stoQ is a automation framework that helps to simplify the more mundane and repetitive tasks an analyst is required to do. It allows analysts and DevSecOps teams the ability to quickly transition from different data sources, databases, decoders/encoders, and numerous other tasks. stoQ was designed to be enterprise ready and scalable, while also being lean enough for individual security researchers.
Want to learn more? Read some of the blog posts we've written to learn more.

stoQ currently has over 40 publicly available plugins. These plugins are available separately in the plugin repository

Installation and Documenation
Want to get started quickly? Check out the docker image.
stoQ requires a minimum of python 3.4. Installation on Debian based systems is as simple as running a script. For detailed instructions on how to install stoQ, to include the installation script, please visit stoQ's install documentation. If you're interested in learning more about stoQ, to include how to develop your own plugins, checkout the full documentation.

Pocsuite is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec Security Team. It comes with a powerful proof-of-concept engine, many niche features for the ultimate penetration testers and security researchers.

How to use

Pocsuite with seebug PoC search and zoomeye dork

Pocsuite with seebug PoC and zoomeye dork

Pocsuite with zoomeye API

Pocsuite with seebug PoC API online


  • Python 2.6+
  • Works on Linux, Windows, Mac OSX, BSD

The quick way:

$ pip install pocsuite

Or click here to download the latest source zip package and extract

$ wget
$ unzip

The latest version of this software is available from:

Documentation is available in the english docs / chinese docs directory.


PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

  • WiFi (WiFi network summary, Detecting beacon, deauth floods etc.)
  • HTTP (Listing all visited websites, downloaded files)
  • HTTPS (Listing all websites opened on HTTPS)
  • ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
  • DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)

The project is under active development and more plugins will be added in near future.
This material was created while working on “Traffic Analysis: TSHARK Unleashed” course. Those interested can check the course here:


  1. Copy the “plugins” directory to Wireshark plugins directory.
  2. Start wireshark. 🙂

One can get the location of wireshark plugins directory by checking Help > About Wireshark > Folders

Tool featured at


Under the guidance of Mr. Vivek Ramachandran, CEO, Pentester Academy

For more details refer to the “PA-Toolkit.pdf” PDF file. This file contains the slide deck used for presentations.

PA Toolkit after installation

List of websites visited over HTTP

Search functionality

Domain to IP mappings

Automatic SQL injection with Charles and sqlmapapi


  • Django
  • PostgreSQL
  • Celery
  • sqlmap
  • redis

Supported platforms

  • Linux
  • osx

Preferably, you can download SQLiScanner by cloning the Git repository:

git clone --depth 1

You can download sqlmap by cloning the Git repository:

git clone --depth 1

SQLiScanner works with Python version 3.x on Linux and osx.
Create virtualenv and install requirements

cd SQLiScanner/
virtualenv --python=/usr/local/bin/python3.5 venv
source venv/bin/activate
pip install -r requirements.txt


'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': '',
'USER': '',
'HOST': '',
'PORT': '5432',

SendEmail Setting

# Email

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
class SqlScanTask(object):
def __init__(self, sqli_obj):
self.api_url = ""
self.mail_from = ""
self.mail_to = [""]


python makemigrations scanner
python migrate

Create superuser

python createsuperuser


python -s -p 8775
python celery worker --loglevel=info
python runserver

Hatch is a brute force tool that is used to brute force most websites

Installation Instructions

git clone


pip2 install selenium
pip2 install pyvirtualdisplay
pip2 install requests
sudo apt-get install xserver-xephyr

chrome driver and chrome are also required! link to chrome driver: copy it to bin!

How to use (text)
1). Find a website with a login page
2). Inspect element to find the Selector of the username form
3). Do the same for the password field
4). The the login form
5). When Asked put in the username to brute force
6). Watch it go!

How to use (Video)


Automatically brute force all services running on a target

  • Open ports
  • Usernames
  • Passwords




brutex target 


docker build -t brutex .
docker run -it brutex target



Ransomware written in NodeJs.

Install and run

git clone
cd nodeCrypto && npm install

You must edit first variable in index.js
Once your configuration is complete, you can start the ransomware.

node index.js

The files at the root of the web server will encrypt and send to the server.

Install server
Upload all file of server/ folder on your webserver.
Create a sql database and import sql/nodeCrypto.sql
Edit server/libs/db.php and add your SQL ID.

SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.


.SharpWeb.exe arg0 [arg1 arg2 ...]

all - Retrieve all Chrome, FireFox and IE/Edge credentials.
full - The same as 'all'
chrome - Fetch saved Chrome logins.
firefox - Fetch saved FireFox logins.
edge - Fetch saved Internet Explorer/Microsoft Edge logins.

Example: Retrieve Edge and Firefox Credentials

.SharpWeb.exe edge firefox

Example: Retrieve All Saved Browser Credentials

.SharpWeb.exe all

Standing on the Shoulders of Giants
This project uses the work of @plainprogrammer and his work on a compliant .NET 2.0 CLR compliant SQLite parser, which can be found here. In addition, @gourk created a wonderful ASN parser and cryptography helpers for decrypting and parsing the FireFox login files. It uses a revised version of his work (found here) to parse these logins out. Without their work this project would not have come together nearly as quickly as it did.

Ubuntu stealer, steal ubuntu information in local pc (nice with usb key)


  • G++
    sudo apt-get install g++
  • libsqlite3
    sudo apt-get install libsqlite3-dev

Go in Ustealer/ folder and run makefile


w3brute is an open source penetration testing tool that automates attacks directly to the website's login page. w3brute is also supported for carrying out brute force attacks on all websites.


  1. Scanner:

w3brute has a scanner feature that serves to support the bruteforce attack process. this is a list of available scanners:

  • automatically detects target authentication type.
  • admin page scanner.
  • SQL injection scanner vulnerability.
  1. Attack Method:

w3brute can attack using various methods of attack. this is a list of available attack methods:

  • SQL injection bypass authentication
  • mixed credentials (username + SQL injection queries)
  1. Support:
  • multiple target
  • google dorking
  • a list of supported web interface types to attack:
    • web shell
    • HTTP 401 UNAUTHORIZED (Basic and Digest)
  • create file results brute force attack. supported file format type:
    • CSV (default)
    • HTML
    • SQLITE3
  • custom credentials (username, password, domain) (supported zip file)
  • custom HTTP requests (User-Agent, timeout, etc)
  • and much more…

You can download the latest version of the tarball file here or zipball here. If you have installed the git package, you can clone the Git repository in a way, as below:

git clone

w3brute can be run with Python version 2.6.x or 2.7.x on all platforms.

To get all list of options on w3brute tool:

python -h


# basic usage
$ python -t
# look for the admin page
$ python -t --admin
# uses a password file zip list. (syntax => [:password])
$ python -t --admin -u admin -p /path/to/;filename.txt # (if the file is encrypted: /path/to/;filename.txt:password)
# slice the password from the list. (syntax => [:stop][:step])
$ python -t --admin -u admin -sP 20000