Anatomy of a Pentest Dropbox: How Remote Internal Assessments Actually Work
The Core Idea
A dropbox is a small computer that lives, temporarily, inside the target's network. The client plugs it into an Ethernet port and power; from there it becomes the tester's foothold on the inside. This lets an internal assessment - the scenario where we simulate an attacker who is already past the perimeter - happen without a person physically on-site for the entire engagement window.
The hardware is deliberately unremarkable: a Raspberry Pi for a cheap, disposable unit; an Intel NUC when the work needs real horsepower; or a purpose-built commercial appliance. Whatever the form factor, it runs a standard offensive toolkit and does its work quietly.
The Clever Part: It Calls You
The instinct is to imagine connecting into the dropbox. In practice, the client's firewall blocks inbound connections - that is its job. So the dropbox does the opposite: it makes an outbound connection to a server the tester controls, and the tester rides that tunnel back in.
This works because firewalls are strict about traffic coming in and permissive about traffic going out. Employees browse the web all day, so outbound connections look normal. A well-built dropbox blends into that traffic - a tunnel over a common port, or wrapped in ordinary-looking protocols - and re-establishes itself automatically if it reboots or the link drops. That persistence matters; a power blip should not end the engagement.
If this "phone home to my server" pattern sounds familiar, it should. It is the authorised, physical cousin of the command-and-control technique that real intrusions rely on. The difference is entirely one of permission.
Where the Actual Work Happens
A common misconception is that the dropbox is just a doorway. It is better thought of as the workstation. Because it sits inside the network, it is the right place to run the scanning and enumeration - traffic stays local and fast, rather than crawling back and forth through a tunnel. The tester connects in to drive it, but the tooling executes where the targets are. Design the device as the machine that does the job, not merely a relay.
Why Clients Like It
Remote internal assessments cut travel cost and scheduling overhead, and - this is the part that matters most - they are a more honest simulation. A real attacker does not stand in your server room. They establish a foothold and operate remotely, patiently, over an encrypted channel. A dropbox mirrors that threat model precisely, which makes the findings more representative of an actual breach.
The Part That Comes Before the Cable
None of this begins until the paperwork is signed. A dropbox is inert without a Rules of Engagement document that:
- Names the exact IP ranges, hosts, and time windows in scope
- States what is explicitly off-limits
- Lists an emergency contact
That authorisation is not bureaucratic friction; it is the line between a professional assessment and a crime, and it is also what tells you which segments of the network you are even permitted to touch.
The Defender's Takeaway
If you protect a network, the dropbox is a useful lens. It thrives on two assumptions: that anything already inside is trusted, and that outbound traffic is benign. Both are worth challenging.
- Network segmentation limits how far a foothold reaches.
- Egress filtering and monitoring for anomalous outbound connections - beaconing to unfamiliar hosts, tunnels over odd ports - turn the dropbox's quietest advantage into its loudest tell.
The same visibility that would catch an authorised tester's device is exactly what catches the real thing.
Comments
No comments yet. Start the discussion.