Pwndrop – Self-Hosted File Hosting Service

PWNdrop is a very basic file sharing service that focuses on link sharing utilizing HTTP, HTTPS and WebDAV.

Pwndrop is a self-deployable file hosting service for red teamers, allowing you to easily upload and share payloads over HTTP and WebDAV.

The video above is there for people who want to see how it’s done rather than reading the guide. If you prefer a quick reference guide, here it is below!

Also, please note that the guide below is different from the video. By the time I wrote this, linuxserver.io had released their image of PWNdrop, so I decided to use that image here.

The video above
Above what? No video in this thread for me.

But cool, as there have been many requests for a drop point for files, and while File Station somewhat has this capability, this is far more user friendly. Now I can send all my work files to my NAS... when I'm not "working from home".
 
It's in the blog article. Not sure RSS feeds can pull videos in.
 
OK... Just FYI... the blog video walks through a different image than your write-up, with different ports, etc. Pretty interesting... I don't understand why the file names are encoded on the NAS. Why?
 
I think the filenames are encoded on the NAS so that you can "turn off" sharing for a particular file even after someone has gotten the URL for it through pwndrop previously.

That is, pwndrop generates an arbitrary file name, and a different arbitrary pointer URL and provides the latter to the client. The client then follows that pointer to get to the file. Under normal circumstances, once the client has the pointer, they could keep on using it, or sharing it with others, unless/until you change the filename or delete the file. But with pwndrop, you can cut off access to that file by that client by changing the path provided by (and understood by) pwndrop, without doing anything to the file itself.

If the client knew the actual path and filename, they could presumably keep accessing it as long as it was there.
 
So is this the only plus point this tool has over Synology Drive?
 
Shadow, it's not at all like Synology Drive. The closest analogous Synology feature is the file sharing feature in File Station, which allows you to send an obfuscated link to someone who does not have any credentials on your Diskstation so that they can download the linked-to file.

The differences are many:
pwndrop links will STREAM video and audio files, rather than download.
pwndrop enables you to easily put files up for downloading by dragging and dropping.
pwndrop enables webdav access to the files.
pwndrop has a number of features that are clearly intended primarily for use by malicious hackers: You can provide innocent looking links that disguise the true nature of the payload (by, e.g., linking to what appears to be a PDF when it's actually an EXE, etc.)
pwndrop allows you to "hide" the files that are "actually" at the links with decoy files until you're ready to "go live".
Etc.

I should mention, I'm not particularly endorsing this at all; I tried it out because I was curious, and so can share what I know....but I'm by no means an advocate.
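
As an added illustration (this is example code written for this thread, not pwndrop's source, and the names Drop, Upload, Publish, GoLive, Disable and Fetch are made up for it), here is a minimal Go model of the two behaviours described in the posts above: a random storage name plus a separate random pointer path, so you can cut a client off or rotate the link without touching the file, and a decoy that sits at the link until you go live. The in-memory maps and token lengths are assumptions; pwndrop's real implementation persists to disk and differs in detail.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var ErrNotFound = errors.New("no such file")

// hostedFile is one uploaded payload: bytes live under a random storageName (what
// shows up on the NAS); clients only see urlPath, which serves the decoy until GoLive.
type hostedFile struct {
	storageName, origName string
	content, decoy        []byte
	urlPath               string // random pointer handed to clients; rotated by Publish
	enabled               bool
}

type Drop struct { // in-memory model of the pointer -> file indirection
	mu     sync.Mutex
	files  map[string]*hostedFile // storageName -> file
	byPath map[string]*hostedFile // urlPath -> file, only while published
}

func NewDrop() *Drop {
	return &Drop{files: map[string]*hostedFile{}, byPath: map[string]*hostedFile{}}
}

func randomToken(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Upload stores content under a fresh random name and returns that name as the
// admin-side handle. A non-nil decoy is what clients get until GoLive; nothing is
// reachable by clients until Publish.
func (d *Drop) Upload(origName string, content, decoy []byte) string {
	d.mu.Lock()
	defer d.mu.Unlock()
	f := &hostedFile{storageName: randomToken(16), origName: origName, content: append([]byte(nil), content...), decoy: append([]byte(nil), decoy...)}
	d.files[f.storageName] = f
	return f.storageName
}

// Publish enables the file and issues a fresh pointer path; any earlier path for
// this file stops resolving, which cuts off a client who kept the old URL.
func (d *Drop) Publish(id string) (string, error) {
	d.mu.Lock()
	defer d.mu.Unlock()
	f, ok := d.files[id]
	if !ok {
		return "", ErrNotFound
	}
	delete(d.byPath, f.urlPath) // harmless while urlPath is still ""
	f.urlPath = "/" + randomToken(12)
	f.enabled = true
	d.byPath[f.urlPath] = f
	return f.urlPath, nil
}

// GoLive drops the decoy so the pointer serves the real payload; Disable keeps
// the file in place but makes its pointer stop resolving.
func (d *Drop) GoLive(id string) error  { return d.update(id, func(f *hostedFile) { f.decoy = nil }) }
func (d *Drop) Disable(id string) error { return d.update(id, func(f *hostedFile) { f.enabled = false }) }

func (d *Drop) update(id string, fn func(*hostedFile)) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	f, ok := d.files[id]
	if !ok {
		return ErrNotFound
	}
	fn(f)
	return nil
}

// Fetch is what the download handler calls with the request path. Storage names are
// never looked up here, so the on-disk name is useless to a client, and an unknown,
// rotated or disabled path is simply not found.
func (d *Drop) Fetch(path string) (content []byte, name string, ok bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	f, found := d.byPath[path]
	if !found || !f.enabled {
		return nil, "", false
	}
	if f.decoy != nil {
		return f.decoy, f.origName, true
	}
	return f.content, f.origName, true
}

func main() {
	d := NewDrop()
	p, _ := d.Publish(d.Upload("report.pdf", []byte("constructed real payload"), []byte("%PDF-1.4 constructed decoy")))
	fmt.Println("pointer handed to clients:", p)
}
```

Running it prints only the random pointer path. Calling Publish again rotates that pointer (the old one stops resolving), Disable kills it while the bytes stay where they are, and Fetch never accepts the storage name, which is the property the explanation above relies on.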
 
I'm with @akahan on this one. It's light, fast and full of features, but considering its name it's obvious that usage was primarily targeted for hiding tracks and the ability to mask real intentions. Nice tool but not something I would personally use.
This exactly. I didn't want to condone phishing with it, which is why I didn't cover that much about it.
 
