stoQ is an automation framework that helps to simplify the more mundane and repetitive tasks an analyst is required to do. It gives analysts and DevSecOps teams the ability to quickly transition between different data sources, databases, decoders/encoders, and numerous other tasks. stoQ was designed to be enterprise ready and scalable, while also being lean enough for individual security researchers.
Want to learn more? Read some of the blog posts we've written.


Plugins
stoQ currently has over 40 publicly available plugins. These plugins are available separately in the plugin repository.

Installation and Documentation
Want to get started quickly? Check out the docker image.
stoQ requires a minimum of Python 3.4. Installation on Debian-based systems is as simple as running a script. For detailed instructions on how to install stoQ, including the installation script, please visit stoQ's install documentation. If you're interested in learning more about stoQ, including how to develop your own plugins, check out the full documentation.

Pocsuite is an open-source remote vulnerability testing and proof-of-concept development framework developed by the Knownsec Security Team. It comes with a powerful proof-of-concept engine and many niche features for the ultimate penetration testers and security researchers.


How to use

Pocsuite with seebug PoC search and zoomeye dork

Pocsuite with seebug PoC and zoomeye dork

Pocsuite with zoomeye API

Pocsuite with seebug PoC API online

Requirements

  • Python 2.6+
  • Works on Linux, Windows, Mac OSX, BSD

Installation
The quick way:

$ pip install pocsuite

Or click here to download the latest source zip package and extract

$ wget https://github.com/knownsec/Pocsuite/archive/master.zip
$ unzip master.zip

The latest version of this software is available from: http://pocsuite.org

Documentation
Documentation is available in the English docs / Chinese docs directory.


PA Toolkit is a collection of traffic analysis plugins that extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to a macro analyzer and threat hunter. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

  • WiFi (WiFi network summary, Detecting beacon, deauth floods etc.)
  • HTTP (Listing all visited websites, downloaded files)
  • HTTPS (Listing all websites opened on HTTPS)
  • ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
  • DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)

The project is under active development and more plugins will be added in the near future.
This material was created while working on the “Traffic Analysis: TSHARK Unleashed” course. Those interested can check the course here: https://www.pentesteracademy.com/course?id=42

Installation
Steps:

  1. Copy the “plugins” directory to the Wireshark plugins directory.
  2. Start Wireshark. 🙂

The location of the Wireshark plugins directory is listed under Help > About Wireshark > Folders.




Author

Under the guidance of Mr. Vivek Ramachandran, CEO, Pentester Academy


Documentation
For more details refer to the “PA-Toolkit.pdf” PDF file. This file contains the slide deck used for presentations.


Screenshots
PA Toolkit after installation

List of websites visited over HTTP

Search functionality

Domain to IP mappings

Automatic SQL injection with Charles and sqlmapapi

Dependencies

  • Django
  • PostgreSQL
  • Celery
  • sqlmap
  • redis

Supported platforms

  • Linux
  • osx


Installation
Preferably, you can download SQLiScanner by cloning the Git repository:

git clone https://github.com/0xbug/SQLiScanner.git --depth 1

You can download sqlmap by cloning the Git repository:

git clone https://github.com/sqlmapproject/sqlmap.git --depth 1

SQLiScanner works with Python version 3.x on Linux and osx.
Create virtualenv and install requirements

cd SQLiScanner/
virtualenv --python=/usr/local/bin/python3.5 venv
source venv/bin/activate
pip install -r requirements.txt

Setting
DATABASES Setting

SQLiScanner/settings.py:85

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': '',
        'USER': '',
        'PASSWORD': '',
        'HOST': '127.0.0.1',
        'PORT': '5432',
    }
}

SendEmail Setting

SQLiScanner/settings.py:158

# Email

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_USE_TLS = False
EMAIL_HOST = ''
EMAIL_PORT = 25
EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
DEFAULT_FROM_EMAIL = ''

scanner/tasks.py:14

class SqlScanTask(object):
    def __init__(self, sqli_obj):
        self.api_url = "http://127.0.0.1:8775"
        self.mail_from = ""
        self.mail_to = [""]

Syncdb

python manage.py makemigrations scanner
python manage.py migrate

Create superuser

python manage.py createsuperuser

Run

redis-server
python sqlmapapi.py -s -p 8775
python manage.py celery worker --loglevel=info
python manage.py runserver

Hatch is a brute force tool that is used to brute force most websites.

Installation Instructions

git clone https://github.com/MetaChar/Hatch
python2 main.py


Requirements

pip2 install selenium
pip2 install pyvirtualdisplay
pip2 install requests
sudo apt-get install xserver-xephyr

Chrome and ChromeDriver are also required. ChromeDriver download link: http://chromedriver.chromium.org/downloads. Copy it to bin.

How to use (text)
1). Find a website with a login page
2). Inspect element to find the selector of the username form
3). Do the same for the password field
4). Then the login form
5). When asked, put in the username to brute force
6). Watch it go!

How to use (Video)

[youtube https://www.youtube.com/watch?v=Hd_kQVnajxk]

Automatically brute force all services running on a target

  • Open ports
  • Usernames
  • Passwords


INSTALL:

./install.sh

USAGE:

brutex target 

DOCKER:

docker build -t brutex .
docker run -it brutex target

DEMO VIDEO:

[youtube https://www.youtube.com/watch?v=7QCBh9Enl2M]

Ransomware written in NodeJs.

Install and run

git clone https://github.com/atmoner/nodeCrypto.git
cd nodeCrypto && npm install

You must edit first variable in index.js
Once your configuration is complete, you can start the ransomware.

node index.js

The files at the root of the web server will be encrypted and sent to the server.

Install server
Upload all files from the server/ folder to your web server.
Create a sql database and import sql/nodeCrypto.sql
Edit server/libs/db.php and add your SQL ID.

SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.


Usage

Usage:
    .\SharpWeb.exe arg0 [arg1 arg2 ...]

Arguments:
    all     - Retrieve all Chrome, FireFox and IE/Edge credentials.
    full    - The same as 'all'
    chrome  - Fetch saved Chrome logins.
    firefox - Fetch saved FireFox logins.
    edge    - Fetch saved Internet Explorer/Microsoft Edge logins.

Example: Retrieve Edge and Firefox Credentials

.\SharpWeb.exe edge firefox

Example: Retrieve All Saved Browser Credentials

.\SharpWeb.exe all

Standing on the Shoulders of Giants
This project uses the work of @plainprogrammer on a .NET 2.0 CLR compliant SQLite parser, which can be found here. In addition, @gourk created a wonderful ASN parser and cryptography helpers for decrypting and parsing the FireFox login files. It uses a revised version of his work (found here) to parse these logins out. Without their work this project would not have come together nearly as quickly as it did.

Ubuntu stealer: steals Ubuntu information from the local PC (nice with a USB key)

Require

  • G++
    sudo apt-get install g++
  • libsqlite3
    sudo apt-get install libsqlite3-dev


Compilation
Go into the Ustealer/ folder and run make:
make

Use
./ustealer

w3brute is an open source penetration testing tool that automates attacks directly against a website's login page. w3brute also supports carrying out brute force attacks on all websites.


Features

  1. Scanner:

w3brute has a scanner feature that supports the brute force attack process. Available scanners:

  • automatically detects target authentication type.
  • admin page scanner.
  • SQL injection vulnerability scanner.

  2. Attack Method:

w3brute can attack using various methods. Available attack methods:

  • SQL injection bypass authentication
  • mixed credentials (username + SQL injection queries)

  3. Support:

  • multiple target
  • google dorking
  • a list of supported web interface types to attack:
    • web shell
    • HTTP 401 UNAUTHORIZED (Basic and Digest)
  • creates a results file for the brute force attack. Supported file formats:
    • CSV (default)
    • HTML
    • SQLITE3
  • custom credentials (username, password, domain) (supported zip file)
  • custom HTTP requests (User-Agent, timeout, etc)
  • and much more…

Installation
You can download the latest version as a tarball here or a zipball here. If you have git installed, you can clone the Git repository as below:

git clone https://github.com/aprilahijriyan/w3brute.git

w3brute can be run with Python version 2.6.x or 2.7.x on all platforms.

Usage
To get the list of all options of the w3brute tool:

python w3brute.py -h

Examples:

# basic usage
$ python w3brute.py -t http://www.example.com/admin/login.php
# look for the admin page
$ python w3brute.py -t http://www.example.com/ --admin
# uses a password file zip list. (syntax => [:password])
$ python w3brute.py -t http://www.example.com/ --admin -u admin -p "/path/to/file.zip;filename.txt" # (if the file is encrypted: "/path/to/file.zip;filename.txt:password"; quoted so the shell does not treat ';' as a command separator)
# slice the password from the list. (syntax => [:stop][:step])
$ python w3brute.py -t http://www.example.com/ --admin -u admin -sP 20000

Video

[youtube https://www.youtube.com/watch?v=u4mi-cfRfGA&w=560&h=315]
