/go-jwt-cracker

Concurrent HS256 JWT token brute force cracker, inspired by https://github.com/lmammino/jwt-cracker

Primary LanguageGoMIT LicenseMIT

go-jwt-cracker

Concurrent HS256 JWT token brute force cracker, inspired by https://github.com/lmammino/jwt-cracker

This is realistically only effective to crack JWT with weak secrets. It also only currently works with HMAC-SHA256 signatures.

It should be slightly faster than it's inspiration, as it uses a new goroutine for each generated and compared hash. Could be made faster if it was generating secrets in more than one goroutine.

Feel free to create a pull request with an improvement or fix 😄

Usage

Usage of go-jwt-cracker:
  -alphabet string
        The alphabet to use for the brute force (default "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
  -maxlen int
        The max length of the string generated during the brute force (default 12)
  -prefix string
        A string that is always prefixed to the secret
  -suffix string
        A string that is always suffixed to the secret
  -token string
        The full HS256 jwt token to crack

Example

Cracking a token generated with jwt.io:

go-jwt-cracker -token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o" -alphabet "abcdefghijklmnopqrstuwxyz" -maxlen 6

Output

Parsed JWT:
- Algorithm: HS256
- Type: JWT
- Payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}
- Signature (hex): 5db3df6c81cc23a6ab67763ddb60618d6810cd65dc5cdaf3d2882d5617c4776a

There are 254313150 combinations to attempt
Cracking JWT secret...
Attempts: 100000
Attempts: 200000
Attempts: 300000
...
Attempts: 184500000
Attempts: 184600000
Attempts: 184700000
Found secret in 184776821 attempts: secret

Time spent

  • Intel Core i7-4790k @ 4.38GHz - around 4.5 minutes
  • Intel Xeon E3-1270 V2 @ 3.50GHz - around 15 minutes