Note that this README is updated for the latest snapshot version. If you want to use the last release, please visit this page
Android Keystore Recovery
This project aims to solve the "password forgotten" problem for (Android) developers who happen to manage java keystore(s).
This bruteforce tool is very simple, yet efficient. It will try all password combinations matching
[A-Za-z0-9]+ by default, from the shortest password, up to the solution.
- Download the project jar
- Launch the bruteforce:
java -jar android-keystore-recovery-1.4.0-bundle.jar <keystore> [opts]
These are the available options for AKR:
-l <length> | --min-length <length>start at given length
-f <password> | --from <password>start at given password (in dictionary attack this is a start line number)
-t <password> | --to <password>stop at given password (in dictionary attack this is a end line number)
-pps <number> | --passwords-per-second <number>Will try the given number of passwords per second (Since 1.1)
-w <path> | --wordlist <path>path to wordlist file (example: /../../wordlist.txt)
You can use
--to to parallelize the brute force on several computers.
Note: If you want to resume a stopped brute force, I suggest that you take the second last tried password that was stored in
$HOME/AndroidKeystoreRecovery.log. Indeed, as actor computation is asynchronous, there is no guarantee that every password before the last one were really tried by the software.
### Character set options — since 1.1
-lo | --letters-onlyuse letters only
-no | --numbers-onlyuse numbers only
-uc | --upper-casediscards lower-case letters
-lc | --lower-casediscards upper-case letters
-ec <chars> | --extra-characters <chars>add specified characters in combinations
Time needed to retrieve password
Bruteforce algorithms are not optimized at all, AKR is faster than other bruteforce tools but it will still try all password possibilities.
In our case, we try all the characters like so:
A, B, ..., Z, a, b, ..., z, 0, ..., 9. This is 62 possibilites for one character of the password.
Depending on your hardware, AKR will try more or less passwords per second, this is a sample calculation with my own computer:
- AKR velocity: v = 120 000 passwords/seconds - Number of combinations for a password of length n: 62^n - Number of combinations for a 6 characters password: 56 800 235 584 - Time needed to try all these combinations: 56 800 235 584 / v = 5.5 days! - Time needed for 7 character passwords: 5.5 * 62 = 339 days!
As you can see, brute force with a single computer can take a very long time...
You can use the
-f (--from) and
-t (--to) options to run AKR on different computers, to parallelize computation and try to shorten the discovery of the password.
This software runs on the Java Virtual Machine (JVM), so you need to have a Java Runtime Environnement (JRE) installed on your computer. If you don't have one, get it at http://java.com.
To benefit from multi-core computers, this software uses the awesome Akka actor library.
- Pull Requests: I accept every meaningful pull request that you might offer. Please add description and comments in the code :)
- Issues: You can create issues, however, I don't know when I'll have time to fix them (will do my best!)
Copyright Romain Sertelon 2013
This software is licenced under the GNU Public Licence v3 (GPLv3), you can find it in the