siusiu (pronounced like "suite suite") is a suite for managing suites. It is designed to free penetration testing engineers from having to learn and operate a wide range of security tools, reducing the time and effort they spend installing tools and remembering how to use them.

Overview

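siusiu (suitesuite)

A suite for managing suites. It aims to free penetration testing engineers from learning and operating a wide range of security tools, and to reduce the time and effort they spend installing tools and remembering how to use them.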

Features

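siusiu provides a shell console through which you can:

  • List the available third-party security tools
  • Install third-party security tools automatically
  • Run third-party security tools
  • View the documentation and usage examples for third-party security tools (via the demos command)

siusiu also supports a non-interactive mode so that other programs can call it, for example: siusiu exec help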

Usage:

siusiu > help

Commands:
  GitHack                    .git泄漏利用脚本
  Glass                      针对资产列表的快速指纹识别工具
  SecList                    各种字典、webshell合集
  TPscan                     一键ThinkPHP漏洞检测
  Vulcan                     资产扫描工具(红队)
  XMLmining                  从xlsx、pptx、docx 文件的metadata中挖掘有用信息的工具
  arp-spoofing               局域网内主机扫描,ARP投毒、中间人攻击、敏感信息嗅探,HTTP报文嗅探
  backup-dict                生成网站备份字典
  baidu                      baidu url采集
  c-segment-scan             c段弱点发现
  clear                      clear the screen
  cms-fingerprint            cms指纹识别
  demos                      获取工具的使用样例
  dir-collector              采集某个项目的所有目录名
  dirsearch                  目录扫描器
  ds_store_exp               macOS .DS_Store文件泄漏利用脚本
  dvcs-ripper                SVN 泄漏利用脚本
  exit                       exit the program
  help                       display help
  influx                     influx 配置疏忽漏洞利用
  nmap                       端口扫描器
  one-for-all                一款功能强大的子域名收集工具
  passwd-based-domain        基于域名生成若口令字典,常用于爆破网站后台密码
  passwd-based-userinfo      基于用户资料生成弱口令字典
  passwd-guess               弱口令爆破器,支持:ssh,ftp,mysql,redis,mssql,postgresql,mongodb
  pocsuite3-cli              poc框架(命令行模式)
  pocsuite3-console          poc框架(控制台模式)
  port-scan                  主动扫描端口
  proxy-collector            代理采集
  shiro-attack               shiro反序列化漏洞综合利用工具(GUI)
  shodan                     通过shodan被动扫描目标主机
  sqlmap                     自动化sql注入工具
  url-collector              搜索引擎URL采集器(goole,bing)
  vim-swp-exp                vim swp 文件泄漏利用工具
  vulhub                     漏洞靶场镜像库
  wafw00f                    waf指纹识别
  whois                      whois查询
  xray                       漏洞扫描器
  zenmap                     nmap-gui 版本,一个端口扫描器

Installation:

wget https://gitee.com/nothing-is-nothing/siusiu/raw/master/setup.sh
chmod +x setup.sh
./setup.sh
siusiu

Screenshots

If pocsuite3 is not installed, siusiu downloads it automatically and then runs it.

Running sqlmap and dirsearch in the siusiu console.

Tested On

  • MacOS
  • CentOS7
  • Ubuntu

Develop

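If you have other good security tools that you would like to integrate into siusiu, follow these steps:
step1. Under the siusiu installation directory ($HOME/src/siusiu), create a directory for the tool (naming it after the tool is recommended, e.g. dirsearch), and in that directory create the tool's shell script run.sh, for example: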

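#!/bin/bash
base_path=$HOME/src
dirsearch_path=$base_path/dirsearch

function download {
    # Clone dirsearch into the target directory and install its Python dependencies
    git clone https://github.com.cnpmjs.org/maurosoria/dirsearch.git "$1" || return 1
    cd "$1" || return 1
    pip3 install -r requirements.txt
}

# 1. Check whether the program directory exists
if [ ! -d "$dirsearch_path" ]; then
    # 2. If it does not exist, download it
    echo "[*] download dirsearch..."
    download "$dirsearch_path" || exit 1
fi
# Run dirsearch, passing every argument through unchanged
python3 "$dirsearch_path/dirsearch.py" "$@"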

step2. Add the tool to the config.json configuration file, for example:

        {
            "Name": "dirsearch",
            "Help": "目录扫描器",
            "Run": "dirsearch/run.sh"
        },

Here Name is the tool name, Help is the tool description, and Run is the path of the tool's run.sh relative to the myvendor directory.
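Because the Run field names a script that the console will execute, it is worth checking new entries before registering them. The following is an added example, not siusiu's own code: it rejects entries whose Run path is absolute, climbs out of the vendor directory, or does not name an executable file. The names Tool, CheckTool and Rejected are hypothetical, and treating the tool list as a bare JSON array is an assumption, since the page shows only a single entry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Tool mirrors one config.json entry as shown on the page.
type Tool struct{ Name, Help, Run string }

// CheckTool returns nil only when t.Run is a relative path inside vendorDir naming an executable file.
func CheckTool(vendorDir string, t Tool) error {
	if t.Name == "" || t.Run == "" {
		return fmt.Errorf("entry %q: Name and Run are required", t.Name)
	}
	clean := filepath.Clean(t.Run) // collapses a/../../b to ../b so the prefix test below is reliable
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%s: Run %q leaves the vendor directory", t.Name, t.Run)
	}
	info, err := os.Stat(filepath.Join(vendorDir, clean))
	if err != nil || !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
		return fmt.Errorf("%s: %s is missing or not an executable file", t.Name, clean)
	}
	return nil
}

// Rejected parses a JSON array of entries (assumed layout) and returns the
// names of the entries that fail CheckTool, in input order.
func Rejected(vendorDir string, data []byte) (bad []string, err error) {
	var tools []Tool
	if err = json.Unmarshal(data, &tools); err != nil {
		return nil, err
	}
	for _, t := range tools {
		if CheckTool(vendorDir, t) != nil {
			bad = append(bad, t.Name)
		}
	}
	return bad, nil
}

func main() {
	// Constructed sample entries, checked against the current directory.
	sample := `[{"Name":"dirsearch","Run":"dirsearch/run.sh"},{"Name":"escape","Run":"../outside/run.sh"}]`
	fmt.Println(Rejected(".", []byte(sample)))
}
```

The check is lexical plus a stat call; it does not resolve symlinks, so a run.sh that is itself a symlink to a file outside the directory would still pass.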

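Writing demo documentation for a tool

Perhaps you have had this frustration too: you spend every day learning how to use various tools, yet when you actually need one you cannot remember how it works, so you open your notebook and search and search until you finally find your old notes.
siusiu offers one solution to this problem: integrate each tool's documentation or common demos into the shell console, and when you need them, view them with the command: demos + tool name.
You can write your frequently used command demos as markdown documents in the $HOME/src/siusiu/myvendor/demos directory; the siusiu console reads this directory automatically.
For example, a document of common demos for sqlmap: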

# sqlmap demos

```shell
# -m: scan the targets listed in a file; --batch: accept the default answer to every prompt instead of asking y/n; --random-agent: use a random User-Agent
sqlmap -m temp2.txt --batch --random-agent > result.txt

# Try to enumerate all database names
sqlmap -u url --dbs --random-agent --batch

# Enumerate table names
sqlmap -u url --tables --random-agent --batch

# Try to enumerate all users:
sqlmap -u url --users --random-agent --batch

# Try to enumerate accounts and passwords:
sqlmap -u url --passwords --random-agent --batch

# Try to get the current user:
sqlmap -u url --current-user --random-agent --batch

# Test the current user's privileges:
sqlmap -u url --is-dba --random-agent --batch

# Try to write a web shell and get a shell
sqlmap -u url --os-shell --random-agent --batch

# Execute a given SQL statement
sqlmap.py -u url -v 1 --sql-query 'select top 20 * from City'
```

In the siusiu console, run demos sqlmap.md to view this document.

QA

Q: What should I do if I like the author?
A: ⁄(⁄ ⁄•⁄ω⁄•⁄ ⁄)⁄

Q: Can it hack a satellite with one click?
A: No, at least not at this stage. Sorry. Mwah~ Yes, you can hack a satellite with one click, my little cutie.

Q: How do I build and install siusiu on a Raspberry Pi?
A: First of all, please don't speak English; use Mandarin. Then, I cannot reply to the question you just asked in Mandarin, excuse me. If you want to run it on an embedded platform such as the Raspberry Pi 3 Model B, you need to know that these platforms have an ARM core; for example, the Pi 3B's CPU is a Cortex-A53 with the ARMv8 architecture. So set GOOS=linux and GOARCH=arm64, then run go build main.go in your shell. Enjoy it!

Releases(docker)
  • docker(Jan 31, 2022)

    siusiu:/ > help
    
    Commands:
      cewl                 爬去网站关键字以生成字典
      clear                clear the screen
      crawlergo            使用chrome headless模式进行URL收集的浏览器爬虫
      davtest              webdav利用工具
      dirsearch            目录爆破工具
      ds_store_exp         .DS_Store 文件泄漏利用脚本
      exit                 exit the program
      ffuf                 模糊测试工具
      firefox-decrypt      firefox浏览器密码提取工具
      gobuster             目录扫描工具(dirsearch拉跨时备用)
      gopherus             ssrf漏洞gopher协议payload生成工具
      help                 display help
      http3-client         支持http3的客户端
      hydra                弱口令爆破工具
      nmap                 主机发现、端口扫描、服务扫描、版本识别
      pocsuite3            poc测试框架
      searchsploit         exp/poc搜索工具
      smbmap               smb服务利用工具
      smtp-user-enum       SMTP用户名枚举工具
      sqlmap               SQL注入攻击工具
      steghide             隐写术工具
      stegseek             爆破隐写术密码
      svn-exp              svn-exp 文件泄漏利用脚本
      tool-helper          获取工具的帮助文档
      wfuzz                web应用fuzz工具
      whatweb              web指纹识别
      xray                 安全评估工具
    
    
    Source code(tar.gz)
    Source code(zip)
    siusiu.exe(3.23 MB)
    siusiu_darwin_amd64(2.71 MB)
    siusiu_linux_amd64(2.75 MB)