‘Dropbox for pen testers’ allows security pros to upload and share payloads using their own server
A new open source tool has streamlined the process of sharing payloads online without using a third-party server such as Dropbox or other hosting services.
PwnDrop, the self-deployable file hosting service, was created to enable pen testers to share files over HTTP, HTTPS, and WebDAV, using their own server.
Created by Polish hacker Kuba Gretzky, the tool was in development for two years before its release.
“You can think of it as your own personal Dropbox, where you control all the data and nothing is stored on servers which you do not own,” he told The Daily Swig.
“I wanted to solve an issue of having to spend too much time setting up a web service, on your private server, like NGINX or Apache, uploading files through an external tool and then generating download links by hand, based on the directory structure you put the file under.”
PwnDrop is similar to Python’s SimpleHTTPServer, Gretzky wrote in a blog post. However, it comes with an easier-to-use web interface and can be deployed with a single command – “saving everyone’s time”, as Gretzky puts it.
After originally writing the tool in Angular.js, he was inspired to rewrite it in Vue.js, stripping back the npm and webpack “clutter” to simplify the user experience and reduce the amount of hard drive space needed.
Users can share files via drag and drop, make files available or unavailable on demand, and set up custom download URLs.
PwnDrop in action
The tool can also set up automatic redirects to spoof the file’s extension in a shared link and set up facade files, which will be served instead of the original file.
Gretzky explained: “For example, you may want to share a link to a Word document with your custom macro payload, but you don’t want your macro to be analyzed by online scanners as soon as you paste the link.
“To protect your payload, you can upload a facade clean document file under your payload file.”
The PwnDrop project was originally intended for red teamers, but can also be used as a normal file sharing service.
In addition to password protection for files, Gretzky told The Daily Swig he is also planning to implement tracking and logging of requests for each file.
He said: “I’d like a full-blown panel where you can see in real-time who is downloading your files, from where and with what browser.
“I wanted to implement it on release, but later figured out that if I focus on too many features from the beginning, I may not be able to release the tool at all. It is a hobby after all.”