Black Hat

Researcher Unveils CrackQ, a New Password Cracking Manager

Interface/Dashboard for CrackQ Password Cracker

CrackQ Password Cracking Manager is an Interface for Hashcat Served by a REST API and a JavaScript Web App


Hashcat is billed as the world’s fastest password cracker. It uses the power of graphical processing units (GPUs) to compare guessed plaintext passwords with known password hashes at high speed — often at hundreds of billions of guesses per second — until a match is found. It has become an important tool for red teamers and pentesters analyzing the strength of customers’ passwords.

But like all such raw tools, users can benefit from additional features and improved operational management. At Black Hat Europe in London, UK, cybersecurity and managed security services provider Trustwave has announced the release of CrackQ (alpha version), available from GitHub. Developed over the last year by Trustwave principal security consultant Dan Turner, CrackQ, he says, is “an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.”

Never quite content with the cracking rigs he has used, Turner started to develop his own — initially just wanting something written in Python so that he could add additional features as required. But the project grew into CrackQ, a Hashcat password cracking manager. The ability to add additional features remains. Turner has “a multitude of useful features planned for future releases”, and also hopes the GitHub community will assist with future development.

CrackQ doesn’t use shell commands to interface with Hashcat; instead it calls the libhashcat library directly through the PyHashcat C bindings. It uses SAML2 authentication, allowing the use of MFA, and can alternatively use LDAP. But while the current version includes features not found elsewhere, other systems have options not yet available in CrackQ.

“For example,” says Turner, “it currently is not able to work as a distributed system, rather it’s a client-server setup. This is mainly because distributed cracking is not what we needed at this time, but it’s an API so this could be added quite easily in the future if I decide to go down that road.”

Turner has also created a password analysis library, called Pypal — so named as a hat-tip to the command line analysis tool Pipal developed by independent security consultant and researcher Robin Wood. It provides largely similar analyses but delivers graphical results, and will on demand generate a report from the results of a cracking job. The report will highlight insecure password choices, allowing security teams to eradicate weak passwords from among company staff. 
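The kind of analysis described above, as an added example (not Pypal's or CrackQ's code): it reduces a list of recovered plaintexts to the policy weaknesses a report would highlight. The sample list, the `analyse` function and the 10-character minimum are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample of recovered plaintexts (illustrative, not real data).
SAMPLE = ["Summer2019", "summer2019!", "Password1", "Welcome1", "Acme2019",
          "qwerty", "Tr0ub4dor&3", "London123", "Winter2018", "password"]

def char_classes(pw):
    """Return the set of character classes present in a password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def base_word(pw):
    """Strip the trailing digit/symbol suffix: 'Summer2019!' -> 'summer'."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower()

def analyse(passwords, min_length=10):
    """Summarise weak patterns; min_length is an assumed policy value."""
    bases = Counter(b for b in map(base_word, passwords) if len(b) >= 3)
    return {
        "total": len(passwords),
        "lengths": dict(Counter(len(p) for p in passwords)),
        "below_min_length": sum(len(p) < min_length for p in passwords),
        # "Capitalised word + digits" satisfies many complexity rules
        # while remaining highly predictable.
        "capital_then_digits": sum(
            bool(re.fullmatch(r"[A-Z][a-z]+\d+", p)) for p in passwords),
        "ends_with_year": sum(
            bool(re.search(r"(19|20)\d\d\W*$", p)) for p in passwords),
        "single_class": sum(len(char_classes(p)) == 1 for p in passwords),
        "top_base_words": bases.most_common(3),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Shared base words and year suffixes are the findings that usually translate into concrete policy changes, such as blocking season and company names.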


Another useful feature is integration with Hashcat Brain which is automatically engaged when it is efficient to do so. Brain checks to see if a given password has already been checked, preventing repeated retries during different cracking runs, and improving efficiency for slower algorithms. “However,” explains Turner, “the brain becomes the bottleneck when cracking at higher speeds. It has a bottleneck of around 500kH/s so CrackQ will check the speed for the selected algorithm and engage the brain when it’s effective to do so.”

CrackQ can be considered a work in progress that is already usable. “For us,” says Turner, “every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy. CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.”

Related: Password Cracking Tool Hashcat Goes Open Source 

Related: New Method Discovered for Cracking WPA2 Wi-Fi Passwords 

Related: The Enduring Password Conundrum 

Related: UK’s NCSC Suggests Automatic Blocking of Common Passwords

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
