
What is Karkinos?
Karkinos is a light-weight 'Swiss Army Knife' for penetration testing and/or hacking CTF's. Currently, Karkinos offers the following:
- Encoding/Decoding characters
- Encrypting/Decrypting text or files
- 3 Modules
- Cracking and generating hashes
Disclaimer
This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.
More: https://github.com/helich0pper/Karkinos
Dependencies
- Any server capable of hosting PHP; tested with Apache Server
- Tested with PHP 7.4.9
- Tested with Python 3.8
Make sure it is in your path as:
Windows:python
Linux:python3
If it is not, please change the commands inincludes/pid.php
- pip3
- Raspberry Pi Zero friendly :) (crack hashes at your own risk)
Installing
This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.
Linux/BSD
git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip
You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.Make sure you have write privileges for db/main.db
- Enable
extension=mysqli
in your php.ini file.
If you don't know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics. - Thats it! Now just host it using your preferred web server or run:
php -S 127.0.0.1:8888
in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change thePORT
value in:
-
/bin/Server/app.py Line 87
/bin/Busting/app.py Line 155
/bin/PortScan/app.py Line 128
Windows
git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip
You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.Make sure you have write privileges for db/main.db
- Enable
extension=mysqli.dll
in your php.ini file.
If you don't know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics - Thats it! Now just host it using your preferred web server or run:
php -S 127.0.0.1:8888
in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change thePORT
value in:
/bin/Server/app.py Line 87
/bin/Busting/app.py Line 155
/bin/PortScan/app.py Line 128
Home Menu
Landing page and quick access menu.
User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.
Encoding/Decoding
This page allows you to encode/decode in common formats (more may be added soon)
Encrypt/Decrypt
Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.
Reverse Shell Handling
Reverse shells can be captured and interacted with on this page.
Create a listener instance
Configure the listener
Start the listener and capture a shell
Full reverse shell handling demo:
Directory and File Busting
Create an instance
Configure it
Start scanning
Full Directory and File Busting demo:
Port Scanning
Launch the scanner
Configure it
Start scanning
Full Port Scanning Demo:
Generating Hashes
Karkinos can generate commonly used hashes such as:
- MD5
- SHA1
- SHA256
- SHA512
Cracking Hashes
Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.
Future Work
Pull requests and bug reports are always appreciated.
Below are features to be added/fixed:
- Creating a Wiki page to help customize Karkinos or troubleshoot common issues
Find me on
Author

- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Latest Articles
Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
Blog2022.10.12Vulnerability management with Wazuh open source XDR
Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky