How to create a HTTPS server with one-liner command

Yicong
3 min readSep 28, 2021

--

Photo credits: www.gollahalli.com

During a pen-test engagement, we are all guilty of using this one-liner command python -m SimpleHTTPServer 80 to host and share our files. At a glance, this method seems efficient, as we are able to serve our content easily to other host with one line of code. However, you are actually transferring the content in clear text.

So anyone (especially from Security Operation Centre) could sniff the network traffic and read your content easily. This lowers your pen-testing effectiveness, as your every action can be monitored.

To demonstrate this, I will use wire-shark to monitor the network traffic.

Network Setup

Client retrieving a HTTP file from the Kali machine.

Client retrieved an important.txt file with a secret text

By monitoring the network traffic with wireshark, we are able to see the transferred content in clear text.

“this is my secret text” can be identified in the blue box

So if your pen-test engagement requires you to deploy certain public exploits, it will be flagged by Intrusion Detection System (IDS) easily due to its prominent signature. This gives your client a false sense of security that their IDS engine is effective in detecting malware.

To enhance your pen-test engagement, use a HTTPS server to host your files instead, which uses the Secure Socket Layer (SSL) protocol to encrypt your communication channel.

To setup, you will need to generate a self-signed certificate and do some socket programming. This may sound daunting but I have created a python script to automate this for you :)

Steps to deploy HTTPS server

  1. Change directory to your web folder (cd)
  2. Change to root (sudo su)
  3. Copy and paste one-liner command:
wget https://gist.githubusercontent.com/ohyicong/789662fc9c677b9dd30c8c5bad8bfa8c/raw/ad8c3a7b0e9d9fcea974ce35f076776e661b5d22/SimpleHTTPSServer.py -O SimpleHTTPSServer.py && python3 SimpleHTTPSServer.py 443

So with this one-liner command, you are able to serve your content securely. Let’s use wire shark to monitor the HTTPS traffic.

The red box highlights the encrypted message

Conclusion

It is funny how a simple trick can be so hard to find on the internet. Nevertheless, I hope that this helps in your pen-testing journey. Cheers :)

--

--