A user-friendly web interface for sharing a hashcat cracking box among multiple users, with some predefined options.


The homepage

Wavecrack - Web Interface For Password Cracking With Hashcat

Adding a hash to crack


Seeing the results and some stats



  • This web application can be used to launch asynchronous password cracks with hashcat.
  • The interface tries to be as user-friendly as possible: it makes it easier to choose a password cracking method and automates the succession of various attack modes.
  • It also displays statistics about the cracked passwords and allows the cracked password list to be exported as CSV.
  • The application is designed to be used in a multi-user environment with strict segregation between the cracking results of different users. User authentication can be done through an LDAP directory or basic auth.


Wavecrack can be used to do the following:

  • Add new password hashes, choose the attack mode and the crack duration
  • View the past and current cracks for your user with statistics and graphs
  • View the overall load of the platform
  • Upload a password-protected file and extract its hash

The attack modes are followed in the order they are displayed on the hash submit form.
It is also possible to stop a crack. However, every cancellation is final.
A limit on the number of concurrent cracks can be defined in the settings so that the performance of the cracks already running is not reduced.


  • hashcat: follow these instructions for CPU-only usage on a Kali Linux host
  • flask (>=0.10.1)
  • celery (>=3.1.18)
  • SQLite (>=
  • rabbitmq-server (>= 3.4.3)
  • Rules for hashcat (examples)
  • Wordlists (examples)


> Install the RabbitMQ server and python-ldap requirements

> Install the python requirements

Create a cracker/app_settings.py configuration file from the cracker/app_settings.py.example file and edit it, in particular the Mandatory settings section:

  • The path of hashcat
  • The RabbitMQ connection string: by default, the guest/guest account is used. Be sure to harden your installation
  • The path of the SQLite database
  • The path of the hashcat rules
  • The path of the wordlists

The LDAP parameters:

  • IP address
  • port
  • LDAP database for the users
  • Base DN
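The guest/guest default called out for the RabbitMQ connection string can be checked before the application is started. This is an added example, not part of Wavecrack: `audit_broker_url` and its finding codes are hypothetical names, the sample URLs are constructed, and no setting name from app_settings.py is assumed.

```python
"""Audit a RabbitMQ/Celery broker URL for weak defaults (added example)."""
import ipaddress
from urllib.parse import unquote, urlsplit


def is_loopback(host):
    """True for localhost or a loopback IP literal; other DNS names count as remote."""
    if host is None or host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_broker_url(url):
    """Return a sorted list of finding codes for an AMQP connection string."""
    parts = urlsplit(url)
    if parts.scheme not in ("amqp", "amqps", "pyamqp"):
        raise ValueError("not an AMQP URL: %r" % url)
    # Credentials omitted from an AMQP URL fall back to guest/guest.
    user = unquote(parts.username) if parts.username else "guest"
    if parts.password is not None:
        password = unquote(parts.password)
    else:
        password = "" if parts.username else "guest"
    remote = not is_loopback(parts.hostname)
    findings = set()
    if (user, password) == ("guest", "guest"):
        findings.add("default-credentials")
        if remote:
            # RabbitMQ limits guest to loopback by default (loopback_users),
            # so a remote guest login means that restriction was removed.
            findings.add("guest-exposed-remotely")
    if password == "":
        findings.add("empty-password")
    if remote and parts.scheme != "amqps":
        # TLS may still be configured outside the URL; review that by hand.
        findings.add("plaintext-remote")
    return sorted(findings)


# Constructed sample values, not taken from Wavecrack's settings file.
SAMPLES = [
    "amqp://guest:guest@localhost:5672//",
    "amqp://guest:guest@10.0.0.5:5672//",
    "amqps://wavecrack:S3p%40rate-Secret@broker.example.internal:5671/cracks",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("@")[-1], audit_broker_url(sample))
```

An empty result means none of these four checks fired; it does not cover RabbitMQ permissions, virtual hosts or the management plugin.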

Initialize the local database linked in the cracker/app_settings.py configuration file

Start the RabbitMQ server

Start Celery from the application folder

Launch the Flask web server

  • Directly from the server.py file: this mode is not suitable for production use
  • With a wsgi script: an example of app.wsgi.example is provided
  • Similarly, supervisorctl can be used to manage celery with a configuration file example in supervisorcelery.conf.example
  • In order to stop the cracks after a certain amount of time, you can use the provided cron script.
  • If you want to update the list of hashes supported, you can use the dedicated script which will parse hashcat’s wiki and generate an updated hashcat_hashes.py. To do so, you need to have BeautifulSoup installed on your system.
  • Finally, if you don’t want to set up your own VM, you can use the Docker-based process described in the docker folder.

Download Wavecrack