Simple HS256 JWT token brute force cracker with multi-thread support and minimal dependencies. It also shows a resume command on exit and has a nice progressbar.

vaverix/multithread-jwt-cracker

multithread-jwt-cracker

Simple HS256 JWT token brute force cracker with multi-thread support and minimal dependencies. It also shows a resume command on exit and has a nice progressbar.

It is a fork of the single-threaded jwt-cracker package by @lmammino; check out the original repo!

Install

With npm:

npm install --global multithread-jwt-cracker

Usage

From command line:

multithread-jwt-cracker <token> [<alphabet>] [<maxLength>] [<threads>] [<start>]

Where:

  • token: the full HS256 JWT token string to crack
  • alphabet: the alphabet to use for the brute force; pass 'default' to use the default alphabet
    (default: "etaoinsrhldcumfpgwybv0123456789kxjqz _-.ETAOINSRHLDCUMFPGWYBVKXJQZ")
  • maxLength: the maximum length of the strings generated during the brute force (default: 12)
  • threads: the number of threads to use (default: 1, max: your-cpu-max-threads)
  • start: the index from which to resume the search

Requirements

This script requires Node.js version 6.0.0 or higher.

Example

Cracking the default jwt.io example:

multithread-jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6 12

It starts cracking with 12 threads and only lowercase letters as the alphabet. It takes about 240s to crack on an i9-9900K:

   Cracking process started. (pid: XXXX)
   Token:    <eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ>
   Alphabet: <abcdefghijklmnopqrstuwxyz>
   maxLen:   <6>
   threads:  <12>

[=================   ] length 6/6 | cursor 187,210,000 | 754,879 secrets/sec | elapsed 248s Success!
Secret found! Secret: secret
Time taken (sec): 248

Pretty cool, huh?
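
For anyone choosing an HS256 signing secret, the run above shows how little time a short, low-entropy value buys. The following added example (not part of this project's code) checks whether a secret lies inside a search space defined by an alphabet and maxLength, and estimates the worst-case time to exhaust it. The function names, the constructed sample key and the use of the sample run's rate as a benchmark are assumptions.

```javascript
// Added example (not part of multithread-jwt-cracker): audit an HS256 secret
// against the brute-force search space described in this README.

// Default alphabet and maxLength as documented in the Usage section.
const DEFAULT_ALPHABET =
  'etaoinsrhldcumfpgwybv0123456789kxjqz _-.ETAOINSRHLDCUMFPGWYBVKXJQZ';
const DEFAULT_MAX_LENGTH = 12;
// Assumption: rate taken from the README's sample run (12 threads, i9-9900K).
const SAMPLE_RATE = 754879n;

// Number of candidate strings of length 1..maxLength over the alphabet.
function searchSpace(alphabet, maxLength) {
  const n = BigInt(new Set(alphabet).size);
  let total = 0n;
  let power = 1n;
  for (let len = 1; len <= maxLength; len++) {
    power *= n;
    total += power;
  }
  return total;
}

// True if the secret uses only alphabet characters and fits within maxLength.
function isCovered(secret, alphabet, maxLength) {
  const chars = new Set(alphabet);
  const symbols = Array.from(secret);
  return symbols.length >= 1 && symbols.length <= maxLength &&
    symbols.every((c) => chars.has(c));
}

// Worst-case whole seconds to exhaust the space at `rate` candidates/sec.
function worstCaseSeconds(alphabet, maxLength, rate = SAMPLE_RATE) {
  const space = searchSpace(alphabet, maxLength);
  return (space + rate - 1n) / rate; // ceiling division on BigInt
}

function auditSecret(secret, alphabet = DEFAULT_ALPHABET, maxLength = DEFAULT_MAX_LENGTH) {
  const covered = isCovered(secret, alphabet, maxLength);
  return {
    covered,
    candidates: searchSpace(alphabet, maxLength),
    worstCaseSeconds: covered ? worstCaseSeconds(alphabet, maxLength) : null,
  };
}

// The README's sample run: 25-letter alphabet, maxLength 6.
console.log(auditSecret('secret', 'abcdefghijklmnopqrstuwxyz', 6));
// Constructed sample key (not a real secret): outside the documented defaults.
console.log(auditSecret('3q2+7wTzN0c9mVh1pXkYbA8sLrQeJdU5fGiO6uZlCx4='));
```

The BigInt arithmetic needs Node.js 10.4 or newer, which is later than the version this package itself requires.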

Contributing

Everyone is very welcome to contribute to this project. You can contribute by reporting bugs or suggesting improvements in an issue on GitHub.

Future plans

  • HTTP server to preview the cracking progress
  • Min-length argument
  • Looking for a way to optimize this package even more!

License

Licensed under MIT License.
