Add support of HS384 & HS512, password list and improved display

[flibustier]

• Added support for HS384 & HS512 algorithm
• Added option for using a simple list of password instead of brute force (option’s called "dictionary" but don’t hesitate to ask me for a better naming :)
• Add speed and last attempt during execution : Attempts: 100000 (483K/s last attempt was 'nascar08')
• Fix the non purged chunk when stream is ending
• Fix the checkFinished function to proper close when every child processes are finished
• Use terminal width for -help with yargs
• Some small refactors

Don’t hesitate to ask for changes, I will do it as fast as possible ! 🚀

It should resolve this issue : #4

Thanks for this awesome project, it helped me a lot!!

[flibustier]

Should we specify that it’s optional ?

[flibustier]

Reflecting the engine key in package.json ("node": ">=16.0.0")

[flibustier]

I have renamed it since it’s not used (no reference to this constant found)

[flibustier]

This is the magic used for displaying speed like 875K/s, 1M/s, 1.1M/s

[lmammino]

Nice trick! :) i was not aware you could simply use Intl!

[flibustier]

This function generator (currying) improve speed as we won’t pass each time algorithm and content during the loop (only the changing part)

[flibustier]

We can also put it in constants.js if you wish

[lmammino]

Great work! It looks really good to me!

Can you please review that .conflicts option?

Happy to merge and release a new version after that

[lmammino]

we could also add a

.conflicts('d', 'a')

To basically error if a user is specifying both the alphabet and the dictionary (which I believe should be mutually exclusive)

[lmammino]

to be tested btw, i have only looked at the tdoc and discovered that this is supported in some version of Yargs!

[lmammino]

Nice trick! :) i was not aware you could simply use Intl!

[flibustier]

Thank you very much for your approval!!

I’ve looked into the conflicts option, but it acts weird:

• If you don’t use the -d option, you can launch the command with or without -a, it will work;
• If you use the -d option, it throws the Arguments d and a are mutually exclusive because a has a default option set, so it will be considered set even if user don’t explicitly set it! (Making d useless…)

So I see two possible options :

• Don’t use default value for -a with yargs but defining it in the getter (see my last commit, it’s the solution I have pushed to show you)
• Keep default in yargs, but give up on conflicts feature…

By the way, during testing I found the .wrap(yargs.terminalWidth) which make adapt the width to the terminal avoiding cropping the options, feel free to tell me if you prefer the default 80 col width

[lmammino]

• If you don’t use the -d option, you can launch the command with or without -a, it will work;
• If you use the -d option, it throws the Arguments d and a are mutually exclusive because a has a default option set, so it will be considered set even if user don’t explicitly set it! (Making d useless…)

Thinking about this, it actually makes sense. Thanks for testing this thoroughly!

So I see two possible options :

• Don’t use default value for -a with yargs but defining it in the getter (see my last commit, it’s the solution I have pushed to show you)
• Keep default in yargs, but give up on conflicts feature…

I prefer the second approach for now... it feels more intuitive to me. What do you think?

If I understand your implementation correctly, we just need to make it very clear that by default it's an alphabet brute force, but if you specify a dictionary that takes precedence it becomes a dictionary brute force.

By the way, during testing I found the .wrap(yargs.terminalWidth) which make adapt the width to the terminal avoiding cropping the options, feel free to tell me if you prefer the default 80 col width

No strong preference here. what's a good value that doesn't crop the options? Can you share some screenshots?

Also this is something we could review and discuss in a dedicated PR, if you don't want to have this one blocked ;)

[flibustier]

I prefer the second approach for now... it feels more intuitive to me. What do you think?

Yes sure, indeed it will feel more intuitive, and default values will still be printed in the -help (commit reverted)

If I understand your implementation correctly, we just need to make it very clear that by default it's an alphabet brute force, but if you specify a dictionary that takes precedence it becomes a dictionary brute force.

Exactly! Don’t hesitate to change some wording to reflect that :)

No strong preference here. what's a good value that doesn't crop the options? Can you share some screenshots?
Also this is something we could review and discuss in a dedicated PR, if you don't want to have this one blocked ;)

Yes, right! I’ve reverted the last commit, so it should be as it was before (80 col width, no conflicts option), but in the meantime some screenshots of the width difference:

Actual:

Using responsive width (if you shrink your terminal, it shrinks with it):

[lmammino]

I honestly like the responsive one... should we include it in this PR?

[flibustier]

I honestly like the responsive one... should we include it in this PR?

Agreed!! It’s pushed :)

[lmammino]

Legend!

Once the tests are completed, I'll merge and cut a new release!

Thanks a lot for your awesome contribution

PS: did you know that I also have a distributed version of this project? 😇

[flibustier]

Awesome!! 🔥

I saw it very recently when looking the issues, It’s awesome to have this server/client distributed version, I was impressed!! Some contributions you would suggest? 😇

I was also thinking of porting the cracker to the web (converting node imports to web crypto API) making it running on browser with no installation. I would love to hear your thought on that!

[lmammino]

The web idea sounds pretty cool! I'd love to see it :)

Regarding contribs to the distributed version, the dictionary feature might be very cool to have there too!

[flibustier]

Almost a year later ⏲️ I finally deployed a web version running in the browser (brute-force is done only on client side), features are very limited for now (the dictionary works the best) but it can help when you want to quickly check a token without installing Node.JS :)
If you’re curious to see it : https://github.com/flibustier/jwt-online-cracker
It’s currently deployed here : https://jwt-cracker.online
Thanks for your support :)

[lmammino]

Almost a year later ⏲️ I finally deployed a web version running in the browser (brute-force is done only on client side), features are very limited for now (the dictionary works the best) but it can help when you want to quickly check a token without installing Node.JS :) If you’re curious to see it : https://github.com/flibustier/jwt-online-cracker It’s currently deployed here : https://jwt-cracker.online Thanks for your support :)

That's amazing! I love the design :)

Thanks for sharing this. I will certainly repost it on my socials.

BTW I am not able to change the dictionary (looks like I can't click anything other than the default option). Is that intended or a bug?

[flibustier]

Thank you very much !! That would be awesome !!

If you’re talking about using your own dictionary, I haven’t implemented this feature (custom dictionary) yet as I was thinking about uploading file and the design of the input, but that would be the next feature on the list :)
But if you’re talking about just switching the dictionary in the list (like from scraped-JWT-secrets.txt to seasons.txt), it’s a bug I haven’t reproduced yet, did you try clicking or using arrow key to change?
If the confirm button has been clicked on step 3 and the Start Brute-force button is here (step 4), you must use the Cancel button first to change the dictionary (but as I wrote it, I think it’s not user friendly and will certainly change that in the future :)