Use this tool to make penetration tests or any hacking CTF's more beginner-friendly. This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.
Karkinos is a light-weight 'Swiss Army Knife' for penetration testing and/or hacking CTF's. Currently, Karkinos offers the following:
- Encoding/Decoding characters
- Encrypting/Decrypting text or files
- Reverse shell handling
- Cracking and generating hashes
- Any server capable of hosting PHP
- Tested with PHP 7.4.9
- Tested with Python 3.8
Make sure it is in your path as:
Windows:python
Linux:python3
If it is not, please change the commands inincludes/pid.php. - Pip3
- Raspberry Pi Zero friendly :) (crack hashes at your own risk)
More information can be found in the Modules section.
This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.
git clone https://github.com/helich0pper/Karkinos.gitcd Karkinospip3 install -r requirements.txtcd wordlists && unzip passlist.zipYou can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.Make sure you have write privilages for db/main.db- Enable
extension=mysqliin your php.ini file.
If you don't know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics. - Thats it! Now just host it using your preferred web server or run:
php -S 127.0.0.1:8888in the Karkinos directory.
Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change thePORTvalue in:
/bin/Server/app.py Line 87/bin/Busting/app.py Line 155/bin/PortScan/app.py Line 128
git clone https://github.com/helich0pper/Karkinos.gitcd Karkinospip3 install -r requirements.txtcd wordlists && unzip passlist.zip
You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.Make sure you have write privilages for db/main.db- Enable
extension=mysqli.dllin your php.ini file.
If you don't know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics - Thats it! Now just host it using your preferred web server or run:
php -S 127.0.0.1:8888in the Karkinos directory.
Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change thePORTvalue in:
/bin/Server/app.py Line 87/bin/Busting/app.py Line 155/bin/PortScan/app.py Line 128
Open screenshots in full screen for a better view
Landing page and quick access menu.
User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.
This page allows you to encode/decode in common formats (more may be added soon)
Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.
More modules will be added.
Reverse shells can be captured and interacted with on this page.
Karkinos can generate commonly used hashes such as:
- MD5
- SHA1
- SHA256
- SHA512
Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.
Pull requests and bug reports are always appreciated.
Below are features to be added/fixed:
- Creating a Wiki page to help customize Karkinos or troubleshoot common issues
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent