Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SECRET NOT FOUND #12

Open
floxcristian opened this issue Jun 22, 2020 · 5 comments
Open

SECRET NOT FOUND #12

floxcristian opened this issue Jun 22, 2020 · 5 comments

Comments

@floxcristian
Copy link

floxcristian commented Jun 22, 2020
edited
Loading

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpY 
XQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12
@lmammino
Copy link
Owner

Hello @floxcristian! thanks for using this tool and opening an issue :)

Are you aware of the secret for this token? Does it contain only symbols from the default alphabet?

@philsmd
Copy link

philsmd commented Jun 27, 2020

I just accidentally found this issue because I was troubleshooting another problem with JWT token parsing and "cracking"... and I just want to let you know that:

  1. the password for this JWT from above seems to be "casa" (without quotes)
  2. the problem is that the arguments for jwt-cracker are positional
  3. that (# 2) implies that the "4" is seen as the "alphabet" not the maxlength
  4. you would need to specify the alphabet first e.g. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 4
  5. therefore, I would really suggest/recommend to make the command line user interface a little bit more flexible and allow to use command line arguments like --maxlength 4 and --alphabet "abcdef" to avoid these mistakes

The other problem I actually experienced (and this might be totally off-topic, sorry for that) is that jwt-cracker doesn't really have any (basic) JWT "validation" code... and therefore it tries to crack even hashes that are of a different "alg" type and with an invalid signature (too short in my case, truncated)... I know it's off-topic but would be great if you could add some basic "validation" (because it's really bad if users spent dozens of hours trying to crack a JWT, just to find out that it's corrupted/malformed/truncated or whatever).
Thank you very much and I hope my debugging/explanation helps :)
cheers

@lmammino
Copy link
Owner

Very good point! Thanks for taking the time to report this :)

I would love a contribution to address this issue if you have some spare time.

@Envincion
Copy link

specifying the command arguments advice really helped ,thanks buddy amazing tool

@jobsenn
Copy link

jobsenn commented Apr 30, 2024

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpY 
XQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12

hello , i have just discovered that the tool wont work of the key is base64 encoded. so i would suggest you to decode the key first from whatever encoding scheme they have used then try to crack it now ..thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@lmammino @philsmd @floxcristian @Envincion @jobsenn