thought… I remember somewhere that WannaCrypt used ToR in order to say anonymous… Is that what you’re trying to accomplish?

It seems I am wrong, I saw it VPN not VPS, sorry

You are right, but installing TOR at victim’s side is a pain.

I was trying to do something which gives the same result (anonymous link to the victim) but away from installing TOR at victim’s side

1- I buy a domain (using TOR) from NGROK
2- Hardcode it in the victim code
3- Run NGROK on my TailsOS so I will be anonymous from NGROK servers

Yo. I’ve done this many times before, tor and ngrok together is a dangerously cool combo, and it works really well too.

I used proxychains. And ran:

proxychains ngrok tcp 4444

It then gives me a ngrok service that I can connect to. Can you verify torify is working? Is tor available? Attempt this and tell me the result:

torify curl google.com

My idea for malware would be to request a bit.ly link which gets forwarded to a pastebin containing the updated ngrok server. That way you could dynamically change ngrok endpoints, and yet you could update it using bit.ly and pastebin.

I’m sure a framework is begging to be made here.

Finally, a one done it before you are the second one on the internet to mention this (after a one in reddit without having any answer )

First, my setting and setup :
I use tails on VM ( I know the drawbacks of this ) for testing the concept and get it working and till I buy another USB stick
I adjusted the bridges, and got tor working on them

Second, Torify :
I have tested torify with a simple python code that returns my public ip, and it returned ip of tor exit node not mine.
I also ran the token of ngrok with it and no problems, here is the response on torify (curl google.com )

Capture.PNG882x122 22.1 KB

I tried to use proxychains but it says (
command not found )

Finally , the error which appears on using torify to connect to ngrok
( reconnecting + rotating between the next 3 errors in red color)

reconnecting (dial tcp 18.216.22.45:443: getsockopt: connection refused) 
reconnecting (Get https://dns.google.com/resolve?cd=true&name=tunnel.us.ngrok.com&type=A: dial tcp 216.58.212.174:443: getsockopt: connection refused)                                                                                                                                                          
reconnecting ([write udp 10.0.2.16:60957->8.8.8.8:53: write: operation not permitted write udp 10.0.2.16:37447->8.8.4.4:53: write: operation not permitted])                                             

I hope this is can be solved

Psssst… I shall mention we have a IRC at irc.0x00sec.org port 6697. It’s great how I see people collaborating but just a thought for the future. ; )

This looks like a permission issue on the surface. Perhaps try sudo?

Also: if you’re using tails, isn’t everything routed through tor anyway? Or am I mistaken?

I tried it and every other combination between it and torify and sock5

That’s why I went to tails, It should be doing this by default.

I want to mention that I am using it live and no persistent volume (but the directory I am working in SHOULD be writable ( a usb stick ) )
Do you have any ideas ?

I hope also you explain me the setting(os,…etc) you used TOR-Ngrok combo on, I am not really attached to tails and ready to ignore ( as long as anonymity is kept from Ngrok , but I am leaving this as a final no way solution)

@BlackSteelCannon Did you try running ngrok without proxychains? Should work if tails automatically routes everything through tor.

As I mentioned, I used a simple python script to check, when I ran it without (torify) , connection was refused. using torify, Script returned IP of tor exit node ( Thus, I think it stops some connections unless torified)
Doing the same with ngrok ( i.e:using Torify) , I got the error I mentioned in my previous comment ( I ran it with torrify not proxychains, no command proxychanis is known in tails ).