jwt-cracker - Simple HS256 JWT Token Brute Force Cracker

2017-08-0616:08:00

www.kitploit.com

729

6.7 Medium

AI Score

Confidence

High

JSON

Simple HS256 JWT token brute force cracker.
Effective only to crack JWT tokens with weak secrets.
Recommendation: Use strong long secrets or RS256 tokens.

Install
With npm:

npm install --global jwt-cracker

Usage
From command line:

jwt-cracker &lt;token&gt; [&lt;alphabet&gt;] [&lt;maxLength&gt;]

Where:

token: the full HS256 JWT token string to crack
alphabet: the alphabet to use for the brute force (default: “abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789”)
maxLength: the max length of the string generated during the brute force (default: 12)

Requirements
This script requires Node.js version 6.0.0 or higher

Example
Cracking the default jwt.io example:

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).

Download jwt-cracker

References

github.com/lmammino/jwt-cracker

6.7 Medium

AI Score

Confidence

High

JSON