Simple HS256 JWT token brute force cracker with multi-thread support and minimal dependencies. It also shows a resume command on exit and has a nice progressbar.
It is a fork of single-threaded jwt-cracker package by @lmammino, check out the original repo!
With npm:
npm install --global multithread-jwt-crackerFrom command line:
multithread-jwt-cracker <token> [<alphabet>] [<maxLength>] [<threads>] [<start>]Where:
- token: the full HS256 JWT token string to crack
- alphabet: the alphabet to use for the brute force, type 'default' to omit
(default: "etaoinsrhldcumfpgwybv0123456789kxjqz _-.ETAOINSRHLDCUMFPGWYBVKXJQZ") - maxLength: the max length of the string generated during the brute force (default: 12)
- threads: the number of threads to use (default: 1, max: your-cpu-max-threads)
- start: the index from where to resume the search
This script requires Node.js version 6.0.0 or higher
Cracking the default jwt.io example:
multithread-jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6 12It starts cracking with 12 threads and only lower-case letters as alphabet. It takes about 240s to crack on i9-9900K:
Cracking process started. (pid: XXXX)
Token: <eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ>
Alphabet: <abcdefghijklmnopqrstuwxyz>
maxLen: <6>
threads: <12>
[================= ] length 6/6 | cursor 187,210,000 | 754,879 secrets/sec | elapsed 248s Success!
Secret found! Secret: secret
Time taken (sec): 248
Pretty cool, huh?
Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.
- HTTP server to preview the cracking progress
- Min-length argument
- Looking for a way to optimize this package even more!
Licensed under MIT License.