Cracking | Scripting and security

Simple HS256 JWT token brute force cracker. Effective only to crack JWT tokens with weak secrets. Recommendation: Use strong long secrets or RS256 tokens. Install With npm:

npm install --global jwt-cracker

1	npm install --global jwt-cracker

Usage From command line:

jwt-cracker <token> [<alphabet>] [<maxLength>]

1	jwt-cracker <token> [<alphabet>] [<maxLength>]

Where: token: the full HS256 JWT token string to crack alphabet: the alphabet to use for the brute force (default: “abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789”) maxLength: the max length of the string generated during the brute force (default: 12) Requirements This script requires Node.js version 6.0.0 or higher Example Cracking the default jwt.io example:

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

1	jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7). Contributing Everyone is very […]

PHP Security

THC-Hydra 8.6

26/07/201715/04/2018

Hydra is born more than 10 years ago, this page is used as a recap of the functionalities it provides, but also the differences in feature sets, services coverage and code between the most popular network authentication cracker tools available. Each feature is compared against Hydra as of the current version. This table is updated as new features are added to the project. If you find any inaccuracies on this page please do not hesitate to contact us. [0x00] News and Changelog Check out the feature sets and services coverage page – including a speed comparison against ncrack and medusa (yes, we […]

Security Web

THC-Hydra

11/03/201515/04/2018

Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion. Currently this tool supports: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, […]