Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lmammino/jwt-cracker
Simple HS256, HS384 & HS512 JWT token brute force cracker.
https://github.com/lmammino/jwt-cracker
alphabet brute-force brute-force-attacks bruteforce command command-line cracker javascript jwt jwt-cracker nodejs secrets security
Last synced: about 7 hours ago
JSON representation
Simple HS256, HS384 & HS512 JWT token brute force cracker.
- Host: GitHub
- URL: https://github.com/lmammino/jwt-cracker
- Owner: lmammino
- License: mit
- Created: 2016-08-28T22:39:52.000Z (over 8 years ago)
- Default Branch: main
- Last Pushed: 2024-07-13T23:31:35.000Z (5 months ago)
- Last Synced: 2024-12-04T20:49:37.242Z (7 days ago)
- Topics: alphabet, brute-force, brute-force-attacks, bruteforce, command, command-line, cracker, javascript, jwt, jwt-cracker, nodejs, secrets, security
- Language: JavaScript
- Homepage: https://lmammino.github.io/jwt-cracker/
- Size: 369 KB
- Stars: 1,048
- Watchers: 9
- Forks: 165
- Open Issues: 11
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - jwt-cracker - Simple HS256 JWT token brute force cracker (Miscellaneous / JSON Web Token)
- WebHackersWeapons - jwt-cracker - cracker?label=%20)|[`jwt`](/categorize/tags/jwt.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)| (Weapons / Tools)
README
![npm](https://img.shields.io/npm/dt/jwt-cracker.svg)
[![npm](https://img.shields.io/npm/v/jwt-cracker.svg)](https://www.npmjs.com/package/jwt-cracker)
[![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/tools.html#jwt-cracker)
[![GitHub stars](https://img.shields.io/github/stars/lmammino/jwt-cracker.svg)](https://github.com/lmammino/jwt-cracker/stargazers)
[![GitHub license](https://img.shields.io/github/license/lmammino/jwt-cracker.svg)](https://github.com/lmammino/jwt-cracker/blob/main/LICENSE)# jwt-cracker
Simple HS256, HS384 & HS512 JWT token brute force cracker.
Effective only to crack JWT tokens with weak secrets.
**Recommendation**: Use strong long secrets or RS256 tokens.## Install
With npm:
```bash
npm install --global jwt-cracker
```## Usage
From command line:
```bash
jwt-cracker -t [-a ] [--max ] [-d ] [-f]
```Where:
* **token**: the full HS256-512 JWT token string to crack
* **alphabet**: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
* **maxLength**: the max length of the string generated during the brute force (default: 12)
* **dictionaryFilePath**: path to a list of passwords (one per line) to use instead of brute force
* **force**: force script to execute when the token isn't valid## Requirements
This script requires Node.js version 16.0.0 or higher
## Example
Cracking the default [jwt.io example](https://jwt.io):
```bash
jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -a abcdefghijklmnopqrstuwxyz --max 6
```It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).
Or using a list of passwords taken from https://github.com/danielmiessler/SecLists
```bash
jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ -d darkweb2017-top10000.txt
```It takes less than a second.
## Contributing
Everyone is very welcome to contribute to this project.
You can contribute just by submitting bugs or suggesting improvements by
[opening an issue on GitHub](https://github.com/lmammino/jwt-cracker/issues).## License
Licensed under [MIT License](LICENSE). © Luciano Mammino.