• Stars
    star
    164
  • Rank 230,032 (Top 5 %)
  • Language
    Python
  • Created almost 8 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Wavestone's web interface for password cracking with hashcat

Wavecrack

Description

A user-friendly Web interface to share an hashcat cracking box among multiple users with some pre-defined options.

Screenshots

  • The homepage The homepage
  • Adding an hash to crack Adding an hash to crack
  • Seeing the results and some stats Seeing the results and some stats

Outline

  • This Web application can be used to launch asynchronous password cracks with hashcat.
  • The interface tries to be as user-friendly as possible and facilitates the password cracking method choice and to automate the succession of various attack modes.
  • It also displays statistics regarding the cracked passwords and allows to export the cracked password list in CSV.
  • The application is designed to be used in a multi-user environment with a strict segregation between the cracking results of different users: the user authentication can be done through an LDAP directory or basic auth.

Usage

Wavecrack can be used to do the following:

  • Add new password hashes, choose the attack mode and the crack duration
  • View the past and current cracks for your user with statistics and graphs
  • View the overall load of the platform
  • Upload a password-protected file and extract its hash

The attack modes are followed in the order they are displayed on the hash submit form.
It is also possible to stop a crack. However, every cancelation is final.
A limit to the amount of concurrent cracks can be defined in the settings in order not to reduce the current cracks performance.

Requirements

  • hashcat: follow these instructions for CPU only usage on a Kali linux host
  • flask (>=0.10.1)
  • celery (>=3.1.18)
  • SQLite (>=3.8.7.4)
  • rabbitmq-server (>= 3.4.3)
  • Rules for hashcat (examples)
  • Wordlists (examples)

Installation

  • Install the RabbitMQ server and python-ldap requirements
$ apt-get install libsasl2-dev libldap2-dev libssl-dev rabbitmq-server
$ pip install -r requirements.txt
  • Create a cracker/app_settings.py configuration file from the cracker/app_settings.py.example file and notably edit the Mandatory settings section:

    • The path of hashcat
    • The RabbitMQ connection string: by default, the guest/guest account is used. Be sure to harden your installation
    • The path of the SQLite database
    • The path of the hashcat rules
    • The path of the wordlists
    • The LDAP parameters:
      • IP address
      • port
      • LDAP database for the users
      • Base DN
  • Initialize the local database linked in the cracker/app_settings.py configuration file

$ sqlite3 base.db < base_schema.sql
  • Start the RabbitMQ server
$ sudo service rabbitmq-server start
  • Start Celery from the application folder
$ celery worker -A cracker.celery

Finally, if you don't want to setup your own VM, you can use the Docker-based process described in the docker folder.

Copyright and license

All product names, logos, and brands are property of their respective owners.
All resources published in wavecrack are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See the GNU General Public License for more details.

Contact

  • Cyprien Oger < cyprien.oger at wavestone d0t com >
  • CERT-W < cert at wavestone d0t com >

More Repositories

1

EDRSandblast

C
1,441
star
2

abaddon

Python
333
star
3

hadoop-attack-library

A collection of pentest tools and resources targeting Hadoop environments
Python
254
star
4

dyode

A low-cost, DIY data diode for ICS
Python
176
star
5

AD-security-workshop

Resources for our Active Directory security workshops
139
star
6

powerpxe

Powershell script to extract information from boot PXE
PowerShell
130
star
7

DEFCON-CICD-pipelines-workshop

HCL
92
star
8

Invoke-CleverSpray

Password Spraying Script detecting current and previous passwords of Active Directory User
PowerShell
63
star
9

opcua-scan

Tooling for discovery & information gathering from OPC-UA servers
Python
17
star
10

1-2-3-Cyber

17
star
11

mainframe-attack-library

Collection of scripts to p*wn mainframes
Python
14
star
12

s7-get

Tools to interact with Siemens PLCs
Python
11
star
13

fun-with-modbus-0x5a

Material from ICS Village talk at DEFCON 25
Ruby
10
star
14

bhasia23-opcuhack

Slides & content for our Arsenal lab session at BlackHat Asia 2023
10
star
15

plc-code-security

Experiments with the Top 20 Secure PLC Coding Practices
7
star
16

MISC-AD-trusts-relationships

Lab files & scripts for our articles in MISC regarding Active Directory trusts relationships
PowerShell
7
star
17

bheu22-capture-the-train

Slides and code snippets for the Arsenal demo lab session at BlackHat Europe 2022
6
star
18

Malware-Development-On-Secured-Environment

C
4
star
19

dc32-securing-ics-101

3
star
20

jumping-from-cloud-to-on-premises-and-the-other-way-around

2
star
21

dc32-hack-the-connected-plant

Slides from our workshop at DEFCON 32 on "Hacking the connected plant"
2
star