{"id":13540210,"url":"https://github.com/brendan-rius/c-jwt-cracker","last_synced_at":"2025-05-15T11:05:58.431Z","repository":{"id":44331514,"uuid":"79501355","full_name":"brendan-rius/c-jwt-cracker","owner":"brendan-rius","description":"JWT brute force cracker written in C","archived":false,"fork":false,"pushed_at":"2023-06-02T20:46:11.000Z","size":26,"stargazers_count":2449,"open_issues_count":15,"forks_count":266,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-04-14T18:10:00.195Z","etag":null,"topics":["brute-force","cracker","jwt-authentication","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brendan-rius.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-01-19T22:23:08.000Z","updated_at":"2025-04-12T18:58:14.000Z","dependencies_parsed_at":"2024-01-14T08:58:48.665Z","dependency_job_id":"f7021148-87cc-4c9f-a5ff-a0a9346583b9","html_url":"https://github.com/brendan-rius/c-jwt-cracker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendan-rius%2Fc-jwt-cracker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendan-rius%2Fc-jwt-cracker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendan-rius%2Fc-jwt-cracker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendan-rius%2Fc-jwt-cracker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brendan-rius","download_url":"https://codeload.github.com/brendan-rius/c-jwt-cracker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248933340,"owners_count":21185460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","cracker","jwt-authentication","security"],"created_at":"2024-08-01T09:01:42.780Z","updated_at":"2025-04-14T18:10:06.482Z","avatar_url":"https://github.com/brendan-rius.png","language":"C","funding_links":[],"categories":["\u003ca id=\"de81f9dd79c219c876c1313cd97852ce\"\u003e\u003c/a\u003e破解\u0026\u0026Crack\u0026\u0026爆破\u0026\u0026BruteForce","Miscellaneous","C","Weapons","C (286)","\u003ca id=\"73c3c9225523cbb05333246f23342846\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"f2c76d99a0b1fda124d210bd1bbc8f3f\"\u003e\u003c/a\u003eWordlist生成","JSON Web Token","Tools","\u003ca id=\"53084c21ff85ffad3dd9ce445684978b\"\u003e\u003c/a\u003e未分类的"],"readme":"# JWT cracker\n\nA multi-threaded JWT brute-force cracker written in C. If you are very lucky or have a huge computing power, this program should find the secret key of a JWT token, allowing you to forge valid tokens. This is for testing purposes only, do not put yourself in trouble :)\n\nI used the [Apple Base64 implementation](https://opensource.apple.com/source/QuickTimeStreamingServer/QuickTimeStreamingServer-452/CommonUtilitiesLib/base64.c) that I modified slightly.\n\n## Build a Docker Image\n```\ndocker build . -t jwtcrack\n\n```\n\n\n## Run on Docker\n```\ndocker run -it --rm  jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE\n```\n\n## Manual Compilation\n\nMake sure you have openssl's headers installed.\nOn Ubuntu you can install them with `apt-get install libssl-dev`\n\n```\nmake\n```\n\nIf you use a Mac, you can install OpenSSL with `brew install openssl`, but the headers will be stored in a\ndifferent location:\n\n```\nmake OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib\n```\n\n## Run\n\n```\n$ \u003e ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE\n```                                                              \n\n## Run with different HMAC functions\n\nThe following hash functions are supported for HMAC, i.e. to generate keyed-hashed message authentication codes: \"sha256\" for JSON HS256 (HMAC using SHA-256), \"sha384\" for HS384 and \"sha512\" for HS512, respectively. You can specify the name of any other hash function exactly as it is named in the OpenSSL. If OpenSSL allows this hash function to be used for HMAC, then jwtcrack will try to decode the secret. However, since jwtcrack is only a decoder, there is no guarantee that this algorithm was actually used for encoding, let alone among the list of algorithms allowed for the \"JSON Web Algorithms\" RFC. See section 3.1. of the RFC 7518 for more details.\n\nIn the following example, we use a sha256 hash function that corresponds to JSON HS256 (HMAC-SHA256), see the \"sha256\" as a last command line parameter. Also, in this example we specify maximum secret length of 5 characters, and limit the alphabet to the following characters: ABCSNFabcsnf1234\n\n```\n$ \u003e ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE ABCSNFabcsnf1234 5 sha256\n```\nIn the above example, the key is `Sn1f`, and it takes less than a second on an average notebook manufactured around 2019 (e.g. with an Intel CPU based on Ice Lake microarchitecture). GCC version 9.3.0 with \"-O3\" was used to compile the jwtcrack program. It was linked with the OpenSSL library version 1.1.1f under Linux Ubuntu 20.04.1 LTS.\n\nHere, in the next example, we use \"sha512\" as a last command line parameter to specify HS512 (HMAC-SHA512), we also specify maximum secret length of 9 characters, and limit the alphabet to the following seven lowercase latin characters: \"adimnps\".\n\n```\n$ \u003e ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiYWRtaW4ifQ.RnWtv7Rjggm8LdMU3yLnz4ejgGAkIxoZwsCMuJlHMwTh7CJODDZWR8sVuNvo2ws25cbH9HWcp2n5WxpIZ9_v0g adimnps 9 sha512\n```\n\nIn the above example, the key is `adminpass`, and it takes about 15 seconds on average to decode on a notebook with Intel Core i7 1065G7 CPU on Ice Lake microarchitecture (2019), base frequency 1.30 GHz, max turbo 3.90 GHz). The combined number of CPU seconds consumed from each of the cores in the user mode due to multithreading is about 100 on average to decode that secret.\n\n\nExample of using \"sha384\":\n\n```\n$ \u003e ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzM4NCJ9.eyJyb2xlIjoiYWRtaW4ifQ.31xCH3k8VRqB8l5qBy7RyqI2htyCskBy_4cIWpk3o43UkIMW-IcjTUEL_NyFXUWJ 0123456789 6 sha384\n```\n\n## Measurement of time consumed by jwtcrack\n\n```\n/usr/bin/time -f \"Total number of CPU-seconds consumed directly from each of the CPU cores: %U\\nElapsed real wall clock time used by the process: %E\" ./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiYWRtaW4ifQ.RnWtv7Rjggm8LdMU3yLnz4ejgGAkIxoZwsCMuJlHMwTh7CJODDZWR8sVuNvo2ws25cbH9HWcp2n5WxpIZ9_v0g adimnps 9 sha512\n```\n\n## Contribute\n\n * No progress status\n * If you stop the program, you cannot start back where you were\n \n## IMPORTANT: Known bugs\n\nThe base64 implementation I use (from Apple) is sometimes buggy because not every Base64 implementation is the same.\nSo sometimes, decrypting of your Base64 token will only work partially and thus you will be able to find a secret to your token that is not the correct one.\n\nIf someone is willing to implement a more robust Base64 implementation, that would be great :)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrendan-rius%2Fc-jwt-cracker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrendan-rius%2Fc-jwt-cracker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrendan-rius%2Fc-jwt-cracker/lists"}