Maraud: Dockerized Data Exfiltration

What is it?

A python command line script to quickly bring up/destroy smb/http(s)/sftp/reqdump file server containers using docker. All credit to @rflathers for the idea and for creating the docker containers. He wrote a fantastic article on docker for pentesters here. All code reference in this post can be found here.

Why?

This script was written with pentesting in mind. It enables a pentester to quickly spin up file servers for data transfers/exfiltration on the command line without the overhead of spinning up/running the server on your host operating system. Even if you aren’t a pentester it is still massively convenient if you want to spin up a quick server and host it locally or on the internet. Another great thing about utilizing docker is if you happen to switch machines you can easily pull the containers and be right back where you started.

Requirements

  • Docker
  • The following Docker Images:
    • rflathers/nginxserve
    • rflathers/reqdump
    • rflathers/impacket
    • atmoz/sftp
  • Linux/OSX (Tested on Ubuntu 18.04)
  • Python3

Usage

python3 maraud.py -h
optional arguments:
-h, --help show this help message and exit
-s, --smb Start a SMB Server (rflathers/impacket)
-w, --http Start a Nginx http(s) server (rflathers/nginxserve)
-r, --reqdump Start a Reqdump server to dump http requests
(rflathers/reqdump)
-f, --sftp Start a sftp server (atmoz/sftp)
-k, --kill Kill the docker containers

Starting a Server

You can pull all of the required docker images at once using the following command:

$ docker pull rflathers/nginxserve && docker pull rflathers/reqdump && docker pull rflathers/impacket && docker pull atmoz/sftp

Regardless of which server you start, it will always mount and serve the current working directory. This script also assumes that you are in the docker group and can execute it without sudo. For example, to start a http(s) server run the following:

python3 maraud.py -w

This will start an Nginx server, bind to ports 80/443 on your local machine, and serve the current working directory. According to @rflathers the Nginx container ‘generates a new random key and self-signed certificate in the correct location for Nginx and then starts the server:’.

You can start more than one server at time like so:

python3 maraud.py -w -s -f -r

This will start reqdump, sftp, smb, and http(s) servers in the current directory all at once. (Note, the smb default login is empty and sftp (port 2222) is foo:pass per atmoz/sftp. The reqdump server (port 3000) will write all of the requests it receives to a file named reqdumplogs in the current working directory.)

Killing the Servers

To kill the servers run the following command:

python3 maraud.py -k

Files that were transferred during execution will persist after the container has been destroyed to prevent data loss. You can verify the container(s) status with docker:

$ docker ps

Internet Forwarding

Want to forward your web server to the internet? Use ngrok. According to their page, ngrok ‘Instantly create a public HTTPS URL for a web site running locally on your development machine’. Spinning up a disposable public facing web server has never been simpler. Just run the following command:

python3 maraud.py -w && ngrok http 80

#Press ctrl+c to close ngrok and python3 maraud.py -k to kill the server

This will use use ngrok to serve up your current directory under a random domain name with trusted TLS certificate! Also the basic version of ngrok is free! (@rflathers has a great example with pictures here)

Troubleshooting

  • If you happen to get a ‘HTTP 403 Forbidden’ when spinning up the web server, check the permissions of the folder you are trying to serve. Generally speaking /tmp, /var/tmp, and /dev/shm are good places to make a folder for transferring files.
  • If you want to run the script from anywhere on your machine, move the script to a folder in your $PATH (such as /usr/local/bin). You can also make the script executable and run it without specifying python3 every time:
$ chmod +x maraud.py
#Now just run it
$ maraud.py -h
  • To add yourself to the docker group on Linux run the following:
sudo usermod -aG docker ${USER}

Leave a Reply

Your email address will not be published. Required fields are marked *