{"id":25970788,"url":"https://github.com/0xnoid/jwt-crackng","last_synced_at":"2026-06-10T14:31:40.029Z","repository":{"id":279223561,"uuid":"938004788","full_name":"0xnoid/jwt-crackng","owner":"0xnoid","description":"JSON Web Token Bruteforcing tool written in Rust","archived":false,"fork":false,"pushed_at":"2025-09-22T10:06:46.000Z","size":39,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-22T12:06:38.324Z","etag":null,"topics":["api","api-pentest","brute-force-tool","bruteforce","cybersecurity-tools","jsonwebtoken","jwt","jwt-authentication","penetration-testing","pentesting","rust","security-audit","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xnoid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-02-24T09:15:12.000Z","updated_at":"2025-09-22T10:06:49.000Z","dependencies_parsed_at":"2025-02-24T13:34:33.744Z","dependency_job_id":"4cfa09e0-bb39-4bad-a8a2-2db38750eaa4","html_url":"https://github.com/0xnoid/jwt-crackng","commit_stats":null,"previous_names":["0xnoid/jwt-crackng"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/0xnoid/jwt-crackng","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2Fjwt-crackng","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2Fjwt-crackng/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2Fjwt-crackng/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2Fjwt-crackng/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xnoid","download_url":"https://codeload.github.com/0xnoid/jwt-crackng/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2Fjwt-crackng/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34157453,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-pentest","brute-force-tool","bruteforce","cybersecurity-tools","jsonwebtoken","jwt","jwt-authentication","penetration-testing","pentesting","rust","security-audit","security-tools"],"created_at":"2025-03-04T23:19:50.224Z","updated_at":"2026-06-10T14:31:40.007Z","avatar_url":"https://github.com/0xnoid.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# jwt-crackng\nEasy to use brute force cracker for JSON Web Tokens (JWT). Supports `HS256`, `HS384` \u0026 `HS512`.\n\n\u003csub\u003ePlease note before using this software; This may be ineffective against Secrets with stronger protection.\u003c/sub\u003e\n\n### Inspiration\nThis project is inspired by/baeed on the pretty well established [jwt-cracker](https://github.com/lmammino/jwt-cracker) by [lmammino](https://github.com/lmammino) made using NodeJS, be sure to check it out.\n\n#### What makes this one different?\nSimply put: Rust. While we love NodeJS and the tool by lmammino, the performance leaves room for improvement, among other issues such as minimum-length. With Rust we get to fully utilize CPU, or GPU, to perform the task. There are also other improvements, so be sure to check the [features](#features)\n\n# Features\n- Wordlists\n- Minimum and maximum length\n- Built in Alphabet attack\n- Load Management\n- Output to file\n- Input files (multiple JWTs)\n- Install as a CLI tool (via alias and Bash handler)\n- Autodetects signature, put full JWT or just the end\n- Automatic updates (can be toggled)\n- Container versions\n\n# Installation\nThe easiest way to install this is to run the script:\n```bash\ncurl -sSL https://github.com/0xnoid/jwt-crackng/releases/download/v0.2.0/install.sh | bash\n```\n\u003csub\u003eScript Info: Uses cURL to download the precompiled release, makes it executable \u0026 adds it to your PATH\u003c/sub\u003e\n\n### Without Script:\n```bash\nwget https://github.com/0xnoid/jwt-crackng/releases/download/v0.2.0/jwt-crackng \u0026\u0026 \\\nchmod +x jwt-crackng \u0026\u0026 \\\n./jwt-crackng --help\n```\n\n### Compile Yourself\n```bash\ngit clone https://github.com/0xnoid/jwt-crackng \u0026\u0026 cd jwt-crackng \\\ncargo build --release\n```\n\n# Usage\n```bash\nUsage: jwt-crackng [OPTIONS] --token \u003cTOKEN\u003e\n\nOptions:\n -t, --token \u003cTOKEN\u003e \n -o, --output \u003cOUTPUT\u003e \n -n, --min-length \u003cMIN_LENGTH\u003e [default: 1]\n -m, --max-length \u003cMAX_LENGTH\u003e [default: 12]\n -u, --use-alphabet \u003cALPHABET\u003e [default: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]\n -l, --logfile \u003cLOG_FILE\u003e \n -g, --all-guesses \u003cALL_TRIED_FILE\u003e \n -a, --algorithm \u003cALGORITHM\u003e [default: HS256] [possible values: HS256, HS384, HS512, HMACSHA256, HMACSHA384, HMACSHA512]\n -b, --base64 \n -v, --verbose \n --gpu \n --gpu-limit \u003cGPU_LIMIT\u003e \n --cpu \u003cCPU\u003e \n --ram \u003cRAM\u003e \n --cores \u003cCORES\u003e \n --limit \u003cLIMIT\u003e \n --dictionary \u003cDICTIONARY\u003e... \n -h, --help Print help\n```\n\nExample (Default): \n```bash\njwt-crackng -t eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4iLCJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkphdmFJblVzZSIsImV4cCI6MTczMzg3NDg2OSwiaWF0IjoxNzMzODc0ODY5fQ.CzXLrvPyf4IpZqUvQbU6xU507vevT8MKlqGhV5cUEu4\n```\n\n\nExample (Dictionary):\n```bash\njwt-crackng -t eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4iLCJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkphdmFJblVzZSIsImV4cCI6MTczMzg3NDg2OSwiaWF0IjoxNzMzODc0ODY5fQ.CzXLrvPyf4IpZqUvQbU6xU507vevT8MKlqGhV5cUEu4 -d pMerged.txt\n```\n\n# Other \u0026 Recommendations\nThis is a proof of concept tool that does not guarantee anything.\n\n\n### Wordlist\nWe strongly recommend creating a wordlist for your situation. However, this is not always possible.\\\nThe tool itself comes integrated with alphabet bruteforcing mode, however the success depends on the weakness of the key. The weaker the key is the easier it is to break.\n\nThe more you know about the backend and key or it's way of generating the higher your possibility of success will be.\n\n### Time\nIf you have the resources and patience to run this program, feel free to. We do NOT recommend running this program against Tokens where you have zero knowledge, nor do we recommend running this program on hardware not suitable.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xnoid%2Fjwt-crackng","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xnoid%2Fjwt-crackng","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xnoid%2Fjwt-crackng/lists"}