Use password attempts from files (e.g. rockyou or top 1000)

[global4g]

Is it possible to brute-force based on a predefined password file ?

[lmammino]

Thanks for checking out this project.

No this feature is currently not supported and it's on my personal radar. Anyway, this is supposed to be a proof of concept, so the code should be simple enough to allow everybody to submit new features like the one you described.

Let me know if you are interested in implementing something like this, maybe i can give you some insight if needed.

On Nov 25, 2017 19:36, "global4g" notifications@github.com wrote:

Is it possible to brute-force based on a predefined password file ?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/lmammino/jwt-cracker/issues/4, or mute the thread https://github.com/notifications/unsubscribe-auth/AAMjPYvnejB-9sHrrXzye_tvFNDCCUQtks5s6F4qgaJpZM4Qqg-s .

[global4g]

Thanks for your quick response. yes I might be interested to give this a shot. Not much experience in node as such but familiar with crypto, hmac stuff. Will check the source code. if you have any words of advice, i would appreciate that. Thanks again!

[lmammino]

Sure, super happy to help on this.

So this is the current main logic: https://github.com/lmammino/jwt-cracker/blob/master/index.js#L54-L69

Here we basically use the variations-stream library to generate all the possible variations of strings over an alphabet.

Every variation string is pushed to the stream, so we use the on('data') event to get the current string.

If you change the source string to push the data from a file line by line, the rest of the code should remain pretty much the same. Check byline, if you need a quick win on reading a file line by line using a streamable interface.

I hope that's useful!