jwt-cracker - Simple HS256 JWT Token Brute Force Cracker

2017-08-06T16:08:58
ID KITPLOIT:4074521293617632933
Type kitploit
Reporter KitPloit
Modified 2017-08-06T16:08:58

Description

Simple HS256 JWT token brute force cracker.
Effective only to crack JWT tokens with weak secrets.
Recommendation : Use strong long secrets or RS256 tokens.

Install
With npm:

npm install --global jwt-cracker

Usage
From command line:

jwt-cracker <token> [<alphabet>] [<maxLength>]

Where:

  • token : the full HS256 JWT token string to crack
  • alphabet : the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789")
  • maxLength : the max length of the string generated during the brute force (default: 12)

Requirements
This script requires Node.js version 6.0.0 or higher

Example
Cracking the default jwt.io example :

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).

Download jwt-cracker