SECRET NOT FOUND

Question

SECRET NOT FOUND

floxcristian opened this issue 4 years ago · comments

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpY 
XQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12

Luciano Mammino · Answer 1 · Tue Jun 23 2020 23:45:07 GMT+0800 (China Standard Time)

Hello @floxcristian! thanks for using this tool and opening an issue :)

Are you aware of the secret for this token? Does it contain only symbols from the default alphabet?

philsmd · Answer 2 · Sat Jun 27 2020 18:13:38 GMT+0800 (China Standard Time)

I just accidentally found this issue because I was troubleshooting another problem with JWT token parsing and "cracking"... and I just want to let you know that:

the password for this JWT from above seems to be "casa" (without quotes)
the problem is that the arguments for jwt-cracker are positional
that (# 2) implies that the "4" is seen as the "alphabet" not the maxlength
you would need to specify the alphabet first e.g. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 4
therefore, I would really suggest/recommend to make the command line user interface a little bit more flexible and allow to use command line arguments like --maxlength 4 and --alphabet "abcdef" to avoid these mistakes

The other problem I actually experienced (and this might be totally off-topic, sorry for that) is that jwt-cracker doesn't really have any (basic) JWT "validation" code... and therefore it tries to crack even hashes that are of a different "alg" type and with an invalid signature (too short in my case, truncated)... I know it's off-topic but would be great if you could add some basic "validation" (because it's really bad if users spent dozens of hours trying to crack a JWT, just to find out that it's corrupted/malformed/truncated or whatever).
Thank you very much and I hope my debugging/explanation helps :)
cheers

Luciano Mammino · Answer 3 · Sat Jun 27 2020 18:28:04 GMT+0800 (China Standard Time)

Very good point! Thanks for taking the time to report this :)

I would love a contribution to address this issue if you have some spare time.

Envincion · Answer 4 · Wed Mar 02 2022 10:12:16 GMT+0800 (China Standard Time)

specifying the command arguments advice really helped ,thanks buddy amazing tool

Rozana job · Answer 5 · Tue Apr 30 2024 13:13:16 GMT+0800 (China Standard Time)

I don't know why it doesn't work.

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJma2ZmIiwiZW1haWwiOiJjZGNkQGRzZnMuY29tIiwibmFtZSI6ImZsZGZrZHNrZmQiLCJpY 
XQiOjE1OTI4MDE5MTZ9.Cvzj0tVtVGc60xvqLdyasYf6gF8QLi8HQCKlxw9nBk4" 4

SECRET NOT FOUND
Time taken (sec): 0.01
Attempts: 12

hello , i have just discovered that the tool wont work of the key is base64 encoded. so i would suggest you to decode the key first from whatever encoding scheme they have used then try to crack it now ..thanks