Creating an Internal Pen Test VM with Ngrok

Hello everyone. With the severity of the Covid-19 virus and people trying to work from home as much as possible, we wanted to document how to build out an internal penetration testing VM that can be sent to clients. Hopefully this guide will help others do the same and will aid pen testing firms working remotely.

What's neat is that we can use ngrok to serve up the virtual machine without the need for SSH port forwarding or a server intermediary! I'll go over some of the things you'll want to do to get your VM up and running and connecting to the ngrok servers right after startup (without having to log into the VM).

Set Up the VM with Ngrok Step by Step

  1. If you haven't already, you'll need to get a paid version of ngrok (https://dashboard.ngrok.com/get-started). This will allow us to reserve TCP addresses that always stay the same, ensuring that we'll always be able to connect to it if the VM has internet access.
  2. Next, reserve 2 TCP ports on the ngrok dashboard. We'll use one to forward SSH and the other to forward NoMachine (for GUI access if we ever need it). It should look something like the screenshot below.

[Screenshot: the two reserved TCP addresses on the ngrok dashboard]

  3. Set SSH to start as a service on system boot. Be sure to add in your public SSH keys and disallow password authentication (guide: https://kb.iu.edu/d/aews). The reserved ngrok address is reachable from the whole internet, so key-only authentication is essential.

# run as root
update-rc.d ssh defaults
# regenerate the host keys so each VM you ship has its own, not the ones baked into the base image
mkdir /etc/ssh/default_keys
mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
dpkg-reconfigure openssh-server
systemctl enable ssh.service

  4. Download ngrok on the system and, just in case, run the ngrok authorization command found on the dashboard.
  5. Create a config file called remote-pen-config.yml that looks similar to below and place it in /opt/remote/

[Screenshot: remote-pen-config.yml with the sshtunnel and nomachinetunnel entries]

  6. Make sure everything is working by running the following command:

./ngrok start -config /opt/remote/remote-pen-config.yml sshtunnel nomachinetunnel

  7. You should be able to SSH into the system by using the TCP reserved address in your ngrok dashboard. It'll look similar to:

ssh [user]@[1].tcp.ngrok.io -p [port given on ngrok dashboard]

  • Replace [user] with your account on the VM. The value in [1] depends on which host ngrok assigned you on the dashboard and will be something like 1, 2, 3, etc.
  8. If that's working, set ngrok to start at boot from cron: run the first command below to open the crontab editor, then paste the second line into it. Of course you'll need to edit the second line to account for your own user and ngrok path.

crontab -e
@reboot sleep 60 && /home/user/Desktop/ngrok start -config /opt/remote/remote-pen-config.yml sshtunnel nomachinetunnel

  9. Next, install NoMachine if GUI access is desired (https://www.nomachine.com/download)
  10. Restart the system and ensure you can SSH in remotely without first logging into the VM.
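
The post shows remote-pen-config.yml only as a screenshot, and the SSH hardening in the key-only step is left to a linked guide. The script below is an added example, not FortyNorth's own code: it writes an ngrok 2.x config with the two tunnel names the start command above expects and forces sshd to key-only authentication. It assumes NoMachine listens on TCP 4000 and uses placeholder values for the reserved addresses and the authtoken.

```shell
#!/bin/sh
# Added example, not from the FortyNorth post. Assumptions: ngrok 2.x YAML
# format (matches the '-config' flag above), NoMachine on TCP 4000, and
# placeholder reserved addresses you replace with your dashboard values.

# write_ngrok_config OUTFILE SSH_REMOTE_ADDR NX_REMOTE_ADDR
# Emits the two tunnel names used by the post's 'ngrok start' command.
write_ngrok_config() {
  out="$1"; ssh_remote="$2"; nx_remote="$3"
  cat > "$out" <<EOF
authtoken: REPLACE_WITH_NGROK_AUTHTOKEN
tunnels:
  sshtunnel:
    proto: tcp
    addr: 22
    remote_addr: ${ssh_remote}
  nomachinetunnel:
    proto: tcp
    addr: 4000
    remote_addr: ${nx_remote}
EOF
}

# set_sshd_option FILE KEY VALUE
# Drops any existing (even commented-out) directive, then appends the wanted
# one, so the result does not depend on the distro's default sshd_config.
set_sshd_option() {
  f="$1"; key="$2"; val="$3"
  grep -vE "^[#[:space:]]*${key}([[:space:]]|$)" "$f" > "$f.tmp" || true
  mv "$f.tmp" "$f"
  printf '%s %s\n' "$key" "$val" >> "$f"
}

# harden_sshd_config FILE
# The reserved ngrok address is reachable from the whole internet, so the
# VM must only accept SSH keys (the key-only step above), never passwords.
harden_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PermitRootLogin prohibit-password
}

# sshd_option_is FILE KEY VALUE: succeeds if the effective (last) value matches
sshd_option_is() {
  last=$(grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
  [ "$last" = "$3" ]
}
```

Run harden_sshd_config against a copy of /etc/ssh/sshd_config, check it with sshd_option_is, then install it and restart the service.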

With a lot of the workforce trying to work remotely, we here at FortyNorth hope this guide helps pen testing firms conduct tests remotely. Stay safe out there.