https://github.com/lmammino/jwt-cracker

Simple HS256, HS384 & HS512 JWT token brute force cracker.
https://github.com/lmammino/jwt-cracker

alphabet brute-force brute-force-attacks bruteforce command command-line cracker javascript jwt jwt-cracker nodejs secrets security

Last synced: 18 days ago
JSON representation

Simple HS256, HS384 & HS512 JWT token brute force cracker.

• Host: GitHub
• URL: https://github.com/lmammino/jwt-cracker
• Owner: lmammino
• License: mit
• Created: 2016-08-28T22:39:52.000Z (about 8 years ago)
• Default Branch: main
• Last Pushed: 2024-07-13T23:31:35.000Z (4 months ago)
• Last Synced: 2024-10-04T09:51:58.865Z (about 1 month ago)
• Topics: alphabet, brute-force, brute-force-attacks, bruteforce, command, command-line, cracker, javascript, jwt, jwt-cracker, nodejs, secrets, security
• Language: JavaScript
• Homepage: https://lmammino.github.io/jwt-cracker/
• Size: 369 KB
• Stars: 1,007
• Watchers: 9
• Forks: 160
• Open Issues: 11
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-bugbounty-tools - jwt-cracker - Simple HS256 JWT token brute force cracker (Miscellaneous / JSON Web Token)
• WebHackersWeapons - jwt-cracker - cracker?label=%20)|[`jwt`](/categorize/tags/jwt.md)|[](/categorize/langs/JavaScript.md)| (Weapons / Tools)

README

        
 ![npm](https://img.shields.io/npm/dt/jwt-cracker.svg)

 [![npm](https://img.shields.io/npm/v/jwt-cracker.svg)](https://www.npmjs.com/package/jwt-cracker)

 [![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/tools.html#jwt-cracker)

 [![GitHub stars](https://img.shields.io/github/stars/lmammino/jwt-cracker.svg)](https://github.com/lmammino/jwt-cracker/stargazers)

 [![GitHub license](https://img.shields.io/github/license/lmammino/jwt-cracker.svg)](https://github.com/lmammino/jwt-cracker/blob/main/LICENSE)

# jwt-cracker

Simple HS256, HS384 & HS512 JWT token brute force cracker.

Effective only to crack JWT tokens with weak secrets.

**Recommendation**: Use strong long secrets or RS256 tokens.

## Install

With npm:

```bash

npm install --global jwt-cracker

```

## Usage

From command line:

```bash

jwt-cracker -t  [-a ] [--max ] [-d ] [-f]

```

Where:

* **token**: the full HS256-512 JWT token string to crack

* **alphabet**: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

* **maxLength**: the max length of the string generated during the brute force (default: 12)

* **dictionaryFilePath**: path to a list of passwords (one per line) to use instead of brute force

* **force**: force script to execute when the token isn't valid

## Requirements

This script requires Node.js version 16.0.0 or higher

## Example

Cracking the default [jwt.io example](https://jwt.io):

```bash

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -a abcdefghijklmnopqrstuwxyz --max 6

```

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).

Or using a list of passwords taken from https://github.com/danielmiessler/SecLists

```bash

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -d darkweb2017-top10000.txt

```

It takes less than a second.

## Contributing

Everyone is very welcome to contribute to this project.

You can contribute just by submitting bugs or suggesting improvements by

[opening an issue on GitHub](https://github.com/lmammino/jwt-cracker/issues).

## License

Licensed under [MIT License](LICENSE). © Luciano Mammino.