JWT (JSON Web Token) Support #1057

Closed
ratzrattillo opened this Issue Feb 13, 2017 · 13 comments


ratzrattillo commented Feb 13, 2017

JSON Web Tokens (JWTs) are an emerging technology for authorizing users on the web.
The format of these authorization tokens is defined here: https://jwt.io/
The algorithm used to create a token is most of the time HMAC-SHA256 (HS256).

Hashcat already provides functionality to crack HMAC-SHA256, but with a plaintext length limit of 50 characters; JSON Web Tokens tend to be much longer. The example on https://jwt.io/ has a plaintext length of 105 characters.

Is it possible to either:

  1. Allow a wider length for the plaintext
  2. Implement a dedicated JWT-Cracking mode?

Best Greetings!

Edit:
People seem to have the same issues:
https://hashcat.net/forum/thread-6255-post-33425.html#pid33425

Edit2:
Examples:
A JSON Web Token looks like this and consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

1. The first Part (header) of the token contains the algorithm and the type:

{
  "alg": "HS256",
  "typ": "JWT"
}

Encoded, this portion (header) of the token looks like this: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. The second part (payload) contains more information like issuing timestamp, expiration timestamps, usernames and privilege claims:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Encoded, the second part (payload) of a JWT looks like this:
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

3. The third part (signature) of the token is the signature, which can be built e.g. with the HMAC-SHA256 algorithm:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  "secret" #This is the password used to create the HMAC
)

Encoded, the third part (signature) of a JWT looks like this:
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

The basic approach to crack an HMAC of this kind would be to create a hash.data file with the following contents:
[hash.data]
4c9540f793ab33b13670169bdf444c1eb1c37047f18e861981e14e34587b1e04:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

Using hashcat, the following command can be used to bruteforce this token:
[hashcat command]
hashcat64.exe -a 3 -m 1450 data.hash

Due to the length of the plaintext, this will throw the following error:
Line-length exception
I believe the issue has to be fixed at this point to allow a longer plaintext length.

JWTs also use the following algorithms:

HS256
HS384
HS512
RS256 
RS384
RS512
ES256
ES384
ES512

@ratzrattillo ratzrattillo changed the title from JWT (JSON web Token) Support to JWT (JSON Web Token) Support Feb 13, 2017

jsteube commented Feb 13, 2017

ratzrattillo commented Feb 13, 2017

I updated the issue with additional information ;)

magnumripper commented Feb 13, 2017

magnumripper/JohnTheRipper#2318 is the longest sample I've seen. After that we use 5 MD blocks (311 bytes) for SHA-256 but we're apparently still at 2 blocks (239 bytes) for SHA-384/512.

I can't recall what plaintext that sample had but it was cracked immediately so probably something like "secret"...

ratzrattillo commented Feb 14, 2017

I tried cracking a JWT using JTR-Jumbo and it worked quite well.
The procedure looked like this:

  1. Download the John the Ripper Jumbo version (http://www.openwall.com/john/)

  2. Download the conversion script (https://github.com/Sjord/jwtcrack/blob/master/jwt2john.py)

  3. pip install PyJWT

  4. python jwt2john.py ORIGINAL_JSON_WEB_TOKEN_HERE (Example:
    Original Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.b0KvNRPdABlRuFsw584inZijEdAY4IJclzwGdZfmlhg
    Converted Token:
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9#6f42af3513dd001951b85b30e7ce229d98a311d018e0825c973c067597e69618)

  5. john.exe --show --format=HMAC-SHA256 converted-jwt.txt

Result:

1 password hash cracked, 0 left
Password: sec

Even if this works, I would be interested in seeing this feature in Hashcat, as JWTs are getting more important as an authorization mechanism on the web day by day ;)
Keep up the good work! :)
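The two conversions described in this thread, the `hexdigest:message` line the opening post builds for hashcat's generic HMAC-SHA256 mode and the `message#hexdigest` line jwt2john.py emits for John, come down to the same operation: split the compact token, keep `base64url(header).base64url(payload)` as the HMAC message, and base64url-decode the third segment to get the MAC. The following Python is an added example written for this page; it is not code from the issue, from hashcat, from John the Ripper or from jwt2john. It assumes hashcat's `-m 1450` and `-m 1750` are the "HMAC-SHA256/HMAC-SHA512 (key = $pass)" modes and that John's HMAC formats are named `HMAC-SHA256/384/512`; the two tokens are the ones quoted above. It also shows the check a cracker has to make first: only HS* tokens carry a guessable shared secret, so an RS*/ES* header is rejected rather than "cracked".

```python
"""JWT (HS256/384/512) helpers: verify a candidate secret, run a small
dictionary attack, and emit lines for hashcat's generic HMAC modes and
John's HMAC-SHA* formats. Added example, not project code."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

# HMAC-based JOSE algorithms and the hash behind each. RS*/ES* tokens are
# signed with a private key, so there is no shared secret to recover.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Assumption for this example: hashcat's generic "HMAC-SHA*, key = $pass"
# modes (usable before a dedicated JWT mode existed).
HASHCAT_HMAC_MODES = {"HS256": 1450, "HS512": 1750}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used for all three JWT segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode (used to build a test header below)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str) -> Tuple[str, dict, bytes]:
    """Return (signing_input, header, signature).

    signing_input is 'base64url(header).base64url(payload)', exactly the
    ASCII bytes the HMAC is computed over.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    return parts[0] + "." + parts[1], header, b64url_decode(parts[2])


def check_secret(token: str, secret: str) -> bool:
    """True if `secret` reproduces the token's HMAC signature."""
    signing_input, header, signature = split_jwt(token)
    alg = header.get("alg")
    if alg not in HS_ALGS:
        raise ValueError(f"alg={alg!r} is not an HMAC algorithm; nothing to crack")
    mac = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"),
                   HS_ALGS[alg]).digest()
    return hmac.compare_digest(mac, signature)


def crack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first candidate that verifies, or None."""
    for candidate in candidates:
        if check_secret(token, candidate):
            return candidate
    return None


def to_hashcat_hmac(token: str) -> Tuple[int, str]:
    """(mode, 'hexdigest:message') for hashcat's generic HMAC modes."""
    signing_input, header, signature = split_jwt(token)
    alg = header.get("alg")
    if alg not in HASHCAT_HMAC_MODES:
        raise ValueError(f"no generic hashcat HMAC mode assumed for {alg!r}")
    return HASHCAT_HMAC_MODES[alg], f"{signature.hex()}:{signing_input}"


def to_john_hmac(token: str) -> Tuple[str, str]:
    """(format, 'message#hexdigest'), the layout jwt2john.py produces."""
    signing_input, header, signature = split_jwt(token)
    alg = header.get("alg")
    if alg not in HS_ALGS:
        raise ValueError(f"no John HMAC format for {alg!r}")
    return f"HMAC-SHA{alg[2:]}", f"{signing_input}#{signature.hex()}"


# The jwt.io example token quoted in the opening post (HS256, secret "secret").
JWT_IO_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
                "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")

# Same header and payload, the second signature posted in the thread.
THREAD_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
                "b0KvNRPdABlRuFsw584inZijEdAY4IJclzwGdZfmlhg")

if __name__ == "__main__":
    signing_input, header, _ = split_jwt(JWT_IO_TOKEN)
    print(f"alg={header['alg']}, signing input is {len(signing_input)} chars")
    print("hashcat -m %d  %s" % to_hashcat_hmac(JWT_IO_TOKEN))
    print("john --format=%s  %s" % to_john_hmac(THREAD_TOKEN))
    print("cracked:", crack(JWT_IO_TOKEN, ["password", "123456", "secret"]))
```

The 105-character signing input is what overran the 50-character plaintext limit of the generic mode; the dedicated mode 16500 mentioned at the end of the thread loads the compact token as-is, so neither conversion is needed once it is available.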

roycewilliams commented Feb 14, 2017

ratzrattillo commented Feb 14, 2017

@roycewilliams
I am not using JWTs at all, but a lot of people do :)
From a security perspective the following article shows a lot of things that can go wrong when using JWTs: https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/

roycewilliams commented Feb 14, 2017

@ratzrattillo Indeed :) I was acknowledging your wink. I could tell that you already knew why. :)

unl1k3ly commented Apr 12, 2017

up

ghost commented Sep 18, 2017

up

ryman1 commented Jan 12, 2018

Would be great to see support for JWT

jsteube commented Jan 20, 2018

I'm about to add this hash-mode to hashcat finally. One question for @ratzrattillo : The hash line you posted

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

How and where did you get it initially from? I guess this data must have been somehow sniffed from the wire? I'm asking because I'd like to stick to the original output as close as possible, so that there's no tool needed (like jwt2john) and hashcat can load it directly. However if this is just some data you've collected manually this wouldn't make sense then, thus I'm asking.

ratzrattillo commented Jan 20, 2018

Hello @jsteube,
I got that one directly from https://jwt.io/, which serves as the reference for JWTs :)
If you stick to that page, you should not encounter any non-standard behaviour.
Best regards!

jsteube commented Jan 21, 2018

Format was added as hash-mode 16500. It supports cracking HS256, HS384 and HS512. You can compile from source or use the binary beta from https://hashcat.net/beta/

@jsteube jsteube closed this Jan 21, 2018
