Serverless Toolkit for Pentesters
This repository is a collection of serverless functions I have developed over the past few months doing bug bounties and penetration tests. I found myself constantly spinning up disposable VPSs to run tiny snippets of code or host some static resources and I got sick of wasting resources and managing that infrastructure to just run a simple command.
All of these examples were written to make use of Zeit's awesome now.sh. While I've used other providers like AWS Lambda and Google Cloud Functions (including the really cool serverless toolkit), I found that now.sh was the most straightforward and allowed custom Dockerfiles to be executed. Zeit recently rolled out Now 2.0 which actually breaks a lot of these, so the version is pinned to 1.0 for each of these deployments.
For more information and background, see the related blogpost: https://blog.ropnop.com/serverless-toolkit-for-pentesters/
Since the initial release of this toolkit, Now V2 is now the default and V1 is no longer supported for new accounts. I have updated all the functions to support NowV2, but unfortunately
webshell no longer work with the new builders in NowV2.
List of Functions
Each function contains more information on how to install and use. The following functions are included:
This function takes a redirect URL as an environment variable and simply redirects any incoming request to it. Useful for some edge cases when testing for SSRF
Similar to above, this function redirects to the Gopher protocol. It reads raw data from a file and constructs a Gopher URL. This can be used to redirect a GET request to a POST request including data.
This function simply dumps the incoming request to a JSON response. Useful for when you want to see what a request entails without having to capture it in Burp
This function dumps incoming requests to a Slack webhook. Very useful for when testing SSRF or Blind XSS. It's possible to embed this URL in various places and be automatically notified if/when any server makes a request to it via Slack
Slack Data Dumper
This function takes any raw binary POSTed to it and uploads it via the Slack API, then alerts a channel with the new file. The filename is derived from whatever path you POST to. This is really useful for quick data exfiltration during post-exploitation, as you can just use curl with
-data-binary on a file to your serverless function and get the file contents in your Slack workspace.
This function spins up a server to help with XXE OOB exfiltration. It's inspired by my other project, xxetimes. The server listens on
/dtd and serves up a custom DTD file with nested entities to exfiltrate data over HTTP back to itself. It accepts a
filename parameter to generate a specific file entity (otherwise it has be specified elswhere in the XML). When the server gets data back, it dumps it to Slack.
There are also options when targeting PHP to base64 encode/decode the data.
This example function shows how it's possible to run arbitrary binaries in Docker containers with serverless functions by capturing stdout with Express. This function simply runs an nmap scan with the
-F -Pn -sT options against a target. It can be useful to quickly see if a port is open from an external or different IP address than where you are testing.
Similar to the nmap example, this runs massdns in a serverless Docker container. It accepts a newline separated list of domains in the POST body and runs massdns agaisnt them, returning results in JSON.
Someteimes you just want a shell. This uses gotty ontop of an Alpine base image with a few other extra pentester tools (nmap, ncat, etc). You can specify credentials in
username:password format with the
GOTTY_CREDENTIALS environment variable if you want.
As I continue to play with serverless more I'll keep this updated. PR's and suggestions welcome!
With Zeit's move to Now 2.0, I fear that some of these may not be possible in the nearish future, so eventually I'll look at migrating to AWS or Google Cloud and seeing what's possible there