Red Specter GHOUL

Pure Python Password Cracking Framework — 8 modules. 1,408 tests. 30+ hash types. Zero compiled dependencies.

v1.0.0

Contents

Overview Installation Quick Start IDENTIFY — Hash Identification DICTIONARY — Wordlist Attacks RULES — Mutation Engine BRUTE — Brute Force & Mask Attacks MARKOV — Statistical Attacks CRACK — Core Engine RAINBOW — Table Generation & Lookup REAPER_IMPORT — Harvest Integration UNLEASHED Mode CLI Reference Kill Chain Integration API Reference Disclaimer

Overview

GHOUL is a pure Python password cracking framework. Zero compiled dependencies. Every hash algorithm implemented natively using Python's hashlib, struct, and hmac modules. No hashcat. No John the Ripper. No GPU drivers. No OpenCL runtimes. Pure engineering.

Eight modules. 1,408 tests. GHOUL identifies hash types automatically, runs multi-stage attacks (dictionary, rules, Markov, brute force, rainbow), and integrates natively with REAPER for seamless hash import and credential reuse.

Pure Python Zero compiled dependencies. hashlib + struct + hmac only.

8 Modules Identify, Dictionary, Rules, Brute, Markov, Crack, Rainbow, Import.

1,408 Tests Full test coverage across every module.

30+ Hash Types MD5, SHA, NTLM, bcrypt, scrypt, argon2, crypt variants.

Installation

$ pip install red-specter-ghoul

Also available as .deb and PKGBUILD (BlackArch).

Or from source:

$ git clone <repo>
$ cd red-specter-ghoul
$ pip install -e ".[dev]"
    

Quick Start

# Identify a hash
$ ghoul identify "5f4dcc3b5aa765d61d8327deb882cf99"

# Dictionary attack
$ ghoul dictionary --hash "5f4dcc3b5aa765d61d8327deb882cf99" --type md5

# Import REAPER harvest and crack
$ ghoul import --harvest reaper_output.json --crack

# Full pipeline: dictionary + rules + markov + brute
$ ghoul crack --hash "5f4dcc3b5aa765d61d8327deb882cf99" --type md5 --full

# Benchmark hash speeds
$ ghoul benchmark

# UNLEASHED mode
$ ghoul crack --hashfile hashes.txt --full --override --confirm-destroy
    

IDENTIFY — Hash Identification

Automatic hash type identification. Analyses length, character set, prefix patterns, and structural signatures. Supports 30+ hash types with confidence scoring.

Capabilities ghoul identify <hash>

30+ hash types identified by length, charset, prefix, and structure
Confidence scoring — 0.0–1.0 per candidate type
Auto-detect formats: shadow ($6$...), SAM (LM:NTLM), NTDS.dit, htpasswd
Batch identification from file input
Returns: hash_type, confidence, algorithm, salt_detected, format

# Single hash
$ ghoul identify "$6$rounds=5000$salt$hash..."

# File of hashes
$ ghoul identify --file hashes.txt

# Shadow file
$ ghoul identify --shadow /etc/shadow
    

DICTIONARY — Wordlist Attacks

Dictionary attack engine with built-in wordlist and custom wordlist support. Streaming mode for memory-efficient processing of massive wordlists.

Capabilities ghoul dictionary

1,000 built-in passwords — most common passwords from breach datasets
Custom wordlist support — any size, streaming mode for large files
Case mutations — lowercase, uppercase, capitalise, toggle
Batch hashing — multiple hashes cracked in a single pass
Progress reporting with ETA and speed metrics

# Built-in wordlist
$ ghoul dictionary --hash "hash_value" --type ntlm

# Custom wordlist
$ ghoul dictionary --hash "hash_value" --type sha256 --wordlist rockyou.txt

# Batch mode
$ ghoul dictionary --hashfile hashes.txt --type md5
    

RULES — Mutation Engine

26 mutation rules applied to dictionary candidates. Rule chaining with frequency-ordered application optimises crack rates. Each rule generates multiple candidates per base word.

26 Rules ghoul rules

Capitalise — first letter uppercase
Uppercase / Lowercase — full case conversion
Toggle case — swap upper/lower per character
Reverse — reverse the string
L33t speak — a→4, e→3, i→1, o→0, s→5, t→7
Append digits — 0-9, 00-99, common years
Prepend symbols — !, @, #, $, %, common prefixes
Duplicate — password→passwordpassword
Rotate — shift characters left/right
Strip vowels / consonants
Rule chaining — capitalise + append digit + l33t
Frequency ordering — most effective rules first

# Apply rules to dictionary
$ ghoul rules --hash "hash_value" --type sha512crypt

# Specific rules
$ ghoul rules --hash "hash_value" --rules capitalise,leet,append_digits
    

BRUTE — Brute Force & Mask Attacks

Full brute force and mask attack engine. Charset selection, mask patterns (?u?l?d?s), incremental mode, and resume capability.

Capabilities ghoul brute / ghoul mask

Charset selection: lowercase, uppercase, digits, symbols, custom
Mask attacks: ?u (upper), ?l (lower), ?d (digit), ?s (symbol)
Incremental mode — 1 character to max length
Resume capability — save and restore progress
Hybrid mode — dictionary + mask (e.g., password?d?d?d?d)

# Mask attack: Uppercase + 3 lowercase + 4 digits
$ ghoul mask --hash "hash_value" --type ntlm --mask "?u?l?l?l?d?d?d?d"

# Incremental brute force (1-6 chars)
$ ghoul brute --hash "hash_value" --type md5 --min 1 --max 6

# Custom charset
$ ghoul brute --hash "hash_value" --charset "abcdef0123456789"
    

MARKOV — Statistical Attacks

Markov chain candidate generation using password frequency statistics. Generates candidates in probability order for highest crack rates first.

Capabilities ghoul markov

Markov chain generation from password frequency datasets
Probability-ordered output — highest probability candidates first
Configurable chain length — order 2 (standard), order 3-4 (UNLEASHED)
Configurable threshold — minimum probability cutoff
Custom training — train on domain-specific password lists

# Markov chain attack
$ ghoul markov --hash "hash_value" --type sha256

# Custom trained model
$ ghoul markov --hash "hash_value" --model custom_model.json
    

CRACK — Core Engine

Core cracking engine with pure Python hash implementations. Multi-threaded with configurable worker count. Orchestrates all attack modes in optimal sequence.

Capabilities ghoul crack

Pure Python hash implementations — MD5, SHA-1, SHA-256, SHA-512, NTLM, bcrypt, scrypt, argon2
Multi-threaded — configurable worker count (default 4, UNLEASHED unlimited)
Full pipeline mode — dictionary → rules → markov → brute force
Progress reporting — speed (H/s), progress %, ETA
Session management — save/restore cracking sessions

# Full pipeline
$ ghoul crack --hash "hash_value" --type sha512crypt --full

# Multi-hash file
$ ghoul crack --hashfile hashes.txt --type ntlm --threads 8
    

RAINBOW — Table Generation & Lookup

Rainbow table generation and lookup for fast cracking of unsalted hashes. Configurable chain length and table size.

Capabilities ghoul rainbow

Table generation for MD5, SHA-1, NTLM, LM
Configurable chain length and table size
Lookup mode — crack hashes against generated tables
Reduction function optimisation for minimal collision rates
Standard mode: lookup only. UNLEASHED: generate + lookup at scale.

# Lookup against existing tables
$ ghoul rainbow --hash "hash_value" --type md5 --table md5_tables/

# Generate tables (UNLEASHED)
$ ghoul rainbow --generate --type ntlm --output ntlm_tables/ --override --confirm-destroy
    

REAPER_IMPORT — Harvest Integration

Native REAPER integration. Import harvest JSON files, shadow files, SAM databases, and NTDS.dit extractions. Auto-identifies hash types from import context.

Capabilities ghoul import

REAPER harvest JSON — structured hash import with metadata
Shadow file parser — /etc/shadow format with user mapping
SAM database parser — Windows SAM with LM:NTLM split
NTDS.dit parser — Active Directory hash extraction
Auto hash type detection from import context
Direct crack mode — import and crack in one command

# Import REAPER harvest and crack
$ ghoul import --harvest reaper_output.json --crack

# Import shadow file
$ ghoul import --shadow shadow_dump.txt --crack --rules

# Import SAM database
$ ghoul import --sam sam_dump.txt --crack --full

# Import NTDS.dit extraction
$ ghoul import --ntds ntds_hashes.txt --crack
    

GHOUL UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Standard mode runs basic attacks with limited parameters. UNLEASHED removes all limits. Full brute force ranges. All 26 mutation rules chained. Maximum Markov depth. Rainbow table generation. Unlimited threads.

Capability	Standard	UNLEASHED
Dictionary size	1,000 built-in	Unlimited custom
Mutation rules	Basic 5	All 26, full chaining
Brute force length	4 characters	Unlimited
Markov depth	Order 2, 6 chars	Order 4, unlimited
Rainbow tables	Lookup only	Generate + lookup
Thread count	4 workers	Unlimited
Hash types	Fast hashes	All 30+ including KDFs
Key required	No	Ed25519

# UNLEASHED (full pipeline)
$ ghoul crack --hashfile hashes.txt --full --override --confirm-destroy
    

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. The key must be present at ~/.redspecter/override_private.pem. Both --override and --confirm-destroy flags are required. The gate is cryptographic. There is no bypass.

CLI Reference

Commands

Command	Description
ghoul identify <hash>	Identify hash type with confidence scoring
ghoul dictionary	Dictionary attack with built-in or custom wordlist
ghoul rules	Rule-based mutation attack
ghoul brute	Brute force with charset selection
ghoul mask	Mask attack with ?u?l?d?s patterns
ghoul markov	Markov chain statistical attack
ghoul crack	Core engine — orchestrates attack pipeline
ghoul rainbow	Rainbow table lookup and generation
ghoul import	Import REAPER harvest / shadow / SAM / NTDS
ghoul benchmark	Benchmark hash speed by type

Options

Flag	Description
--hash	Single hash value to crack
--hashfile	File containing hashes (one per line)
--type	Hash type (md5, sha256, ntlm, bcrypt, etc.)
--wordlist	Custom wordlist file
--rules	Enable rule mutations (or specify rules)
--mask	Mask pattern (?u?l?d?s)
--threads	Worker thread count
--full	Run full attack pipeline
--override	UNLEASHED dry-run
--confirm-destroy	UNLEASHED live execution
--output	Output directory for results
--session	Session name for save/restore

Kill Chain Integration

GHOUL operates as part of the Red Specter kill chain. WRAITH finds infrastructure. REAPER exploits and harvests. GHOUL cracks. REAPER uses cracked credentials for lateral movement. DOMINION leverages credentials for Active Directory compromise.

01 WRAITH Finds

→

02 REAPER Harvests

→

03 GHOUL Cracks

→

04 DOMINION Conquers

REAPER → GHOUL Harvest JSON imports natively. Shadow, SAM, NTDS.dit parsed automatically.

GHOUL → REAPER Cracked credentials feed back for SSH, RDP, SMB lateral movement.

GHOUL → DOMINION Cracked Kerberos/NTLM hashes enable DCSync and domain persistence.

NEMESIS Orchestration Supreme Commander chains all stages automatically across tools.

API Reference

GHOUL exposes a Python API for programmatic integration.

# Identify a hash
from ghoul import identify
result = identify("5f4dcc3b5aa765d61d8327deb882cf99")
# → [{"type": "md5", "confidence": 0.95}]

# Dictionary attack
from ghoul import dictionary_attack
cracked = dictionary_attack(
    hash_value="5f4dcc3b5aa765d61d8327deb882cf99",
    hash_type="md5"
)

# Import REAPER harvest
from ghoul import import_harvest
hashes = import_harvest("reaper_output.json")

# Full pipeline
from ghoul import crack
results = crack(
    hashfile="hashes.txt",
    hash_type="ntlm",
    full_pipeline=True,
    threads=8
)
    

Disclaimer

Red Specter GHOUL is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before using GHOUL against any credential stores. Password cracking activities must only be performed on systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.