This repository contains the source code used to benchmark distributed-jwt-cracker.
|5||26^5 = 12 mln||1m55.618s|
|6||26^6 = 310 mln||1h32m48.378s|
|7||26^7 = 8 Bln||3d18h22m10.231s|
|8||26^8 = 210 Bln||TODO|
|9||26^9 = 5.5 Tln||TODO|
This benchmark will spin up a number of virtual machine on AWS in order to crack a given JWT token. This is the default setup:
t2.mediumrunning 1 server process
t2.mediumrunning 2 client processes each
Once the computation is completed the results will be logged in CloudWatch (log stream) and the machines will be automatically destroyed.
Note: the benchmark is currently hardcoded to run in
eu-west-1 (Ireland region).
- An AWS account and a user (with full programmatic access configured in the local machine through
Build the AMI
The AMI that contains the necessary software can be built using packer by running:
packer build images/packer-ami.json
This will spin up a
t2.micro instance in your AWS account, build the image, destroy the machine and finally publish the new AMI.
You will get the id of the AMI as part of the command output in case of success.
Before you can run the benchmark suite you have to create a terraform configuration file. You can start by copying the sample configuration file:
In the newly created
terraform.tfvars you can now specify the following config parameters:
stack_name: the name of the benchmark stack (to keep track of the allocated resource in your AWS account).
authorized_ssh_key: the content of the public ssh key you want to use in case you need to ssh into one of the virtual machines.
token: the JWT token you want to brute force
alphabet: the set of characters to use in to generate the strings for the brute force attack
ami: the AMI id generated in the previous step
You can change more advanced parameters like the type of instance or the number of client processes per instance. If you are curious to experiment with this, you can find the name of the variables in
Run the benchmark
To run the benchmark you have to run:
terraform init terraform apply
Terraform will show you a preview of all the resources that will be allocated and give you a prompt to confirm that you are OK with it.
Once you confirm, the resources will be allocated and consequently the benchmark will start.
Monitor execution and results
Once the benchmark is started, you can read the logs in Cloudwatch in your AWS account.
You will find a new log group called
JWTCracker. Inside of if there will be multiple log streams available. Every log stream represents a machine in the brute force cluster.
When you are done, you can clean up everything by running:
Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.
Licensed under MIT License. © Luciano Mammino.