RELEASE CANDIDATE · NVIDIA + AMD

NHH Crack
Server

Boot from USB. GPU drivers load. Tor hidden service starts. Your .onion address and token appear on screen. Paste into any NHH tool — distributed cracking over Tor, behind WireGuard, with zero open ports.

Rust · Axum API Ubuntu 24.04 LTS ISO NVIDIA CUDA 12 + AMD ROCm 6 Tor hidden service

Get RC Build → GitHub ↗ vs Competition ↓

nhh-crack-node — tty1

[ boot ] GPU: NVIDIA RTX 4090 CUDA ✓
[ boot ] CPU governor: performance
[ boot ] cgroup slice: crack=80% sys=20%
[ nhh ] Firewall: Tor + WireGuard only
[ nhh ] Starting Tor hidden service…
[ nhh ] WireGuard wg0 up at 10.13.0.1

╔══════════════════════════════════╗
║ NHH CRACK NODE · Adamantware OU ║
║ ║
║ .onion: a1b2c3d4e5f6.onion ║
║ Token: 9f3a2b1c8e4d… ║
║ GPU: RTX 4090 [CUDA 12] ║
║ API: 10.13.0.1:9901 [wg0] ║
║ Firewall: WireGuard only ● ║
╚══════════════════════════════════╝

Paste .onion + token into any NHH GUI tool → Crack tab

30s

BOOT TO RUNNING

80%

CPU/GPU TO CRACK

OPEN PORTS

TOOLS BUNDLED

// the problem

Setting up a crack server is a full day's work.

You need a GPU server. Install CUDA — if the version matches your driver. Install hashcat. Open a port (now your box is publicly visible). Set up an SSH tunnel. Copy wordlists. Figure out the flags. Do it again for the AMD box.

None of it integrates with your workflow. Cracked passwords don't auto-appear in your credential vault or pre-fill your pass-the-hash templates. Every tool is a separate manual step.

// the solution

One ISO. Any hardware. 30 seconds.

Same concept as ethOS or PIMP OS for GPU mining — purpose-built bootable Linux image. Pre-configured, pre-installed, pre-integrated. The OS exists to serve one purpose: give your toolkit maximum GPU power, invisibly.

80%

RESOURCES TO CRACK

OPEN PORTS

TOOLS BUNDLED

// boot sequence

From USB to cracking in under 60 seconds.

Everything happens automatically. The only user action required is plugging in the USB drive.

GRUB loads

Custom boot menu. 5-second countdown. Boots into minimal Ubuntu 24.04 LTS headless. No GUI, no desktop, no wasted RAM.

→

GPU detected

NVIDIA CUDA 12 and AMD ROCm 6 auto-loaded. CPU governor locked to performance. cgroups: 80% CPU/IO to crack slice, 20% to system.

→

Tor + WireGuard

Tor starts. Hidden service created for WireGuard TCP bridge (wstunnel). WG key auto-generated. wg0 up at 10.13.0.1. nftables blocks everything else.

→

Server starts

cracking-server binds to wg0 only. .onion address and token print to console in green. Paste into any NHH tool — you're live.

Zero-config by default

Token is auto-generated on first boot. WireGuard key auto-generated. GPU drivers auto-detected. Everything works with a blank drive — no configuration required.

Optionally drop a crack.conf on the USB's /boot/ to pre-set a token, SSH key, WG peers, or GPU power limit.

# Optional crack.conf on /boot/
CRACK_TOKEN=your-secret-token
SSH_PUBKEY=ssh-ed25519 AAAA...
WG_MESH_ENABLED=0
GPU_POWER_LIMIT=300
WORDLIST=/root/wordlists/rockyou.txt

# All optional. Works blank.

// bundled tools

7 cracking tools. Pre-installed. Pre-configured.

Every tool is callable by the server API. You don't install anything, configure paths, or manage versions.

hashcat 6.2.6

GPU-accelerated hash cracking. NTLM, NTLMv2, Kerberos AS-REP (18200) / TGS (13100), WPA2 (22000), bcrypt, SHA-512. Workload profile 4 (Nightmare) by default — every GPU compute unit maxed.

john (jumbo)

CPU cracking for formats hashcat skips: KeePass .kdbx, PDF, ZIP archives, SSH private keys, Linux shadow via unshadow. Compiled from source with AVX2. Forked across all available CPU cores.

hydra + medusa

Network brute-force for 30+ protocols: SSH, FTP, RDP, SMB, HTTP, LDAP, MSSQL, PostgreSQL, VNC. Hydra for single targets, Medusa for parallel multi-host attacks.

ffuf + wfuzz

Web fuzzing backends for the WebVuln Sidekick's API fuzzing, directory brute-force, and parameter discovery. ffuf for speed, wfuzz for cookie/header edge cases.

aircrack-ng

WPA/WPA2 handshake cracking from the WiFi Sidekick's captured .cap files. Works alongside hashcat -m 22000 PMKID — uses whichever is faster per job type.

wordlists + rules

rockyou.txt pre-installed. hashcat rules: best64, rockyou-30000, dive. SecLists subsets. Extra wordlists mountable from a USB persistence partition — no ISO rebuild needed.

// competitive analysis

Why not just use hashcat directly?

NHH Crack Server doesn't replace hashcat — it contains hashcat, and wraps it with everything that makes distributed cracking actually usable in a professional engagement.

Capability	hashcat standalone	john standalone	Hydra / Medusa	Hashtopolis distributed	L0phtCrack / Ophcrack	NHH Crack Server ✦
Zero-config boot from USB Plug in, boot, server running	—	—	—	—	—	✓
Tor hidden service — no IP exposed No visible IP, no open ports on host	—	—	—	—	—	✓
WireGuard VPN — API accessible only over VPN Must establish WireGuard to reach the API	—	—	—	—	—	✓
NVIDIA CUDA GPU acceleration	✓	✓	—	✓	Win only	✓
AMD ROCm / OpenCL acceleration	✓	✓	—	✓	—	✓
80% resource auto-allocation to cracking cgroups, performance governor, IRQ pinning, hugepages	—	—	—	Manual	—	✓ Auto
Network brute-force — SSH, FTP, RDP, SMB…	—	—	✓	—	—	✓
Exotic formats — KeePass, PDF, ZIP, SSH keys john jumbo handles what hashcat skips	—	✓	—	—	—	✓
Web fuzzing — directory, vhost, API, params	—	—	—	—	—	✓ ffuf+wfuzz
WiFi WPA2 cracking — aircrack-ng + hashcat	hash only	—	—	hash only	—	✓
GUI integration — submit jobs from pentest tools Direct API from all 8 NHH Sidekick tools	—	—	—	Web UI	Standalone	✓ All 8
Credential vault auto-push Cracked passwords appear in all NHH tools instantly	—	—	—	—	—	✓
Multiple nodes, auto load balancing	—	—	—	✓	—	✓ ∞ nodes
Open source server code	✓	✓	✓	✓	—	✓ GitHub
ISO download — write to USB, boot, go	—	—	—	—	—	✓

✦ NHH Crack Server wraps hashcat, john, hydra, medusa, ffuf, wfuzz, and aircrack-ng. All individual capabilities plus the integration layer, zero-config deployment, and Tor-first security model none of them have alone.

// vs hashtopolis / fitcrack

Same concept. Completely different posture.

Hashtopolis and Fitcrack are excellent — but they assume you're running on controlled infrastructure with a web server, a database, and agents deployed manually. For an engagement, that's hours of setup and a web UI you have to remember to tear down after.

NHH assumes you have a spare machine and 30 seconds. No database. No web UI. No public ports. No IP address exposed to anyone.

// vs l0phtcrack / ophcrack / cain & abel

Replaced, not wrapped.

L0phtCrack, Ophcrack, and Cain & Abel are Windows-only GUI tools around LM/NTLM cracking. Underlying cracking is orders of magnitude slower than GPU mask attacks (rainbow tables vs CUDA).

NHH CredDump Sidekick extracts the hashes; Crack Server runs hashcat -m 1000 (NTLM). Results auto-push to your credential vault. Cross-platform, orders of magnitude faster.

// security architecture

The machine is invisible.

No IP. No open ports. No attack surface. The only path in is through WireGuard, reachable only through Tor.

Internet
  ↓ Tor circuit (end-to-end encrypted)
Tor hidden service (.onion)
  ↓ wstunnel TCP bridge
WireGuard UDP 51820
  ↓ authenticated WG handshake
wg0 interface (10.13.0.1/24)
  ↓ VPN-only TCP connection
cracking-server :9901
  ↓ X-Crack-Token header auth
hashcat / john / hydra / …

→
nftables lockdown — drops everything inbound/outbound except the Tor process (UID-matched) and the wg0 interface.
→
Tor HS exposes only WireGuard — the API is never directly reachable through Tor. WireGuard must be established first.
→
API binds to wg0 only — WG_ONLY_MODE=1 by default. Listening address is the WireGuard interface IP, never 0.0.0.0.
→
Token authentication — every API request requires X-Crack-Token header. Auto-generated on first boot, persisted to USB.
→
Ephemeral by default — no persistence partition means no data survives a reboot. Config and wordlists mountable from a labelled USB partition.

// hardware support

Any GPU. Any machine.

NVIDIA — CUDA 12

GTX 10xx series and newer. RTX 20xx / 30xx / 40xx. Tesla and A-series datacenter GPUs. Driver 560 + CUDA 12.6 pre-installed. GPU clocks locked at max TDP.

AMD — ROCm 6 / OpenCL

RX 5000 series and newer. Radeon Pro and Instinct cards. ROCm 6.1 + OpenCL runtime. Works alongside NVIDIA in mixed-GPU builds.

CPU fallback

No GPU detected → CPU-only mode. john jumbo AVX2, hashcat CPU OpenCL. Full capability for network brute-force (hydra/medusa) and web fuzzing (ffuf/wfuzz).

Min: 4-core CPU · 8 GB RAM · 16 GB USB · network connection. Recommended: RTX 3080+ or RX 6800+ · 16 GB RAM · 32 GB USB.

// pricing

Release Candidate available now.

Feature-complete, being hardened. RC builds available to NHH license holders and early access requesters. Server binary and ISO build scripts are open source.

Crack Server — Standalone

€99

/year

Unlimited nodes. Token auth. ISO download + updates. Source on GitHub.

Request RC Access →

Bundled — All Tools

€1,299

/year

All 8 NHH Sidekick tools + Crack Server ISO + full license server access.

Get bundle →

Open Source

Free

Server binary + ISO build scripts. Build your own ISO. No ISO download or license server access.

GitHub →

NHH CrackServer