NAS Hosted Pwndrop – Self-Hosted File Hosting Service


PWNdrop is a very basic file sharing service that focuses on link sharing utilizing HTTP, HTTPS and WebDAV.

Pwndrop is a self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV.

The video above is there for people who want to see how it’s done rather than reading the guide. If you prefer a quick reference guide, here it is below!

Also, please note that the guide below is different from the video. By the time I wrote this, linuxserver.io had released their image of PWNdrop so I decided to use that image here.

 
NAS: DS418play, DS213j, DS3621+, DSM 7.0.4-11091
The video above
Above what? No video in this thread for me.

But cool, as there have been many requests for a drop point for files, and while File Station somewhat has this capability, this is far more user friendly. Now I can send all my work files to my NAS... when I'm not "working from home".
 

Geeked (NAS Hosted, nashosted.com)
NAS: DS918+, DS218+(2), RS820+
Above what? No video in this thread for me.

But cool, as there have been many requests for a drop point for files, and while File Station somewhat has this capability, this is far more user friendly. Now I can send all my work files to my NAS... when I'm not "working from home".
It's in the blog article. Not sure RSS feeds can pull videos in.
 
NAS: DS418play, DS213j, DS3621+, DSM 7.0.4-11091
OK... Just FYI... the blog video walks through a different image from your write-up, with different ports, etc. Pretty interesting... I don't understand why the file names are encoded on the NAS. Why?
 
NAS: DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
I think the filenames are encoded on the NAS so that you can "turn off" sharing for a particular file even after someone has gotten the URL for it through pwndrop previously.

That is, pwndrop generates an arbitrary file name, and a different arbitrary pointer URL and provides the latter to the client. The client then follows that pointer to get to the file. Under normal circumstances, once the client has the pointer, they could keep on using it, or sharing it with others, unless/until you change the filename or delete the file. But with pwndrop, you can cut off access to that file by that client by changing the path provided by (and understood by) pwndrop, without doing anything to the file itself.

If the client knew the actual path and filename, they could presumably keep accessing it as long as it was there.
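The indirection described in that post, modelled as an added Go example (this is not pwndrop's own code, which the thread does not show; the `Drop` type, its `Upload`/`Resolve`/`Rotate` methods and the in-memory maps standing in for files on disk are all assumptions made for illustration):

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Drop models the indirection the post describes: an upload is kept under a random
// storage name clients never see and is published under a separate random path, so
// the path can be replaced or removed without touching the file. Illustrative
// model, not pwndrop's own code; the type and method names are assumptions.
type Drop struct {
	mu    sync.Mutex
	files map[string][]byte // storage name -> content (stands in for the on-disk file)
	links map[string]string // public path -> storage name
}

func NewDrop() *Drop {
	return &Drop{files: map[string][]byte{}, links: map[string]string{}}
}

// randomToken returns n random bytes as hex; names and paths are not guessable.
func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be worked around
	}
	return hex.EncodeToString(b)
}

// Upload stores content under a fresh storage name and returns the public path.
func (d *Drop) Upload(content []byte) string {
	d.mu.Lock()
	defer d.mu.Unlock()
	name, path := randomToken(16), "/"+randomToken(16)
	d.files[name] = append([]byte(nil), content...)
	d.links[path] = name
	return path
}

// Resolve follows a public path to the stored content; ok is false for an
// unknown or revoked path.
func (d *Drop) Resolve(publicPath string) (content []byte, ok bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	name, ok := d.links[publicPath]
	return d.files[name], ok
}

// Rotate replaces a link's public path, so whoever holds the old one (or a copy)
// loses access at once; with issueNew=false the link is simply revoked.
func (d *Drop) Rotate(oldPath string, issueNew bool) (newPath string, ok bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	name, ok := d.links[oldPath]
	if !ok {
		return "", false
	}
	delete(d.links, oldPath) // the stored file is untouched
	if !issueNew {
		return "", true
	}
	newPath = "/" + randomToken(16)
	d.links[newPath] = name
	return newPath, true
}

// Handler serves content only through public paths; a storage name is never accepted
// as a URL. If the storage directory itself were reachable over the web, that would
// bypass the scheme, which is the caveat the post ends on.
func (d *Drop) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		content, ok := d.Resolve(r.URL.Path)
		if !ok {
			http.NotFound(w, r)
			return
		}
		_, _ = w.Write(content)
	})
}

func main() {
	d := NewDrop()
	srv := httptest.NewServer(d.Handler())
	defer srv.Close()
	link := d.Upload([]byte("constructed sample content")) // constructed input
	newLink, _ := d.Rotate(link, true)
	for _, p := range []string{link, newLink} {
		resp, err := http.Get(srv.URL + p)
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		fmt.Println(p, resp.StatusCode) // old path 404, new path 200
	}
}
```

Running it prints a 404 for the original link and a 200 for the rotated one, while the stored file never moved. The same design choice is what makes the last sentence of the post hold: the scheme only protects the file as long as the storage directory is not itself served.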
 

Shadow
NAS: DS216+II, DS118, DS718+
I think the filenames are encoded on the NAS so that you can "turn off" sharing for a particular file even after someone has gotten the URL for it through pwndrop previously.

That is, pwndrop generates an arbitrary file name, and a different arbitrary pointer URL and provides the latter to the client. The client then follows that pointer to get to the file. Under normal circumstances, once the client has the pointer, they could keep on using it, or sharing it with others, unless/until you change the filename or delete the file. But with pwndrop, you can cut off access to that file by that client by changing the path provided by (and understood by) pwndrop, without doing anything to the file itself.

If the client knew the actual path and filename, they could presumably keep accessing it as long as it was there.

So is this the only plus point this tool has over Synology Drive?
 
NAS: DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Shadow, it's not at all like Synology Drive. The closest analogous Synology feature is the file sharing feature in File Station, which allows you to send an obfuscated link to someone who does not have any credentials on your Diskstation so that they can download the linked-to file.

The differences are many: pwndrop links will STREAM video and audio files, rather than download.
pwndrop enables you to easily put files up for downloading by dragging and dropping.
pwndrop enables webdav access to the files.
pwndrop has a number of features that are clearly intended primarily for use by malicious hackers: You can provide innocent looking links that disguise the true nature of the payload (by, e.g., linking to what appears to be a PDF when it's actually an EXE, etc.)
pwndrop allows you to "hide" the files that are "actually" at the links with decoy files until you're ready to "go live".
Etc.

I should mention, I'm not particularly endorsing this at all; I tried it out because I was curious, and so can share what I know... but I'm by no means an advocate.
 

Rusty (Moderator, www.blackvoid.club)
NAS: DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
I'm with @akahan on this one. It’s light, fast and full of features, but considering its name it’s obvious that usage was primarily targeted at hiding tracks and the ability to mask real intentions. Nice tool but not something I would personally use.
 

Geeked (NAS Hosted, nashosted.com)
NAS: DS918+, DS218+(2), RS820+
I'm with @akahan on this one. It’s light, fast and full of features, but considering its name it’s obvious that usage was primarily targeted at hiding tracks and the ability to mask real intentions. Nice tool but not something I would personally use.
This exactly. I didn’t want to condone phishing with it, hence why I didn’t cover that much about it.
 

Geeked (NAS Hosted, nashosted.com)
NAS: DS918+, DS218+(2), RS820+
... and yet the barn door has been unlocked and opened just a "crack".
It’s funny to prank friends by redirecting them to a rick roll or something like that. There’s a reason it’s called “pwndrop” lol.
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top