PhpDev.App
helich0pper/Karkinos

helich0pper/Karkinos

Stars: 369

Forks: 86

Pull Requests: 7

Issues: 0

Watchers: 16

Last Updated: 2023-05-11 17:06:31

Penetration Testing and Hacking CTF's Swiss Army Knife with: Reverse Shell Handling - Encoding/Decoding - Encryption/Decryption - Cracking Hashes / Hashing

License: Other

Languages: CSS, JavaScript, Python, HTML, PHP, Dockerfile

Disclaimer

This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.

What is Karkinos?

Karkinos is a light-weight 'Swiss Army Knife' for penetration testing and/or hacking CTF's. Karkinos was made for a university Web Development project; feel free to add any features :)

Currently, Karkinos offers the following:

  • Encoding/Decoding characters
  • Encrypting/Decrypting text or files
  • 3 Modules
  • Cracking and generating hashes

Dependencies

  • Any server capable of hosting PHP
  • Tested with PHP 7.4.9
  • Tested with Python 3.8
    Make sure it is in your path as:
    Windows: python
    Linux: python3
    If it is not, change the commands in includes/pid.php.
  • Pip3
  • Raspberry Pi Zero friendly :) (crack hashes at your own risk)

Newest Feature

New Module

Port Scanning Demo

More information can be found in the Modules section.

Port Scanning Demo

Installing

This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.

Linux/BSD

A video going through these steps can be found here

  1. git clone https://github.com/helich0pper/Karkinos.git
  2. cd Karkinos
  3. pip3 install -r requirements.txt
  4. cd wordlists && unzip passlist.zip You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
  5. Make sure you have write privileges for db/main.db
  6. Enable extension=sqlite3 in your php.ini file. You will also need to install it using sudo apt-get install php7.0-sqlite3. Replace "7.0" with your PHP version! php --version
    Note: MySQLi is used to store statistics such as the total number of cracked hashes.
  7. Thats it! Now just host it using your preferred web server that supports multithreading eg. Apache Server or Nginx.
    Warning: Using the built in web server php -S 127.0.0.1:8888 in the Karkinos directory uses a single thread. You will only be able to use 1 module at a time! (it may stall until the task is complete)

    Important: using port 5555, 5556, or 5557 will conflict with the Modules
    If you insist on using these ports, change the PORT value in:
  • /bin/Server/app.py Line 87
  • /bin/Busting/app.py Line 155
  • /bin/PortScan/app.py Line 128

Windows

  1. git clone https://github.com/helich0pper/Karkinos.git
  2. cd Karkinos
  3. pip3 install -r requirements.txt
  4. cd wordlists && unzip passlist.zip
    You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
  5. Make sure you have write privileges for db/main.db
  6. Enable extension=php_sqlite3.dll in your php.ini file. Refer to the installation page here.
    Note: MySQLi is used to store statistics such as the total number of cracked hashes.
  7. Thats it! Now just host it using your preferred web server that supports multithreading eg. Apache Server or Nginx.
    Warning: Using the built in web server php -S 127.0.0.1:8888 in the Karkinos directory uses a single thread. You will not be able to multitask modules! (it may stall until the task is complete)

    Important: using port 5555, 5556, or 5557 will conflict with the Modules
    If you insist on using these ports, change the PORT value in:
  • /bin/Server/app.py Line 87
  • /bin/Busting/app.py Line 155
  • /bin/PortScan/app.py Line 128

Demo

Open screenshots in full screen for a better view

Home Menu

Landing page and quick access menu.

Home 1

User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.

Home 2

Encoding/Decoding

This page allows you to encode/decode in common formats (more may be added soon)

Encode and Decode

Encrypt/Decrypt

Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.

Encrypt and Decrypt

Modules

More modules will be added.
Modules

Reverse Shell Handling

Reverse shells can be captured and interacted with on this page.

Create a listener instance

Listener 1

Configure the listener

Listener 2

Start the listener and capture a shell

Listener 3

Full reverse shell handling demo:

Reverse Shell Handling Demo

Directory and File Busting

Create an instance

Bust 1

Configure it

Bust 2

Start scanning

Bust 2

Full Directory and File Busting demo:

Directory and File Busting Demo

Port Scanning

Launch the scanner

Port Scanning 1

Configure it

Port Scanning 2

Start scanning

Port Scanning 3

Full Port Scanning Demo:

Port Scanning Demo

Generating Hashes

Karkinos can generate commonly used hashes such as:

  • MD5
  • SHA1
  • SHA256
  • SHA512

    Generating Hashes

Cracking Hashes

Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.

Cracking Hashes

Future Work

Pull requests and bug reports are always appreciated.
Below are features to be added/fixed:

  • Creating a Wiki page to help customize Karkinos or troubleshoot common issues

Find me on

Twitter

Kinnnda broke...

Donate

OPEN ISSUES

See all

RELEASES

See all