pip install red-specter-ghoul
Hashcat and John the Ripper are powerful — but they're compiled C binaries with GPU dependencies, complex build chains, and no native integration with Python security toolkits. GHOUL is a pure Python password cracking framework designed for integration, not isolation.
Hashcat requires GPU drivers, OpenCL runtimes, and compiled binaries. John needs autoconf, make, and platform-specific compilation. GHOUL needs pip install and nothing else.
Traditional crackers produce text output that needs manual parsing. GHOUL produces structured JSON that feeds directly into REAPER for lateral movement and NEMESIS for attack chaining.
Most crackers require you to know the hash type. GHOUL identifies the hash for you — 30+ types with confidence scoring, automatic shadow/SAM/NTDS format detection.
You extract hashes with one tool and crack them with another. GHOUL imports REAPER harvest files natively — shadow, SAM, NTDS.dit — zero manual conversion.
Eight modules. Each one built from scratch in pure Python. No hashcat wrappers. No John integration. Every hash algorithm implemented natively. Every mutation engine hand-built. Every attack mode purpose-engineered. 1,408 tests. 30+ hash types. 26 mutation rules.
Hash identification engine with confidence scoring. Analyses hash length, character set, prefix, and structure. Auto-detects shadow, SAM, and NTDS.dit formats. Identifies MD5, SHA, NTLM, bcrypt, scrypt, argon2, and 20+ more.
Dictionary attack engine with wordlist loading, case mutations, and batch hashing. Ships with 1,000 built-in passwords. Supports custom wordlists of any size. Streaming mode for memory-efficient processing of massive wordlists.
Rule-based mutation engine with 26 rules including capitalise, reverse, l33t, append digits, prepend symbols, toggle case, duplicate, rotate, and strip. Rule chaining with frequency-ordered application for optimal crack rates.
Brute force engine with charset selection, mask attacks (?u?l?d?s patterns), and incremental mode. Supports custom charsets and hybrid dictionary+mask attacks. Configurable length ranges and resume capability.
Markov chain candidate generation using password frequency statistics. Probability-ordered output for highest crack rates first. Trained on leaked password datasets. Configurable chain length and threshold.
Core cracking engine with pure Python hash implementations. MD5, SHA-1, SHA-256, SHA-512, NTLM, bcrypt, scrypt, argon2 — all implemented natively. Multi-threaded with configurable worker count. Progress reporting and ETA calculation.
Rainbow table generation and lookup for fast cracking of unsalted hashes. Configurable chain length and table size. Pre-computed tables for common hash types. Reduction function optimisation for minimal collision rates.
REAPER integration module for seamless hash import. Parses REAPER harvest JSON, shadow files, SAM databases, and NTDS.dit extractions. Auto-identifies hash types from import context. Zero manual conversion required.
Import REAPER harvest, identify hashes, crack everything:
Every hash algorithm implemented natively. No hashcat. No John. No compiled binaries. No GPU dependencies. Pure Python engineering.
Feed GHOUL a hash and it identifies the type. 30+ algorithms recognised. Confidence scoring. No guesswork. No manual mode selection.
Import REAPER harvest files directly. Shadow, SAM, NTDS.dit — parsed and cracked automatically. Cracked credentials feed back for lateral movement.
Dictionary, rules, Markov, brute force, rainbow — chained automatically. Each pass builds on the last. Optimal crack rates without manual orchestration.
Every hash algorithm implemented from scratch in Python. No ctypes bindings. No compiled extensions. When GHOUL hashes a candidate, every byte operation is Python code that Red Specter wrote.
Standard mode runs dictionary attacks with the built-in wordlist and basic rules. UNLEASHED removes all limits. Full brute force ranges. All 26 mutation rules chained. Markov generation with maximum depth. Rainbow table generation at scale. Ed25519 key gate required. Two flags must be passed. This is not accidental.
| Capability | Standard | Unleashed |
|---|---|---|
| Dictionary size | 1,000 built-in | Unlimited custom wordlists |
| Mutation rules | Basic 5 rules | All 26 rules, full chaining |
| Brute force | 4 characters max | Unlimited length, full charset |
| Markov depth | Order 2, 6 chars | Order 4, unlimited length |
| Rainbow tables | Lookup only | Generate + lookup, full scale |
| Thread count | 4 workers | Unlimited, CPU-saturating |
| Hash types | Fast hashes only | All 30+ types including KDFs |
UNLEASHED mode requires an Ed25519 private key at ~/.redspecter/override_private.pem and the --override --confirm-destroy flags. Without both, GHOUL operates in standard mode — cracking weak passwords with basic attacks. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
GHOUL is not a standalone tool. It's the credential engine in a five-stage kill chain. WRAITH finds the infrastructure. REAPER exploits it and harvests the hashes. GHOUL cracks them. REAPER uses the cracked credentials for lateral movement. The chain is seamless. The integration is native.
WRAITH discovers open ports, running services, and vulnerable configurations. It maps the attack surface that REAPER will exploit. Infrastructure enumeration feeds target selection.
REAPER exploits discovered vulnerabilities and harvests credential stores. Shadow files, SAM databases, NTDS.dit extractions — every hash is captured in structured JSON format.
GHOUL imports REAPER harvest files, identifies hash types automatically, and chains dictionary, rules, Markov, and brute force attacks. Cracked credentials are output in structured format.
Cracked credentials feed back into REAPER for lateral movement. SSH, RDP, WinRM, SMB — valid credentials enable access to additional systems across the network.
NEMESIS orchestrates the full chain. Traditional infrastructure compromise through WRAITH, credential harvesting through REAPER, password cracking through GHOUL — all coordinated by the Supreme Commander.
Most password cracking tools are compiled C binaries that require GPU drivers, OpenCL runtimes, and platform-specific builds. GHOUL is actual engineering. Every hash algorithm, every mutation rule, every attack mode written from scratch in pure Python. stdlib only. No compiled extensions. No ctypes. No GPU required.
GHOUL is Tool 14 in the Red Specter offensive pipeline. It cracks the credentials that REAPER harvests, completing the credential lifecycle from discovery to lateral movement.
Pure Python password cracking with native REAPER integration. 30+ hash types. 26 mutation rules. 8 modules. Zero compiled dependencies.