Skip to content
A benchmark suite using AWS for distributed-jwt-cracker
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This repository contains the source code used to benchmark distributed-jwt-cracker.

Current results

Secret length Attempts Time
5 26^5 = 12 mln 1m55.618s
6 26^6 = 310 mln 1h32m48.378s
7 26^7 = 8 Bln 3d18h22m10.231s
8 26^8 = 210 Bln TODO
9 26^9 = 5.5 Tln TODO

The benchmark

This benchmark will spin up a number of virtual machine on AWS in order to crack a given JWT token. This is the default setup:

  • 1 t2.medium running 1 server process
  • 4 t2.medium running 2 client processes each

Once the computation is completed the results will be logged in CloudWatch (log stream) and the machines will be automatically destroyed.

Note: the benchmark is currently hardcoded to run in eu-west-1 (Ireland region).


Build the AMI

The AMI that contains the necessary software can be built using packer by running:

packer build images/packer-ami.json

This will spin up a t2.micro instance in your AWS account, build the image, destroy the machine and finally publish the new AMI.

You will get the id of the AMI as part of the command output in case of success.


Before you can run the benchmark suite you have to create a terraform configuration file. You can start by copying the sample configuration file:

cp terraform.tfvars{~sample,}

In the newly created terraform.tfvars you can now specify the following config parameters:

  • stack_name: the name of the benchmark stack (to keep track of the allocated resource in your AWS account).
  • authorized_ssh_key: the content of the public ssh key you want to use in case you need to ssh into one of the virtual machines.
  • token: the JWT token you want to brute force
  • alphabet: the set of characters to use in to generate the strings for the brute force attack
  • ami: the AMI id generated in the previous step

Advanced configuration

You can change more advanced parameters like the type of instance or the number of client processes per instance. If you are curious to experiment with this, you can find the name of the variables in

Run the benchmark

To run the benchmark you have to run:

terraform init
terraform apply

Terraform will show you a preview of all the resources that will be allocated and give you a prompt to confirm that you are OK with it.

Once you confirm, the resources will be allocated and consequently the benchmark will start.

Monitor execution and results

Once the benchmark is started, you can read the logs in Cloudwatch in your AWS account.

You will find a new log group called JWTCracker. Inside of if there will be multiple log streams available. Every log stream represents a machine in the brute force cluster.

Clean up

When you are done, you can clean up everything by running:

terraform destroy


Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.


Licensed under MIT License. © Luciano Mammino.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.