jwt-cracker

Simple HS256 JWT token brute force cracker

View the Project on GitHub lmammino/jwt-cracker

npm npm Rawsec's CyberSecurity Inventory GitHub stars GitHub license

jwt-cracker

Simple HS256, HS384 & HS512 JWT token brute force cracker.

Effective only to crack JWT tokens with weak secrets. Recommendation: Use strong long secrets or RS256 tokens.

Install

With npm:

npm install --global jwt-cracker

Usage

From command line:

jwt-cracker -t <token> [-a <alphabet>] [--max <maxLength>] [-d <dictionaryFilePath>] [-f]

Where:

Requirements

This script requires Node.js version 16.0.0 or higher

Example

Cracking the default jwt.io example:

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -a abcdefghijklmnopqrstuwxyz --max 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).

Or using a list of passwords taken from https://github.com/danielmiessler/SecLists

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -d darkweb2017-top10000.txt

It takes less than a second.

Contributing

Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.

License

Licensed under MIT License. © Luciano Mammino.