Karkinos is a light-weight ‘Swiss Army Knife’ for penetration testing and/or hacking CTF’s.
Today you'll be able to download a collection of passwords and wordlist dictionaries for cracking in Kali Linux. A wordlist or a password dictionary is a collection of passwords stored in plain text.
Currently Karkinos offers the following:
Encoding/Decoding characters
Encrypting/Decrypting text or files
Reverse shell handling
Cracking and generating hashes
Dependencies
Any server capable of hosting PHP; tested with Apache Server
Tested with PHP 7.4.9
Python3. Make sure it is in your path as python on Windows or python3 on Linux. If it is not, please change the commands in includes/pid.php.
pip3
Raspberry Pi Zero friendly (crack hashes at your own risk).
Installing
This installation guide assumes you have all the dependencies.
Run cd wordlists && tar -xf passlist.zip to extract the wordlist. You can also unzip it manually using a file explorer if tar is not installed. Just make sure passlist.txt is in the wordlists directory.
Add extension=php_sqlite3.dll to your php.ini file. If you don’t know where to find this, refer to the PHP docs.
That's it! Now just host it using your preferred web server, or run php -S 127.0.0.1:8888 in the Karkinos directory. Important: using port 5555 will conflict with the reverse shell handler server. If you insist on using port 5555, change the reverse shell handler server PORT value in /bin/Server/app.py (line 87).
Encoding/Decoding
This page allows you to encode/decode in common formats (more may be added soon)
Encrypt/Decrypt
Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.
Reverse Shell Handling
Reverse shells can be captured and interacted with on this page.
Create a listener instance
Configure the listener
Start the listener and capture a shell
Full reverse shell handling demo:
Generating Hashes
Karkinos can generate commonly used hashes such as:
MD5
SHA1
SHA256
SHA512
Cracking Hashes
Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.
Disclaimer
The Karkinos suite is meant to make penetration tests or any hacking CTF’s more efficient. It should be used only on applications that you have permission to attack. Any misuse or damage caused will be solely the users’ responsibility.
The tactic of brute-forcing a login, i.e., trying many passwords very quickly until the correct one is discovered, can be easy for services like SSH or Telnet. For something like a website login page, we must identify different elements of the page first. Thanks to a Python tool for brute-forcing websites called Hatch, this process has been simplified to the point that even a beginner can try it.
How Brute-Force Attacks Work
Brute-force attacks take advantage of automation to try many more passwords than a human could, breaking into a system through trial and error. More targeted brute-force attacks use a list of common passwords to speed this up, and using this technique to check for weak passwords is often the first attack a hacker will try against a system.
A brute-force attack against a service like SSH can be done easily from the command line with tools like Sshtrix. In a single line in a terminal, it’s easy to launch a brute-force against a discovered SSH server using the built-in password list, making services with bad passwords extremely likely to be broken into.
The biggest downside to a brute-force attack is that if the password does not exist in the password list, the attack will fail. If the password used on a target is strong, brute-force attacks can quickly become too expensive in time and resources to use as we start having to try every possible combination of characters. Another downside is that many services now do some fashion of rate limiting, which detects too many failed login attempts and blocks further attempts for a period, which can substantially slow down a brute-force attack.
Why Brute-Force Attacks Are Harder on Websites
While it’s easy to attack a service that takes a username and password over the command line, there is a lot more going on in the code of a website. To design this attack, we need to think about what the script needs to know to do its job.
We want the script to find the correct password associated with a particular account by entering a guess into the fields of the login page and submitting it until we get a successful result. To do so, we must interact with the graphical user interface of the login page to input the information into the correct fields of both the login and password fields.
After we do this, we need to submit the guess by clicking on the “Login” button on the page. Finally, we need the script to know the difference between a failure and a success, so that we can stop the script and identify the correct password guess.
All of this is a lot more work and quite confusing for beginners, but after doing so, automating brute-force attacks against the login page of most websites can be done similar to brute-forcing an SSH service.
Hatch for Brute-Forcing Web Logins
Python is an ideal language for automating these kinds of attacks, and Hatch uses Python2 to automate the Chrome web browser to stage a brute-force attack against the login of any webpage with a visible login form. While some websites with hidden login forms that require you to scroll or click to show can confuse the script, most websites are easy to target using this tool.
Upon launching Hatch, the script opens a Chrome window for you to inspect the elements of the page you are targeting. After telling the script what site you want to brute-force a login to, it will check to see if the page exists and is accessible. If it is, Hatch will ask what login you want to try to brute-force, and then request a list of passwords to try during the attack.
After Hatch has the information it needs, it will open a second Chrome window and begin automating the attack. You can sit back and watch the attack unfold either in the Chrome window or the terminal that is running the attack. In the terminal, you can watch each password attempt as the script progresses down the list. While this attack is powerful and useful against a wide range of targets, it can also be foiled by rate limiting and other methods of blocking excessive login attempts.
What You’ll Need
While Hatch is cross-platform, it was a little complicated to set up on some systems. We ended up getting Hatch working on a Windows system with a few modifications to the script, which we’ve included here.
To follow this guide, you’ll need a Windows system with Chrome and Python 2 installed. The current, modern version of Python is Python3, so you’ll need to make sure that you’re using the right version when you execute the script. If you run Hatch with Python3, it won’t work properly.
You’ll also need to install a few dependencies, including a driver to be able to interact with Chrome programmatically.
Step 1: Check Your Version of Python
First, we’ll need to install a few dependencies. To take care of these, press the Windows key or click the Start menu, then type cmd. After opening a command prompt, make sure you have Python2 installed correctly by typing python2 into the terminal window. You should see a result like below.
If you don’t, you can download Python2. Once your Python2 is installed, type the following commands to install dependencies.
Step 2: Install the Chrome Driver
Next, we’ll need to install the driver that allows us to control Chrome from the Python program. To do this, we will download a file from the Chrome Driver website, and then create a folder called webdrivers on your C drive. Move the downloaded file into this folder. While you can place it in another directory, you would need to modify the Python code.
Step 3: Download Hatch & Install
To install Hatch, you can change directory into your C drive before cloning it to make sure you can find it, or change to another location that you’ll be able to find. Type cd .. to go to the C drive of your computer, if that’s where you want. You can then download a forked version of Hatch from the GitHub page by opening a terminal window and typing the following.
This forked version has been modified to work on Windows. Once this is done downloading, you can type cd Hatch to change directories into the download folder.
Step 4: Run Hatch & Select Your Router Login
Now that we have Hatch on our system and all of the dependencies installed, it’s time to run Hatch and look at the way it works. First, let’s look at the help file by running the following from inside the Hatch folder.
You should see an output like below.
We can see the main options for Hatch here. To start, let’s pick a target on our local network to attack.
A good device on your local network to test this on would be something like a router, a printer, or some other device with a login page on the network. You can select this by running an Nmap scan on the network to find any IP addresses that have port 80 open. While port 80 is the most common port for web access, you can also search for ports 81, 8080, 8081, 443 to locate the login pages of various devices.
Next, we’ll need to find the subnet range so that we can scan the local network. To find this, you can use ipcalc to calculate your subnet range after finding your computer’s local IP address. If your computer, for example, has an IP address of 192.168.0.3, you can run ipcalc 192.168.0.3 to get the IP range for all possible IP addresses on that network. In this case, that would be 192.168.0.0/24.
Once you know the range, run the following Nmap scan on your network, with the iprange portion changed to add the IP range of your network.
When this scan returns, any service that lists the port as “open” should be hosting a website. Navigate to one like a printer or router that you have permission to log in to by entering the IP address followed by a colon and the port number we discovered in Nmap. You should see a login page like this:
Step 5: Identify the Login Elements
Now, we can run Hatch, but we’ll still need some more information in order to pull off this attack. Run Hatch by typing the following command, after navigating to the folder you saved the program to earlier.
A Google Chrome window should open, allowing us to navigate to a website we want to attack and begin identifying the parts of the website we want to manipulate.
Enter the URL to the target website’s login page into the first prompt from Hatch. It will check to make sure the website exists and can be accessed. Next, we’ll need to identify the login and password elements of the website we’re attacking.
On our target login page, right-click on the “Username” element, then click on “Inspect.”
Next, click on the ellipsis (•••) to the left of the window, and a drop-down menu will appear. Click on “Copy,” and then “Copy selector” to copy what Hatch will need to select and interact with this element. It should look something like “#username.”
Enter the username selector into Hatch, and then repeat the process with the “Password” selector.
Finally, right-click on the “Login” button to get the selector information, and add that to Hatch as well.
Now that we have the elements selected, we’ll set the username that we’re trying to brute-force. In this case, we’ll just type admin. The final step will be to select the default list that comes with Hatch. This is “passlist.txt” by default, so we’ll use this list in our first attack.
This password list isn’t huge, but it does contain many common passwords. Press return, and Hatch will open a new window to begin brute-forcing the password. You can watch the progress either from the terminal window or by watching the Chrome window that Hatch is automating.
Step 6: Update Your Wordlist & Run Against an External Website
If you’re not happy with the wordlist included in Hatch, you can add to it by opening it in a text editor like Nano or adding another wordlist from any repository of wordlists, such as those leaked from data breaches. After downloading a wordlist of your choice, you can add it to the “Hatch” folder, and select it instead of the default list.
Once you have a password list you’re happy with, let’s go ahead and test this on a common website. Create a throwaway account on Reddit.com or another site, and remember the login name. Set the password of the account to one that’s on one of the word lists.
After the dummy account is set up, run Hatch again and enter reddit.com/login (or the login page for the website you chose). Next, paste the selectors into the login, password, and button selector. Finally, enter the target username, and select the password list containing the right credentials. Press return, and the script should open a Chrome window and begin automating the attack.
Once the script detects a successful login, it will output the password that succeeded. While the original script tended to skip this and output the wrong password on Windows, my friend Nick modified the code to prevent this from happening in his forked version. If you get any weirdness from the forked version, you can always try the original Hatch version.
How to Defend Against Brute-Forcing
Websites have the best ability to defend against these attacks by making sure to implement common sense brute-forcing safeguards. Should a normal user be able to try to log in with the wrong password from a strange IP address 100 times? The answer is probably no. Be extra careful of websites that don’t take these sorts of precautions, as they will be extra vulnerable to losing your account information.
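The rate limiting mentioned earlier (blocking further attempts after too many failed logins) and the safeguard asked for above can be sketched as a sliding-window limiter keyed by both account and source IP. This is an added example, not code from Hatch, Karkinos or the original article; the thresholds, names and sample data are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 900          # seconds of history considered (assumed policy value)
MAX_PER_ACCOUNT = 5   # failed logins tolerated per account inside WINDOW
MAX_PER_IP = 20       # failed logins tolerated per source IP inside WINDOW


class LoginThrottle:
    """Sliding-window limiter keyed separately by account and by source IP."""
    def __init__(self):
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    @staticmethod
    def _recent(events, now):
        # Drop failures older than WINDOW, then report how many remain.
        while events and now - events[0] >= WINDOW:
            events.popleft()
        return len(events)

    def allowed(self, account, ip, now):
        # Decide before the password is checked, so a blocked guess leaks nothing.
        return (self._recent(self.by_account[account], now) < MAX_PER_ACCOUNT
                and self._recent(self.by_ip[ip], now) < MAX_PER_IP)

    def record_failure(self, account, ip, now):
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)


def guesses_checked(throttle, account, ip, wordlist, real_password, start=0.0, gap=1.0):
    """Replay a list of guesses; return (guesses evaluated, login succeeded)."""
    checked = 0
    for i, guess in enumerate(wordlist):
        now = start + i * gap
        if not throttle.allowed(account, ip, now):
            continue                      # rejected without checking the password
        checked += 1
        if guess == real_password:
            return checked, True
        throttle.record_failure(account, ip, now)
    return checked, False


# Constructed sample: 100 guesses, one per second, correct password at position 50.
SAMPLE = ["guess%03d" % i for i in range(100)]
SAMPLE[49] = "correct-horse"
if __name__ == "__main__":
    print(guesses_checked(LoginThrottle(), "admin", "203.0.113.7", SAMPLE, "correct-horse"))
```

A hard per-account limit also lets anyone lock a legitimate user out by failing on purpose, so real deployments often pair it with delays, a CAPTCHA or a second-factor challenge instead of an outright block.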
On the user side, picking strong, random passwords and storing them in a password manager can help make sure your password never ends up in a brute-forcing list. In general, using two-factor authentication whenever possible is your best defense against these sorts of tactics, as you’ll be alerted of the login attempt. For important accounts, you should always have two-factor authentication enabled.