Skip to content
Wavestone's web interface for password cracking with hashcat
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
Docker Initial commit Feb 24, 2017
cracker Fix of a previously broken commit saving the hashes in lower case for… Oct 12, 2018
.gitignore The list of hashes supported by hashcat moved to a separate file with… Mar 2, 2017 Initial commit Feb 24, 2017



A user-friendly Web interface to share an hashcat cracking box among multiple users with some pre-defined options.


  • The homepage The homepage
  • Adding an hash to crack Adding an hash to crack
  • Seeing the results and some stats Seeing the results and some stats


  • This Web application can be used to launch asynchronous password cracks with hashcat.
  • The interface tries to be as user-friendly as possible and facilitates the password cracking method choice and to automate the succession of various attack modes.
  • It also displays statistics regarding the cracked passwords and allows to export the cracked password list in CSV.
  • The application is designed to be used in a multi-user environment with a strict segregation between the cracking results of different users: the user authentication can be done through an LDAP directory or basic auth.


Wavecrack can be used to do the following:

  • Add new password hashes, choose the attack mode and the crack duration
  • View the past and current cracks for your user with statistics and graphs
  • View the overall load of the platform
  • Upload a password-protected file and extract its hash

The attack modes are followed in the order they are displayed on the hash submit form.
It is also possible to stop a crack. However, every cancelation is final.
A limit to the amount of concurrent cracks can be defined in the settings in order not to reduce the current cracks performance.


  • hashcat: follow these instructions for CPU only usage on a Kali linux host
  • flask (>=0.10.1)
  • celery (>=3.1.18)
  • SQLite (>=
  • rabbitmq-server (>= 3.4.3)
  • Rules for hashcat (examples)
  • Wordlists (examples)


  • Install the RabbitMQ server and python-ldap requirements
$ apt-get install libsasl2-dev libldap2-dev libssl-dev rabbitmq-server
$ pip install -r requirements.txt
  • Create a cracker/ configuration file from the cracker/ file and notably edit the Mandatory settings section:

    • The path of hashcat
    • The RabbitMQ connection string: by default, the guest/guest account is used. Be sure to harden your installation
    • The path of the SQLite database
    • The path of the hashcat rules
    • The path of the wordlists
    • The LDAP parameters:
      • IP address
      • port
      • LDAP database for the users
      • Base DN
  • Initialize the local database linked in the cracker/ configuration file

$ sqlite3 base.db < base_schema.sql
  • Start the RabbitMQ server
$ sudo service rabbitmq-server start
  • Start Celery from the application folder
$ celery worker -A cracker.celery

Finally, if you don't want to setup your own VM, you can use the Docker-based process described in the docker folder.

Copyright and license

All product names, logos, and brands are property of their respective owners.
All resources published in wavecrack are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See the GNU General Public License for more details.


  • Cyprien Oger < cyprien.oger at wavestone d0t com >
  • CERT-W < cert at wavestone d0t com >
You can’t perform that action at this time.