Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support of HS384 & HS512, password list and improved display #34

Merged
merged 8 commits into from
Nov 3, 2023
Merged

Add support of HS384 & HS512, password list and improved display #34

merged 8 commits into from
Nov 3, 2023

Conversation

flibustier
Copy link
Contributor

@flibustier flibustier commented Nov 1, 2023

  • Added support for HS384 & HS512 algorithm
  • Added option for using a simple list of password instead of brute force (option’s called "dictionary" but don’t hesitate to ask me for a better naming :)
  • Add speed and last attempt during execution : Attempts: 100000 (483K/s last attempt was 'nascar08')
  • Fix the non purged chunk when stream is ending
  • Fix the checkFinished function to proper close when every child processes are finished
  • Use terminal width for -help with yargs
  • Some small refactors

Don’t hesitate to ask for changes, I will do it as fast as possible ! 🚀

It should resolve this issue : #4

Thanks for this awesome project, it helped me a lot!!

* **alphabet**: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
* **maxLength**: the max length of the string generated during the brute force (default: 12)

* **dictionaryFilePath**: path to a list of passwords (one per line) to use instead of brute force
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we specify that it’s optional ?


## Requirements

This script requires Node.js version 6.0.0 or higher
This script requires Node.js version 16.0.0 or higher
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflecting the engine key in package.json ("node": ">=16.0.0")

@@ -7,7 +7,7 @@ export default class Constants {
return 12
}

static get MAX_CHUNK_SIZE () {
static get CHUNK_SIZE () {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have renamed it since it’s not used (no reference to this constant found)


const args = new ArgsParser()
const __dirname = fileURLToPath(new URL('.', import.meta.url))
const numberFormatter = Intl.NumberFormat('en', { notation: 'compact' }).format
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the magic used for displaying speed like 875K/s, 1M/s, 1.1M/s

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice trick! :) i was not aware you could simply use Intl!

process.on('message', function ({ chunk, content, signature }) {

process.on('message', function ({ chunk, content, signature, algorithm }) {
const generateSignature = signatureGenerator(algorithm, content)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function generator (currying) improve speed as we won’t pass each time algorithm and content during the loop (only the changing part)

Comment on lines +2 to +6
static SUPPORTED_ALGORITHM = [
'HS256',
'HS384',
'HS512'
]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can also put it in constants.js if you wish

Copy link
Owner

@lmammino lmammino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! It looks really good to me!

Can you please review that .conflicts option?

Happy to merge and release a new version after that

type: 'string',
describe: 'Password file to use instead of the brute force',
default: null
})
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could also add a

.conflicts('d', 'a')

To basically error if a user is specifying both the alphabet and the dictionary (which I believe should be mutually exclusive)

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be tested btw, i have only looked at the tdoc and discovered that this is supported in some version of Yargs!


const args = new ArgsParser()
const __dirname = fileURLToPath(new URL('.', import.meta.url))
const numberFormatter = Intl.NumberFormat('en', { notation: 'compact' }).format
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice trick! :) i was not aware you could simply use Intl!

@flibustier
Copy link
Contributor Author

flibustier commented Nov 2, 2023

Thank you very much for your approval!!

I’ve looked into the conflicts option, but it acts weird:

  • If you don’t use the -d option, you can launch the command with or without -a, it will work;
  • If you use the -d option, it throws the Arguments d and a are mutually exclusive because a has a default option set, so it will be considered set even if user don’t explicitly set it! (Making d useless…)

So I see two possible options :

  • Don’t use default value for -a with yargs but defining it in the getter (see my last commit, it’s the solution I have pushed to show you)
  • Keep default in yargs, but give up on conflicts feature…

By the way, during testing I found the .wrap(yargs.terminalWidth) which make adapt the width to the terminal avoiding cropping the options, feel free to tell me if you prefer the default 80 col width

@lmammino
Copy link
Owner

lmammino commented Nov 2, 2023

  • If you don’t use the -d option, you can launch the command with or without -a, it will work;
  • If you use the -d option, it throws the Arguments d and a are mutually exclusive because a has a default option set, so it will be considered set even if user don’t explicitly set it! (Making d useless…)

Thinking about this, it actually makes sense. Thanks for testing this thoroughly!

So I see two possible options :

  • Don’t use default value for -a with yargs but defining it in the getter (see my last commit, it’s the solution I have pushed to show you)
  • Keep default in yargs, but give up on conflicts feature…

I prefer the second approach for now... it feels more intuitive to me. What do you think?

If I understand your implementation correctly, we just need to make it very clear that by default it's an alphabet brute force, but if you specify a dictionary that takes precedence it becomes a dictionary brute force.

By the way, during testing I found the .wrap(yargs.terminalWidth) which make adapt the width to the terminal avoiding cropping the options, feel free to tell me if you prefer the default 80 col width

No strong preference here. what's a good value that doesn't crop the options? Can you share some screenshots?

Also this is something we could review and discuss in a dedicated PR, if you don't want to have this one blocked ;)

@flibustier
Copy link
Contributor Author

flibustier commented Nov 2, 2023

I prefer the second approach for now... it feels more intuitive to me. What do you think?

Yes sure, indeed it will feel more intuitive, and default values will still be printed in the -help (commit reverted)

If I understand your implementation correctly, we just need to make it very clear that by default it's an alphabet brute force, but if you specify a dictionary that takes precedence it becomes a dictionary brute force.

Exactly! Don’t hesitate to change some wording to reflect that :)

No strong preference here. what's a good value that doesn't crop the options? Can you share some screenshots?
Also this is something we could review and discuss in a dedicated PR, if you don't want to have this one blocked ;)

Yes, right! I’ve reverted the last commit, so it should be as it was before (80 col width, no conflicts option), but in the meantime some screenshots of the width difference:

Actual:
Capture d’écran 2023-11-02 à 23 29 10

Using responsive width (if you shrink your terminal, it shrinks with it):
Capture d’écran 2023-11-02 à 23 36 47

@lmammino
Copy link
Owner

lmammino commented Nov 3, 2023

I honestly like the responsive one... should we include it in this PR?

@flibustier
Copy link
Contributor Author

I honestly like the responsive one... should we include it in this PR?

Agreed!! It’s pushed :)

@lmammino
Copy link
Owner

lmammino commented Nov 3, 2023

Legend!

Once the tests are completed, I'll merge and cut a new release!

Thanks a lot for your awesome contribution

PS: did you know that I also have a distributed version of this project? 😇

@lmammino lmammino merged commit 604af56 into lmammino:master Nov 3, 2023
2 checks passed
@flibustier
Copy link
Contributor Author

flibustier commented Nov 3, 2023

Awesome!! 🔥

I saw it very recently when looking the issues, It’s awesome to have this server/client distributed version, I was impressed!! Some contributions you would suggest? 😇

I was also thinking of porting the cracker to the web (converting node imports to web crypto API) making it running on browser with no installation. I would love to hear your thought on that!

@lmammino
Copy link
Owner

lmammino commented Nov 3, 2023

The web idea sounds pretty cool! I'd love to see it :)

Regarding contribs to the distributed version, the dictionary feature might be very cool to have there too!

@flibustier
Copy link
Contributor Author

flibustier commented Oct 3, 2024

Almost a year later ⏲️ I finally deployed a web version running in the browser (brute-force is done only on client side), features are very limited for now (the dictionary works the best) but it can help when you want to quickly check a token without installing Node.JS :)
If you’re curious to see it : https://github.com/flibustier/jwt-online-cracker
It’s currently deployed here : https://jwt-cracker.online
Thanks for your support :)

@lmammino
Copy link
Owner

lmammino commented Oct 6, 2024

Almost a year later ⏲️ I finally deployed a web version running in the browser (brute-force is done only on client side), features are very limited for now (the dictionary works the best) but it can help when you want to quickly check a token without installing Node.JS :) If you’re curious to see it : https://github.com/flibustier/jwt-online-cracker It’s currently deployed here : https://jwt-cracker.online Thanks for your support :)

That's amazing! I love the design :)

Thanks for sharing this. I will certainly repost it on my socials.

BTW I am not able to change the dictionary (looks like I can't click anything other than the default option). Is that intended or a bug?

@flibustier
Copy link
Contributor Author

flibustier commented Oct 7, 2024

Thank you very much !! That would be awesome !!

If you’re talking about using your own dictionary, I haven’t implemented this feature (custom dictionary) yet as I was thinking about uploading file and the design of the input, but that would be the next feature on the list :)
But if you’re talking about just switching the dictionary in the list (like from scraped-JWT-secrets.txt to seasons.txt), it’s a bug I haven’t reproduced yet, did you try clicking or using arrow key to change?
If the confirm button has been clicked on step 3 and the Start Brute-force button is here (step 4), you must use the Cancel button first to change the dictionary (but as I wrote it, I think it’s not user friendly and will certainly change that in the future :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants