lmammino / jwt-cracker

Simple HS256, HS384 & HS512 JWT token brute force cracker.
https://lmammino.github.io/jwt-cracker/
MIT License

SECRET NOT FOUND #12

Open floxcristian opened 4 years ago

floxcristian commented 4 years ago

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpYXQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12

lmammino commented 4 years ago

Hello @floxcristian! Thanks for using this tool and opening an issue :)

Are you aware of the secret for this token? Does it contain only symbols from the default alphabet?

philsmd commented 4 years ago

I just accidentally found this issue because I was troubleshooting another problem with JWT token parsing and "cracking"... and I just want to let you know that:

  1. the password for this JWT from above seems to be "casa" (without quotes)
  2. the problem is that the arguments for jwt-cracker are positional
  3. that (# 2) implies that the "4" is seen as the "alphabet" not the maxlength
  4. you would need to specify the alphabet first e.g. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 4
  5. therefore, I would really suggest/recommend to make the command line user interface a little bit more flexible and allow to use command line arguments like --maxlength 4 and --alphabet "abcdef" to avoid these mistakes

The other problem I actually experienced (and this might be totally off-topic, sorry for that) is that jwt-cracker doesn't really have any (basic) JWT "validation" code... and therefore it tries to crack even hashes that are of a different "alg" type and with an invalid signature (too short in my case, truncated)... I know it's off-topic but it would be great if you could add some basic "validation" (because it's really bad if users spend dozens of hours trying to crack a JWT, just to find out that it's corrupted/malformed/truncated or whatever). Thank you very much and I hope my debugging/explanation helps :) cheers
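
The basic validation requested in the comment above could look like the following. This is an added example, not part of the thread or of jwt-cracker's code; `validateJwt`, `b64urlDecode` and `DIGEST_BYTES` are hypothetical names. It checks the segment count, base64url decoding, the header's `alg`, and that the signature length matches the digest size for that `alg`, using the token from the first post as input.

```javascript
// Added example (hypothetical names): sanity-check a JWT before spending time on it.
// HMAC digest sizes in bytes for the algorithms jwt-cracker targets.
const DIGEST_BYTES = new Map([["HS256", 32], ["HS384", 48], ["HS512", 64]]);

// Decode unpadded base64url strictly; Buffer alone silently skips bad characters.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid base64url");
  }
  return Buffer.from(segment, "base64url");
}

// Returns { ok, alg, errors }; never touches a candidate secret.
function validateJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    return { ok: false, alg: null, errors: [`expected 3 segments, got ${parts.length}`] };
  }
  const errors = [];
  let alg = null;
  try {
    const header = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
    alg = header && typeof header.alg === "string" ? header.alg : null;
    if (!DIGEST_BYTES.has(alg)) errors.push(`unsupported alg: ${JSON.stringify(alg)}`);
  } catch (e) {
    errors.push(`header: ${e.message}`);
  }
  try {
    JSON.parse(b64urlDecode(parts[1]).toString("utf8"));
  } catch (e) {
    errors.push(`payload: ${e.message}`);
  }
  try {
    const sig = b64urlDecode(parts[2]);
    const want = DIGEST_BYTES.get(alg);
    if (want !== undefined && sig.length !== want) {
      errors.push(`signature is ${sig.length} bytes, ${alg} needs ${want}`);
    }
  } catch (e) {
    errors.push(`signature: ${e.message}`);
  }
  return { ok: errors.length === 0, alg, errors };
}

// Token from the first post in this thread, then the same token with 11 characters cut off.
const PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpYXQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4";
console.log(validateJwt(PAGE_TOKEN));
console.log(validateJwt(PAGE_TOKEN.slice(0, -11)));
```
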

lmammino commented 4 years ago

Very good point! Thanks for taking the time to report this :)

I would love a contribution to address this issue if you have some spare time.

Envincion commented 2 years ago

Specifying the command arguments advice really helped, thanks buddy, amazing tool.

jobsenn commented 7 months ago

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpYXQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12

Hello, I have just discovered that the tool won't work if the key is base64 encoded, so I would suggest you decode the key first from whatever encoding scheme they have used, then try to crack it now. Thanks.